-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow nats-server to run as system user on Windows #3022
Conversation
Trying to run nats-server as nt authority/system user, the process would immediately exit with error: "The service process could not connect to the service controller." This is now fixed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In general LGTM but wanted folks better suited in windows to approve. Thanks!
I'm not knowledgeable about Windows permissions. This Go issue (confirmed but not fixed) came up in search and makes me wonder if there is risk of fixing one use-case and breaking another. It would be great to have this PR tested with a non-System (but restricted) user. |
I presume that most customers would not run NATS Server as the System user (i.e. just as not a general practice to run NATS Server as root on a unix host). |
Been a bit busy lately with other things. I'll try to test this change on windows running nats as:
Restricted user should fail to call OpenProcess, resulting in ACCESS_DENIED First thought is that this will work fine since the issue you linked seems to have been already fixed in go |
Thanks @LaurensVergote . The original Go issue was not well linked to an actual fix (Dec 15, 2021). Thanks for finding! |
@ColinSullivan1 @tbeets @scottf So should this be merged before v2.8.0 that we are trying to get out today? |
I have verified this like so:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Trying to run nats-server as nt_authority/system, the process would immediately exit with error: "The service process could not connect to the service controller."
This is now fixed
git pull --rebase origin main
)Changes proposed in this pull request:
(https://pkg.go.dev/golang.org/x/sys/windows/svc#IsWindowsService)
/cc @nats-io/core
Reproduction steps
In order to start a command prompt as nt_authority you can use the following command:
PS> psexec -s -i cmd.exe
PSExec tool can be found here (https://docs.microsoft.com/en-us/sysinternals/downloads/psexec)
cmd output before changes:
cmd output after changes:
Addendum:
Not sure exactly why this fixes it, but was discovered as a solution for an issue we had at the company I work at since we run nats both as a service and not as a service under different users.