Allow nats-server to run as system user on Windows #3022

Merged
merged 1 commit into from
Apr 18, 2022


LaurensVergote commented Apr 11, 2022

Trying to run nats-server as nt_authority/system, the process would immediately exit with error: "The service process could not connect to the service controller."
This is now fixed

  • Link to issue: None reported
  • Documentation added: N/A
  • Tests added: N/A (No functionality changes)
  • Branch rebased on top of current main (git pull --rebase origin main)
  • Changes squashed to a single commit (described here)
  • Build is green in Travis CI
  • You have certified that the contribution is your original work and that you license the work to the project under the Apache 2 license

Changes proposed in this pull request:

/cc @nats-io/core

Reproduction steps

In order to start a command prompt as nt_authority you can use the following command:

PS> psexec -s -i cmd.exe

PSExec tool can be found here (https://docs.microsoft.com/en-us/sysinternals/downloads/psexec)

cmd output before changes:

C:\nats_IsAnInteractiveSession>whoami
nt authority\system

C:\nats_IsAnInteractiveSession>nats-server.exe -v
nats-server: v2.7.4

C:\nats_IsAnInteractiveSession>nats-server.exe
The service process could not connect to the service controller.

cmd output after changes:

C:\nats_IsWindowsService>whoami
nt authority\system

C:\nats_IsWindowsService>nats-server.exe -v
nats-server: v2.7.4

C:\nats_IsWindowsService>nats-server.exe
[12580] 2022/04/11 10:50:56.739321 [←[32mINF←[0m] Starting nats-server
[12580] 2022/04/11 10:50:56.740421 [←[32mINF←[0m]   Version:  2.7.4
[12580] 2022/04/11 10:50:56.742057 [←[32mINF←[0m]   Git:      [not set]
[12580] 2022/04/11 10:50:56.742608 [←[32mINF←[0m]   Name:     NC6K5LCGMBO7PNQ3HZKCQCVMZVSBF552ELGQ7QMK24FD32ZLUXPZ35DU
[12580] 2022/04/11 10:50:56.743154 [←[32mINF←[0m]   ID:       NC6K5LCGMBO7PNQ3HZKCQCVMZVSBF552ELGQ7QMK24FD32ZLUXPZ35DU
[12580] 2022/04/11 10:50:56.745350 [←[32mINF←[0m] Listening for client connections on 0.0.0.0:4222
[12580] 2022/04/11 10:50:56.751411 [←[32mINF←[0m] Server is ready

Addendum:
Not sure exactly why this fixes it, but was discovered as a solution for an issue we had at the company I work at since we run nats both as a service and not as a service under different users.

Trying to run nats-server as nt authority/system user, the process would immediately exit with error: "The service process could not connect to the service controller."
This is now fixed

derekcollison (Member) left a comment

In general LGTM but wanted folks better suited in windows to approve. Thanks!

tbeets (Contributor) commented Apr 11, 2022

I'm not knowledgeable about Windows permissions. This Go issue (confirmed but not fixed) came up in search and makes me wonder if there is risk of fixing one use-case and breaking another.

It would be great to have this PR tested with a non-System (but restricted) user.

tbeets (Contributor) commented Apr 11, 2022

I presume that most customers would not run NATS Server as the System user (i.e. just as it is not a general practice to run NATS Server as root on a Unix host).

LaurensVergote (Author) commented Apr 15, 2022

Been a bit busy lately with other things. I'll try to test this change on Windows running nats as:

  • Service (LocalSystem)
  • Non-service (LocalSystem)
  • Service (Restricted User)
  • Non-service (Restricted User)

Restricted user should fail to call OpenProcess, resulting in ACCESS_DENIED.
Currently having some trouble creating a user that receives ACCESS_DENIED on the OpenProcess call. Every single user I test, even with the most minimal permissions, receives a valid handle.

First thought is that this will work fine since the issue you linked seems to have been already fixed in Go.

tbeets (Contributor) commented Apr 15, 2022

Thanks @LaurensVergote. The original Go issue was not well linked to an actual fix (Dec 15, 2021). Thanks for finding!

kozlovic (Member) commented

@ColinSullivan1 @tbeets @scottf So should this be merged before v2.8.0 that we are trying to get out today?

scottf (Contributor) commented Apr 18, 2022

I have verified this like so:

  1. execute using the nats server in my path

C:\>whoami
nt authority\system

C:\>nats-server -version
nats-server: v2.8.0-beta.20

C:\>nats-server
The service process could not connect to the service controller.

  2. get pr source from https://github.com/LaurensVergote/nats-server.git, checked out Windows branch, built then execute with server (main)

C:\temp\pr3022\nats-server>whoami
nt authority\system

C:\temp\pr3022\nats-server>git branch
* Windows
  main

C:\temp\pr3022\nats-server>main -version
nats-server: v2.8.0-beta.12

C:\temp\pr3022\nats-server>main
[2148] 2022/04/18 16:28:52.207955 [←[32mINF←[0m] Starting nats-server
[2148] 2022/04/18 16:28:52.208519 [←[32mINF←[0m]   Version:  2.8.0-beta.12
[2148] 2022/04/18 16:28:52.208519 [←[32mINF←[0m]   Git:      [not set]
[2148] 2022/04/18 16:28:52.209084 [←[32mINF←[0m]   Name:     NB2SJHEQ5ZPIMI4LX3QSJLCND65DQR2WDEHI7U2LWPFL6GPX4UM7MGY6
[2148] 2022/04/18 16:28:52.209654 [←[32mINF←[0m]   ID:       NB2SJHEQ5ZPIMI4LX3QSJLCND65DQR2WDEHI7U2LWPFL6GPX4UM7MGY6
[2148] 2022/04/18 16:28:52.210975 [←[32mINF←[0m] Listening for client connections on 0.0.0.0:4222
[2148] 2022/04/18 16:28:52.239812 [←[32mINF←[0m] Server is ready

scottf (Contributor) left a comment

LGTM

@kozlovic kozlovic merged commit ddd31b1 into nats-io:main Apr 18, 2022
@LaurensVergote LaurensVergote deleted the Windows branch April 19, 2022 07:15