Fix runas function for System Account #34292
Conversation
Since I don't understand how this works at all, I would at least like @UtahDave to take a look here so we can get more eyes on this.
@cachedout When you login as an Administrator on Windows it gives you a restricted token so you're running like a normal user (without admin). When you do something that needs admin, Windows hits you with the UAC Dialog to remove the restrictions on your token. This is like sudo in Linux, I believe. In order to runas on Windows we have to log in (that happens a few lines above). We need to run with the elevated token if it's an admin account, so we get the unrestricted token using the GetTokenInformation command. Then we use that token to execute our command with elevated privileges.
@twangboy what happens if the user doesn't have an elevated security token? Will line 302 return the regular token? Or will it stacktrace?
@UtahDave It will stacktrace
@twangboy, do we want that to stacktrace? Or should we catch that and do something else, like return an error message or try with the regular security token?
Working on checking for admin before elevating... Of course I don't want it to stacktrace. I didn't check that scenario.
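The check the thread is asking for, as an added Python example rather than Salt's own code: it assumes pywin32's `win32security.GetTokenInformation` with the `TokenElevationType` and `TokenLinkedToken` information classes, swaps a filtered admin token for its linked elevated token, and falls back to the logon token (instead of raising) when no linked token exists. `FakeToken` and `fake_query` are constructed stand-ins so the selection logic can be run off Windows.

```python
# Choose the token to run a command under after LogonUser (added example, assumes pywin32).
# TOKEN_ELEVATION_TYPE values returned for the TokenElevationType information class:
TOKEN_ELEVATION_TYPE_DEFAULT = 1  # no split token: standard user, or UAC disabled
TOKEN_ELEVATION_TYPE_FULL = 2     # this already is the elevated (unrestricted) token
TOKEN_ELEVATION_TYPE_LIMITED = 3  # filtered admin token; a linked elevated token exists


def win32_query(token, info_class):
    """Real backend: GetTokenInformation with the named win32security information class."""
    import win32security  # pywin32; imported lazily so the selection logic runs anywhere
    return win32security.GetTokenInformation(token, getattr(win32security, info_class))


def select_runas_token(token, query=win32_query):
    """Return (token_to_use, elevated). Only a LIMITED token is swapped for its linked
    elevated token; DEFAULT and FULL tokens are used as-is, and a failed lookup falls
    back to the logon token instead of raising (the stack trace the PR thread hit)."""
    try:
        elevation_type = query(token, "TokenElevationType")
    except Exception:  # pywintypes.error: token carries no elevation data
        return token, False
    if elevation_type != TOKEN_ELEVATION_TYPE_LIMITED:
        return token, elevation_type == TOKEN_ELEVATION_TYPE_FULL
    try:
        return query(token, "TokenLinkedToken"), True
    except Exception:  # no linked token, or no access to it
        return token, False


# Constructed stand-ins so the selection logic can be exercised off Windows.
class FakeToken:
    def __init__(self, name, elevation_type, linked=None):
        self.name, self.elevation_type, self.linked = name, elevation_type, linked


def fake_query(token, info_class):
    """Mimics GetTokenInformation for FakeToken, raising where the real call would."""
    if info_class == "TokenElevationType":
        return token.elevation_type
    if info_class == "TokenLinkedToken" and token.linked is not None:
        return token.linked
    raise OSError("no such information for this token")


if __name__ == "__main__":
    admin = FakeToken("admin-filtered", TOKEN_ELEVATION_TYPE_LIMITED,
                      linked=FakeToken("admin-elevated", TOKEN_ELEVATION_TYPE_FULL))
    for tok in (admin, FakeToken("standard-user", TOKEN_ELEVATION_TYPE_DEFAULT)):
        chosen, elevated = select_runas_token(tok, fake_query)
        print(f"{tok.name}: run as {chosen.name}, elevated={elevated}")
```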
@UtahDave ^^^
@twangboy looks like this needs to be rebased.
Rebased
@cachedout Is this OK now?
What does this PR do?
Use the elevated token if present when passing runas with an admin account. Only fixes when Salt is running under the LocalSystem account. Need to fix for debug mode under an admin account.
What issues does this PR fix or reference?
https://github.com/saltstack/zh/issues/766
Previous Behavior
When admin credentials were passed to Runas the restricted token was used instead of the full elevated privileges of the user.
New Behavior
Uses the elevated token.
Tests written?
No