Runas any user even when shell is limited like winrm #47621
Conversation
Seems like a good idea. Please use a class for constants like in modules/reg.py
This should fix
salt/utils/win_runas.py
Outdated
stdin_read, stdin_write = win32pipe.CreatePipe(security_attributes, 0) | ||
stdin_read = make_inheritable(stdin_read) | ||
stdin_read = salt.utils.winutil.make_inheritable(stdin_read) |
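Review bot: Marking only the child's end (stdin_read) inheritable is the right pattern, but it only works if the SECURITY_ATTRIBUTES passed to CreatePipe does not itself set bInheritHandle; if it does, stdin_write is inherited as well, the child holds the write end of its own stdin, and it never sees EOF after the parent closes stdin_write. Confirm that the parent's end stays non-inheritable, e.g. with `win32api.SetHandleInformation(stdin_write, win32con.HANDLE_FLAG_INHERIT, 0)`.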
And here
salt/utils/win_runas.py
Outdated
|
||
stdout_read, stdout_write = win32pipe.CreatePipe(security_attributes, 0) | ||
stdout_write = make_inheritable(stdout_write) | ||
stdout_write = salt.utils.winutil.make_inheritable(stdout_write) |
same here
salt/utils/win_runas.py
Outdated
fd_err = msvcrt.open_osfhandle(stderr_read, os.O_RDONLY | os.O_TEXT) | ||
with os.fdopen(fd_err, 'r') as f_err: | ||
ret['stderr'] = f_err.read() | ||
stderr_write = salt.utils.winutil.make_inheritable(stderr_write) |
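Review bot: Draining the pipes one after the other with a blocking `f_err.read()` can deadlock: if the child fills the finite buffer of the pipe the parent is not currently reading, the child blocks on write while the parent blocks on read, and the process never exits. Read stdout and stderr concurrently (one thread per pipe, as `subprocess.Popen.communicate()` does on Windows) or hand the child the same inheritable handle for both. Separately, `os.fdopen` takes ownership of the fd from `open_osfhandle`, so closing f_err closes the underlying handle; if stderr_read is a PyHANDLE that also closes on destruction, the handle is closed twice, so call `stderr_read.Detach()` before wrapping it.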
and here
salt/utils/win_runas.py
Outdated
|
||
salt.utils.winutil.kernel32.CloseHandle(stdin_write.handle) | ||
salt.utils.winutil.kernel32.CloseHandle(stdout_write.handle) | ||
salt.utils.winutil.kernel32.CloseHandle(stderr_write.handle) |
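Review bot: stdin_write, stdout_write and stderr_write come from win32pipe.CreatePipe and are pywin32 PyHANDLE objects, which close their handle automatically when garbage collected; calling kernel32.CloseHandle on the raw `.handle` therefore closes each handle twice, and the second close can land on a handle value the process has since reused. Use `stdout_write.Close()` (or `.Detach()` before the raw CloseHandle) instead. Closing the parent's copies of the child's stdout/stderr write ends right after process creation is correct, otherwise the parent's reads never see EOF.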
And these
salt/utils/win_runas.py
Outdated
|
||
def runas(cmdLine, username, password=None, cwd=None, elevated=True): | ||
|
||
impersonation_token = salt.utils.winutil.impersonate_sid( |
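Review bot: `cmdLine` is camelCase while the rest of the signature is snake_case; rename it to `cmd_line` and document the two paths in the docstring: with password=None the minion impersonates the target user's SID without credentials, which only works when the minion process already holds the privileges that requires, and with elevated=True as the default the child receives an elevated token. A caller reading `runas(cmd, user)` today cannot tell which of those applies.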
Shouldn't this be salt.winutil now?
salt/utils/win_runas.py
Outdated
salt.utils.winutil.elevate_token(user_token) | ||
|
||
handle_reg = win32profile.LoadUserProfile(user_token, {'UserName': username}) | ||
salt.utils.winutil.grant_winsta_and_desktop(user_token) |
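Review bot: LoadUserProfile returns a profile handle (handle_reg) that must be released with `win32profile.UnloadUserProfile(user_token, handle_reg)` in a finally block once the child has exited; otherwise the user's registry hive stays loaded for the life of the minion. Likewise the DACL entries that grant_winsta_and_desktop adds to the minion's window station and desktop outlive this call, so either remove those ACEs after the child has started or document that every runas leaves the target user with lasting access to the minion's window station.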
And here
salt/utils/win_runas.py
Outdated
win32process.CREATE_SUSPENDED | ||
) | ||
|
||
startup_info = salt.utils.winutil.STARTUPINFO( |
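Review bot: With CREATE_SUSPENDED the new process only runs after an explicit ResumeThread, so every failure between process creation and the resume needs to end with TerminateProcess on the returned process handle in a finally; otherwise a failed runas leaves a suspended process that already holds the target user's token. Also check that STARTUPINFO.dwFlags includes STARTF_USESTDHANDLES, since the pipe handles passed via hStdInput/hStdOutput/hStdError are ignored without it.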
You get the idea...
salt/utils/win_runas.py
Outdated
|
||
env = win32profile.CreateEnvironmentBlock(user_token, False) | ||
|
||
process_info = salt.utils.winutil.CreateProcessWithTokenW( |
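Review bot: win32profile.CreateEnvironmentBlock returns a Python dict, not the raw block the Win32 API produces, while CreateProcessWithTokenW here is the ctypes binding in salt.utils.winutil; the dict has to be flattened into a NUL-separated, double-NUL-terminated wide string and the creation flags need CREATE_UNICODE_ENVIRONMENT, or the child starts with a garbage environment. Passing False for bInherit is the right choice for runas, since it keeps the minion's own environment (which can carry secrets) out of the child.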
and here
salt/utils/win_runas.py
Outdated
# salt.utils.winutil.kernel32.CloseHandle(user_token) | ||
if impersonation_token: | ||
win32security.RevertToSelf() | ||
# salt.utils.winutil.kernel32.CloseHandle(impersonation_token) |
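Review bot: RevertToSelf is only reached when nothing between the impersonation and this point raises; move it into a finally so a failed runas never leaves the minion thread running as the target user, and close user_token and impersonation_token in the same finally (with the PyHANDLE `.Close()` rather than the raw kernel32 call) instead of leaking a token per call. The commented-out CloseHandle lines should go.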
Can we remove these comments? And the salt.winutil thing.
salt/winutil.py
Outdated
except block because it is only applicable on Windows platforms. | ||
|
||
|
||
Much of what is here was adappted from the following: |
adapted
Some random thoughts. There are also a few win_*.py in salt.utils. For example we have salt.utils.pkg.win. What I would like to see is a
With a platform independent set of high level class methods where possible, with specific platform overrides.
@damon-atkins, thanks so much for reviewing this. :)
salt/utils/win_runas.py
Outdated
username, domain = split_username(username) | ||
sid, domain, sidType = win32security.LookupAccountName(domain, username) | ||
if domain == 'NT AUTHORITY': | ||
log.warn("Logon system account: %s", username) |
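Review bot: The `domain == 'NT AUTHORITY'` comparison breaks on non-English Windows, where LookupAccountName returns the localized authority name (for example "NT-AUTORITÄT" on German systems), so SYSTEM, LOCAL SERVICE and NETWORK SERVICE would not be recognised as service accounts there. Compare the SID instead: `win32security.ConvertSidToStringSid(sid)` against S-1-5-18, S-1-5-19 and S-1-5-20.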
Why warning?
Also, switch to log.warning, log.warn is deprecated in Py3.
I agree warning is overkill. Should these 'logon user' log statements go away completely?
If you think these will make sense when trying to debug an issue, leave them, but perhaps at debug log level? Info?
Windows creates an event log for the logons so I've just removed these log statements.
salt/win.py
Outdated
@@ -0,0 +1,1164 @@ | |||
# -*- coding: utf-8 -*- | |||
''' | |||
Windows specific utility functions, this module should be imported in a try, |
If this is a utilities module it should be moved to salt.utils.
I've read this and it looks good so far as I can tell, but I simply don't know enough about the Windows ecosystem to be able to review this in any real depth.
I'm getting the following error on Py3 when I do a
doc/topics/releases/fluorine.rst
Outdated
|
||
A password is no longer required with ``runas`` under normal circumstances. | ||
The password option is only needed if the minion process is run under a | ||
restricted (non-administrator) account. |
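Review bot: The note is ambiguous about which of three situations needs a password: minion running as an administrator, minion running as a non-administrator executing commands as itself, and minion running as a non-administrator using ``runas`` to run as another user. State explicitly that only the last case requires a password, and that with an administrator minion ``runas`` works without one, so operators do not start storing passwords in states they no longer need.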
As I recall, password is only needed if it's under a non-admin account AND it's requesting priv escalation, right? If so, I think that should be called out specifically.
@cachedout If the minion happens to be running under a non admin, they will need to use a password anytime they use the runas argument to cmd.run. Maybe this is better?
A password is no longer required with ``runas`` under normal circumstances.
The password option is only needed if the minion process is run under a
restricted (non-administrator) account. In the aforementioned case, a password
is only required when using the ``runas`` argument to run command as a different
user.
@@ -685,7 +685,7 @@ def wrap(cls): | |||
username | |||
) | |||
) | |||
create_user = cls.run_function('user.add', [username]) | |||
create_user = cls.run_function('user.add', [username], **kwargs) |
Is the intention here just to pass groups? I'm wary of passing all kwargs unless that's truly needed.
@cachedout Yes, this is to pass groups. I'll change it to be more specific.
Actually, looking at this again. We are making the kwargs dictionary for the sole purpose of passing it to user.add. It is being used to pass timeout, groups, and password.
@dwoz This has a merge conflict with the release notes. Can you fix that up?
- Fix runas when running under powershell remoting
- Support for LOCAL SERVICE and NETWORK SERVICE system accounts.
- Runas can now use system accounts from salt-call. (SYSTEM, LOCAL SERVICE and NETWORK SERVICE)
- Runas can launch processes on behalf of users without a password.
- Integration tests for win_runas module
@rallytime fixed.
What does this PR do?
(SYSTEM, LOCAL SERVICE and NETWORK SERVICE)
What issues does this PR fix or reference?
Tests written?
No
Commits signed with GPG?
Yes