author | Josh Cooper <josh@puppetlabs.com> | 2011-08-18 10:34:18 -0700 |
---|---|---|
committer | Josh Cooper <josh@puppetlabs.com> | 2011-08-22 15:06:11 -0700 |
commit | 2ac87905708ddbc44d212e10e34d72cad09e3271 (patch) | |
tree | 9907686fa4f90f5ce4379f982808498dd3156943 /lib/puppet | |
parent | ccdd043ab309ca382dc949612d7efe3562adf5c5 (diff) | |

(#8662) Fix Puppet.features.root? on Windows

This commit changes Puppet::Util::SUIDManager.root? (and
Puppet.features.root?) to only return true if the user is running with
elevated privileges (granted via UAC). If this check fails because
elevated privileges are not supported, e.g. pre-Vista, then we fall
back to checking if the user is a member of the builtin Administrators
group.

This means if you are logged in as Administrator on 2008,
Puppet.features.root? will return false, unless you are explicitly
running puppet as an administrator, e.g.

    runas /user:Administrator "puppet apply manifest.pp"

This commit also adds tests to ensure SUIDManager.asuser is a no-op on
Windows, since Windows does not (easily) support switching user
contexts without providing a password.

Diffstat (limited to 'lib/puppet')
-rw-r--r-- | lib/puppet/util/suidmanager.rb | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/lib/puppet/util/suidmanager.rb b/lib/puppet/util/suidmanager.rb index 697bce111..d2772002e 100644 --- a/lib/puppet/util/suidmanager.rb +++ b/lib/puppet/util/suidmanager.rb @@ -37,7 +37,20 @@ module Puppet::Util::SUIDManager module_function :groups= def self.root? - Process.uid == 0 + return Process.uid == 0 unless Puppet.features.microsoft_windows? + + require 'sys/admin' + require 'win32/security' + + # if Vista or later, check for unrestricted process token + begin + return Win32::Security.elevated_security? + rescue Win32::Security::Error => e + raise e unless e.to_s =~ /Incorrect function/i + end + + group = Sys::Admin.get_group("Administrators", :sid => Win32::Security::SID::BuiltinAdministrators) + group and group.members.index(Sys::Admin.get_login) != nil end # Runs block setting uid and gid if provided then restoring original ids |
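
Review bot: In the `rescue Win32::Security::Error => e` branch, the fallback is gated on `e.to_s =~ /Incorrect function/i`, which matches the human-readable error text; on a system where that message is localized or worded differently, the exception is re-raised and `root?` fails instead of falling back to the Administrators group check. Prefer testing a numeric error code if the exception exposes one, or deciding by OS version before calling `elevated_security?`. In the fallback itself, `group.members.index(Sys::Admin.get_login) != nil` compares a bare login name against the member list, so it covers direct members only and depends on both sides using the same name format; `group.members.include?(...)` reads more clearly, and wrapping the last expression in `!!( ... )` would keep a predicate method from returning nil when `group` is nil. A one-line comment above the group lookup saying it is the pre-Vista path would make the two-stage logic easier to follow, and since this method decides whether Puppet treats the process as privileged, the re-raise case deserves a test of its own.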