The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com
Feature #8268: Basic Puppet agent support on Windows
Puppet.features.root? always returns true on Windows
|Assignee:||Josh Cooper||% Done:|
|Category:||windows||Estimated time:||16.00 hours|
|Affected Puppet version:||development||Branch:|
Ticket tracking is now hosted in JIRA: https://tickets.puppetlabs.com
This issue is currently not available for export. If you are experiencing the issue described below, please file a new ticket in JIRA. Once a new ticket has been created, please add a link to it that points back to this Redmine ticket.
On Windows, Puppet.features.root? always returns true, even when running as a non-admin user. It should only return true if we are running with elevated privileges.
Part of the problem is that Puppet.features.root, invokes SUIDManager.root?, which calls Process.uid, without first requiring the win32/process gem. And without it, Process.uid always returns 0.
We also need to investigate what code paths occur when root? is true or false, and make sure they make sense on Windows. For example, the file provider will attempt to set the owner and group of files that it manages when running as root, but the capability to obtain and set owner/group info is not implemented yet on Windows.
#2 Updated by Josh Cooper over 2 years ago
- Status changed from Accepted to Merged - Pending Release
- Assignee set to Josh Cooper
- % Done changed from 0 to 100
On Windows, Puppet.features.root? and Puppet::Util::SUIDManager.root? will return true if the current user’s process token is running with elevated privileges, and false otherwise.
This check may fail because the platform doesn’t support UAC, e.g. Windows 2003, in which case, it will return true if the user is a member of the builtin administrators group, and false otherwise.
Note that due to UAC it is possible for Puppet.features.root? to return false even though you are an administrator. In other words, by default processes created by the administrator run with the restricted token, and you must explicitly run puppet with elevated privileges such as:
runas /user:administrator "puppet apply manifest.pp"
Whether or not we are “root” on Windows controls the following puppet behaviors:
- The directory that we store puppet configuration
- Whether we can chown/chgrp files
Note that chown/chgrp is not currently supported, but will be when we add support for windows file provider.
This change was merged into 2.7.x as commit:630ec36089e2224fba99b76d76eaf904af13e4d6
#3 Updated by Josh Cooper over 2 years ago
- Affected Puppet version set to development
This was a problem on windows 2003 R2 (but not 2003), where the call to GetTokenInformation for elevation info returns a different error code (GetLastError), and therefore exception message. So now we explicitly check for the platform version and only call GetTokenInformation when running on Vista/2008 or later. This change was merged into 2.7.x as commit:29c7bf2ce5d6912b6177b4477492507e0749a485