The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

Bug #8662

Feature #8268: Basic Puppet agent support on Windows

Puppet.features.root? always returns true on Windows

Added by Josh Cooper over 2 years ago. Updated over 2 years ago.

Status: Closed
Start date: 07/27/2011
Priority: Normal
Due date:
Assignee: Josh Cooper
% Done: 100%
Category: windows
Estimated time: 16.00 hours
Target version: 2.7.4
Affected Puppet version: development
Branch:
Keywords:


Description

On Windows, Puppet.features.root? always returns true, even when running as a non-admin user. It should only return true if we are running with elevated privileges.

Part of the problem is that Puppet.features.root? invokes SUIDManager.root?, which calls Process.uid, without first requiring the win32/process gem. And without it, Process.uid always returns 0.

We also need to investigate what code paths occur when root? is true or false, and make sure they make sense on Windows. For example, the file provider will attempt to set the owner and group of files that it manages when running as root, but the capability to obtain and set owner/group info is not implemented yet on Windows.

History

#1 Updated by Jacob Helwig over 2 years ago

  • Target version changed from 3.x to 2.7.x

#2 Updated by Josh Cooper over 2 years ago

  • Status changed from Accepted to Merged - Pending Release
  • Assignee set to Josh Cooper
  • % Done changed from 0 to 100

On Windows, Puppet.features.root? and Puppet::Util::SUIDManager.root? will return true if the current user’s process token is running with elevated privileges, and false otherwise.

This check may fail because the platform doesn’t support UAC, e.g. Windows 2003, in which case, it will return true if the user is a member of the builtin administrators group, and false otherwise.

Note that due to UAC it is possible for Puppet.features.root? to return false even though you are an administrator. In other words, by default processes created by the administrator run with the restricted token, and you must explicitly run puppet with elevated privileges such as:

runas /user:administrator "puppet apply manifest.pp"

Whether or not we are “root” on Windows controls the following puppet behaviors:

  • The directory that we store puppet configuration
  • Whether we can chown/chgrp files

Note that chown/chgrp is not currently supported, but will be when we add support for the Windows file provider.

This change was merged into 2.7.x as commit:630ec36089e2224fba99b76d76eaf904af13e4d6

#3 Updated by Josh Cooper over 2 years ago

  • Affected Puppet version set to development

This was a problem on Windows 2003 R2 (but not 2003), where the call to GetTokenInformation for elevation info returns a different error code (GetLastError), and therefore exception message. So now we explicitly check for the platform version and only call GetTokenInformation when running on Vista/2008 or later. This change was merged into 2.7.x as commit:29c7bf2ce5d6912b6177b4477492507e0749a485
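
The version gate described in comment #3, sketched in Ruby as an added example (not Puppet's code and not part of the ticket). `windows_root?` and `Win32Probe` are hypothetical names; the Win32 calls go through Ruby's Fiddle and assume 64-bit Ruby on Windows.

```ruby
# Added illustration, not Puppet's implementation. windows_root? and the
# Win32Probe module are hypothetical names; assumes 64-bit Ruby on Windows.
TOKEN_QUERY     = 0x0008 # access right needed to read token information
TOKEN_ELEVATION = 20     # TOKEN_INFORMATION_CLASS value TokenElevation

# Version gate from comment #3: ask for elevation info only on Vista/2008
# (major version 6) or later; otherwise use Administrators group membership.
# The probes are passed in as callables so the gate can be exercised anywhere.
def windows_root?(os_major:, token_elevated:, admin_member:)
  os_major >= 6 ? token_elevated.call : admin_member.call
end

if Gem.win_platform?
  require 'fiddle/import'

  module Win32Probe
    extend Fiddle::Importer
    dlload 'kernel32', 'advapi32', 'shell32'
    extern 'unsigned long GetVersion()'
    extern 'void* GetCurrentProcess()'
    extern 'int CloseHandle(void*)'
    extern 'int OpenProcessToken(void*, unsigned long, void*)'
    extern 'int GetTokenInformation(void*, int, void*, unsigned long, void*)'
    extern 'int IsUserAnAdmin()'

    def self.os_major
      GetVersion() & 0xff # low byte of the result is the major version
    end

    # Fails closed: any API error is reported as "not elevated".
    def self.token_elevated?
      out = "\0" * Fiddle::SIZEOF_VOIDP # receives the token handle
      return false if OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out).zero?
      token = out.unpack1('J')
      info, len = "\0" * 4, "\0" * 4 # TOKEN_ELEVATION is a single DWORD
      ok = GetTokenInformation(token, TOKEN_ELEVATION, info, 4, len)
      !ok.zero? && info.unpack1('L') != 0
    ensure
      CloseHandle(token) if token
    end
  end

  puts windows_root?(os_major: Win32Probe.os_major,
                     token_elevated: -> { Win32Probe.token_elevated? },
                     admin_member: -> { Win32Probe.IsUserAnAdmin() != 0 })
end
```

On Vista/2008 or later, an administrator running with the restricted token gets `false` here, which is the UAC behaviour noted in comment #2.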

#4 Updated by Matthaus Owens over 2 years ago

  • Status changed from Merged - Pending Release to Closed
  • Target version changed from 2.7.x to 2.7.4

Released in 2.7.4rc1
