switch to consistent HasRoot method on windows and fix memory leak (#…
leehinman authored Jan 4, 2024
1 parent e651eb3 commit 9500980
Showing 2 changed files with 10 additions and 37 deletions.
37 changes: 3 additions & 34 deletions pkg/control/v2/server/listener_windows.go
Expand Up @@ -10,7 +10,6 @@ import (
"fmt"
"net"
"os/user"
"strings"

"github.com/elastic/elastic-agent-libs/api/npipe"

Expand All @@ -37,14 +36,10 @@ func securityDescriptor(log *logger.Logger) (string, error) {
if err != nil {
return "", fmt.Errorf("failed to get current user: %w", err)
}
// Named pipe security and access rights.
// We create the pipe and the specific users should only be able to write to it.
// See docs: https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipe-security-and-access-rights
// String definition: https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings
// Give generic read/write access to the specified user.

descriptor := "D:P(A;;GA;;;" + u.Uid + ")"

if isAdmin, err := isWindowsAdmin(u); err != nil {
if isAdmin, err := utils.HasRoot(); err != nil {
// do not fail, agent would end up in a loop, continue with limited permissions
log.Warnf("failed to detect admin: %w", err)
} else if isAdmin {
Expand All @@ -53,32 +48,6 @@ func securityDescriptor(log *logger.Logger) (string, error) {
// https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
descriptor += "(A;;GA;;;" + utils.AdministratorSID + ")"
}
return descriptor, nil
}

func isWindowsAdmin(u *user.User) (bool, error) {
if u.Username == "NT AUTHORITY\\SYSTEM" {
return true, nil
}

if equalsSystemGroup(u.Uid) || equalsSystemGroup(u.Gid) {
return true, nil
}

groups, err := u.GroupIds()
if err != nil {
return false, fmt.Errorf("failed to get current user groups: %w", err)
}

for _, groupSid := range groups {
if equalsSystemGroup(groupSid) {
return true, nil
}
}

return false, nil
}

func equalsSystemGroup(s string) bool {
return strings.EqualFold(s, utils.SystemSID) || strings.EqualFold(s, utils.AdministratorSID)
return descriptor, nil
}
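Review bot: Replacing isWindowsAdmin(u) with `if isAdmin, err := utils.HasRoot(); err != nil {` narrows what counts as admin: the removed code matched the user name, Uid, Gid and user.GroupIds() against SystemSID/AdministratorSID, whereas HasRoot (see its body in pkg/utils/root_windows.go) asks the current token whether it is a member of a single allocated SID, which on the UAC-filtered token of a non-elevated administrator presumably answers false where the group-list comparison answered true. If that stricter behaviour is intended, a comment at the call site such as `// HasRoot reflects the effective (possibly UAC-filtered) token, so the Administrators ACE is only added when the agent actually runs elevated` would record it; whether the NT AUTHORITY\SYSTEM case that isWindowsAdmin handled explicitly is still covered depends on which SID HasRoot allocates, which is outside this hunk. The context line `log.Warnf("failed to detect admin: %w", err)` also uses the %w verb, which only fmt.Errorf understands; a Sprintf-style logger likely renders it as %!w, so `%v` would be the right verb there. securityDescriptor begins outside the hunk.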
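--- a/pkg/utils/root_windows.go
+++ b/pkg/utils/root_windows.go
@@ -7,7 +7,8 @@
 package utils
 
 import (
-"github.com/pkg/errors"
+"fmt"
+
 "golang.org/x/sys/windows"
 )
 
@@ -28,14 +29,17 @@ func HasRoot() (bool, error) {
 0, 0, 0, 0, 0, 0,
 &sid)
 if err != nil {
-return false, errors.Errorf("sid error: %s", err)
+return false, fmt.Errorf("allocate sid error: %w", err)
 }
+defer func() {
+_ = windows.FreeSid(sid)
+}()
 
 token := windows.Token(0)
 
 member, err := token.IsMember(sid)
 if err != nil {
-return false, errors.Errorf("token membership error: %s", err)
+return false, fmt.Errorf("token membership error: %w", err)
 }
 
 return member, nil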
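Review bot: The added `defer func() { _ = windows.FreeSid(sid) }()` discards FreeSid's error without saying why, which otherwise reads as an oversight rather than a decision; a comment such as `// FreeSid fails only for a SID not obtained from AllocateAndInitializeSid; there is nothing useful to do with the error at this point` would make the intent explicit (hedge it if that failure mode has not been checked against the API docs). In the same hunk `windows.Token(0)` is a null handle, which per the Windows API documentation makes the membership check use the calling thread's own token rather than an explicitly opened one, so the answer reflects the current, possibly UAC-filtered, token; since securityDescriptor in pkg/control/v2/server/listener_windows.go now builds its pipe ACL on this result, HasRoot's doc comment should state that. The subauthority arguments that determine which SID is tested, and HasRoot's signature and doc comment, are outside the hunk.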
