Skip to content

Commit

Permalink
Rewrite check for admin (elastic#23970)
Browse files Browse the repository at this point in the history
* rewrite hasroot

* rename

* updates

* fix linux

* update changelog
  • Loading branch information
narph authored Feb 25, 2021
1 parent c5821d9 commit 29942ff
Show file tree
Hide file tree
Showing 6 changed files with 58 additions and 14 deletions.
1 change: 1 addition & 0 deletions x-pack/elastic-agent/CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@
- Fix issue of missing log messages from filebeat monitor {pull}23514[23514]
- Increase checkin grace period to 30 seconds {pull}23568[23568]
- Fix libbeat from reporting back degraded on config update {pull}23537[23537]
- Rewrite check if agent is running with admin rights on Windows {pull}23970[23970]
- Fix issues with dynamic inputs and conditions {pull}23886[23886]
- Fix bad substitution of API key. {pull}24036[24036]
- Fix docker enrollment issue related to Fleet Server change. {pull}24155[24155]
Expand Down
7 changes: 5 additions & 2 deletions x-pack/elastic-agent/pkg/agent/cmd/install.go
Original file line number Diff line number Diff line change
Expand Up @@ -44,8 +44,11 @@ would like the Agent to operate.
}

func installCmd(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args []string) error {
var err error
if !install.HasRoot() {
isAdmin, err := install.HasRoot()
if err != nil {
return fmt.Errorf("unable to perform install command while checking for administrator rights, %v", err)
}
if !isAdmin {
return fmt.Errorf("unable to perform install command, not executed with %s permissions", install.PermissionUser)
}
status, reason := install.Status()
Expand Down
10 changes: 7 additions & 3 deletions x-pack/elastic-agent/pkg/agent/cmd/uninstall.go
Original file line number Diff line number Diff line change
Expand Up @@ -37,8 +37,12 @@ Unless -f is used this command will ask confirmation before performing removal.
}

func uninstallCmd(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags, args []string) error {
if !install.HasRoot() {
return fmt.Errorf("unable to perform uninstall command, not executed with %s permissions", install.PermissionUser)
isAdmin, err := install.HasRoot()
if err != nil {
return fmt.Errorf("unable to perform command while checking for administrator rights, %v", err)
}
if !isAdmin {
return fmt.Errorf("unable to perform command, not executed with %s permissions", install.PermissionUser)
}
status, reason := install.Status()
if status == install.NotInstalled {
Expand Down Expand Up @@ -72,7 +76,7 @@ func uninstallCmd(streams *cli.IOStreams, cmd *cobra.Command, flags *globalFlags
}
}

err := install.Uninstall()
err = install.Uninstall()
if err != nil {
return err
}
Expand Down
5 changes: 3 additions & 2 deletions x-pack/elastic-agent/pkg/agent/install/root_unix.go
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ const (
)

// HasRoot returns true if the user has root permissions.
func HasRoot() bool {
return os.Getegid() == 0
// Added extra `nil` value to return since the HasRoot for windows will return an error as well
func HasRoot() (bool, error) {
return os.Getegid() == 0, nil
}
29 changes: 22 additions & 7 deletions x-pack/elastic-agent/pkg/agent/install/root_windows.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,8 @@
package install

import (
"os"
"github.com/pkg/errors"
"golang.org/x/sys/windows"
)

const (
Expand All @@ -16,12 +17,26 @@ const (
)

// HasRoot returns true if the user has Administrator/SYSTEM permissions.
func HasRoot() bool {
// only valid rights can open the physical drive
f, err := os.Open("\\\\.\\PHYSICALDRIVE0")
func HasRoot() (bool, error) {
var sid *windows.SID
// See https://docs.microsoft.com/en-us/windows/desktop/api/securitybaseapi/nf-securitybaseapi-checktokenmembership for more on the api
err := windows.AllocateAndInitializeSid(
&windows.SECURITY_NT_AUTHORITY,
2,
windows.SECURITY_BUILTIN_DOMAIN_RID,
windows.DOMAIN_ALIAS_RID_ADMINS,
0, 0, 0, 0, 0, 0,
&sid)
if err != nil {
return false
return false, errors.Errorf("sid error: %s", err)
}
defer f.Close()
return true

token := windows.Token(0)

member, err := token.IsMember(sid)
if err != nil {
return false, errors.Errorf("token membership error: %s", err)
}

return member, nil
}
20 changes: 20 additions & 0 deletions x-pack/elastic-agent/pkg/agent/install/root_windows_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
// or more contributor license agreements. Licensed under the Elastic License;
// you may not use this file except in compliance with the Elastic License.

// +build windows

package install

import (
"testing"

"github.com/stretchr/testify/assert"
)

func TestHasRoot(t *testing.T) {
t.Run("check if user is admin", func(t *testing.T) {
_, err := HasRoot()
assert.NoError(t, err)
})
}

0 comments on commit 29942ff

Please sign in to comment.