authorBryan McLellan <btm@loftninjas.org>2018-03-28 18:15:46 -0400
committerBryan McLellan <btm@loftninjas.org>2018-03-29 15:36:12 -0400
commit0698ccebd1f40a2ad21230813cbafb0330b0d107 (patch)
tree379d0c2b00706219cdcf2e5bc388a094c26ead7b
parent2151d6d435f6169ca41dc1f96324a3585ff22e06 (diff)
Avoid lookups for rights of 'LocalSystem' in windows service
LocalSystem is a special account for the service subsystem, and the security subsystem doesn't know about it. It inherits rights from BUILTIN\Administrators so we don't need to check it for SeServiceLogonRight. Even if we look up System it wouldn't show up as it gets that right from hidden membership in BUILTIN\Administrators. Signed-off-by: Bryan McLellan <btm@loftninjas.org>
-rw-r--r--lib/chef/provider/service/windows.rb3
-rw-r--r--spec/unit/provider/service/windows_spec.rb17
2 files changed, 11 insertions, 9 deletions
diff --git a/lib/chef/provider/service/windows.rb b/lib/chef/provider/service/windows.rb
index cba626145a..417ec03ef4 100644
--- a/lib/chef/provider/service/windows.rb
+++ b/lib/chef/provider/service/windows.rb
@@ -93,7 +93,8 @@ class Chef::Provider::Service::Windows < Chef::Provider::Service
Win32::Service.configure(new_config)
logger.info "#{@new_resource} configured with #{new_config.inspect}"
- if new_config.has_key?(:service_start_name)
+ # LocalSystem is the default runas user, which is a special service account that should ultimately have the rights of BUILTIN\Administrators, but we wouldn't see that from get_account_right
+ if new_config.has_key?(:service_start_name) && new_config[:service_start_name].casecmp("localsystem") != 0
unless Chef::ReservedNames::Win32::Security.get_account_right(canonicalize_username(new_config[:service_start_name])).include?(SERVICE_RIGHT)
grant_service_logon(new_config[:service_start_name])
end
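Review bot: The LocalSystem guard on the new `if` line compares the raw `:service_start_name` string before `canonicalize_username` is applied, so only the literal name `LocalSystem` (in any case) skips the rights lookup. Other spellings of the same account, if callers can pass them (for example a `.\`-prefixed form, which is not verifiable from this hunk), would still reach `get_account_right` and possibly `grant_service_logon`. The same line calls `casecmp` directly on the stored value, so a `nil` under that key would raise `NoMethodError` at the guard. Consider `start_name = new_config[:service_start_name]` followed by `if start_name && !start_name.casecmp("localsystem").zero?`, and shorten the long comment so it states which account names are deliberately exempt from the SeServiceLogonRight grant. The enclosing method starts and ends outside this hunk.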
diff --git a/spec/unit/provider/service/windows_spec.rb b/spec/unit/provider/service/windows_spec.rb
index 7cfc645b32..24c3e07f39 100644
--- a/spec/unit/provider/service/windows_spec.rb
+++ b/spec/unit/provider/service/windows_spec.rb
@@ -85,6 +85,7 @@ describe Chef::Provider::Service::Windows, "load_current_resource", :windows_onl
prvdr.current_resource = Chef::Resource::WindowsService.new("current-chef")
prvdr
end
+
let(:service_right) { Chef::Provider::Service::Windows::SERVICE_RIGHT }
before(:all) do
@@ -564,19 +565,11 @@ describe Chef::Provider::Service::Windows, "load_current_resource", :windows_onl
end
describe "running as a different account" do
- let(:old_run_as_user) { new_resource.run_as_user }
- let(:old_run_as_password) { new_resource.run_as_password }
-
before do
new_resource.run_as_user(".\\wallace")
new_resource.run_as_password("Wensleydale")
end
- after do
- new_resource.run_as_user(old_run_as_user)
- new_resource.run_as_password(old_run_as_password)
- end
-
it "calls #grant_service_logon if the :run_as_user and :run_as_password attributes are present" do
expect(Win32::Service).to receive(:start)
expect(provider).to receive(:grant_service_logon).and_return(true)
@@ -589,6 +582,14 @@ describe Chef::Provider::Service::Windows, "load_current_resource", :windows_onl
expect(Chef::ReservedNames::Win32::Security).not_to receive(:add_account_right).with("wallace", service_right)
provider.start_service
end
+
+ it "skips the rights check for LocalSystem" do
+ new_resource.run_as_user("LocalSystem")
+ expect(Win32::Service).to receive(:start)
+ expect(Chef::ReservedNames::Win32::Security).not_to receive(:get_account_right)
+ expect(Chef::ReservedNames::Win32::Security).not_to receive(:add_account_right)
+ provider.start_service
+ end
end
end
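Review bot: The new example "skips the rights check for LocalSystem" exercises only the exact spelling `LocalSystem`, while the provider change compares case-insensitively with `casecmp`, so the case-folding path is untested. A second example using `new_resource.run_as_user("localsystem")` would pin it. The example also asserts only on the two `Security` calls; adding `expect(provider).not_to receive(:grant_service_logon)` would state the intended outcome directly, namely that no logon-right grant is attempted for LocalSystem. Note that `run_as_password` still holds the value set in the surrounding `before` block when this example runs.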