(#10299) Use CheckTokenMembership to see if user has admin rights
1e541900c5eb · Unpublished

Description

(#10299) Use CheckTokenMembership to see if user has admin rights

Previously, on Windows 2003 and earlier, Puppet.features.root? was
implemented by checking if the current user is a member of the local
Administrators group. However, many accounts, e.g. LocalSystem, are
implicit members of this group, so Puppet.features.root? would
incorrectly return false. This led to puppet not being able to find
its default configuration directory, among other things.

Conversely, a process can be executing using a restricted token, so
while the user may be a member of the Administrators group, the
process will be running with fewer privileges, and
Puppet.features.root? would incorrectly return true.

This commit uses CheckTokenMembership to determine if the local
Administrators group SID is both present and enabled in the calling
thread's access token.

The behavior on Vista/2008 is unchanged. The calling thread's token
must be currently elevated.
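
The two failure modes described above can be reproduced with a small model. This is an added example, not code from the commit or from Puppet: it does not call the Windows API, and the account names, member list and tokens are constructed. Only the Administrators SID and the two group attribute flags are real Windows values.

```ruby
# Model of the two checks contrasted in the commit message. All accounts,
# tokens and group data below are constructed for illustration.
ADMINS_SID = 'S-1-5-32-544'             # BUILTIN\Administrators (well-known SID)
SE_GROUP_ENABLED           = 0x00000004 # winnt.h group attribute flags
SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010

Token = Struct.new(:user, :groups)      # groups: { sid => attribute bitmask }

# Constructed explicit member list of the local Administrators group.
LOCAL_ADMIN_MEMBERS = %w[Administrator alice].freeze

# Old approach: is the user listed as a member of the group?
def listed_in_admin_group?(token)
  LOCAL_ADMIN_MEMBERS.include?(token.user)
end

# New approach, modelling what CheckTokenMembership reports: the SID must be
# present in the token and carry SE_GROUP_ENABLED. A deny-only SID in a
# restricted token does not have that attribute set.
def token_has_enabled_sid?(token, sid = ADMINS_SID)
  attrs = token.groups[sid]
  !attrs.nil? && (attrs & SE_GROUP_ENABLED) != 0
end

TOKENS = {
  local_system: Token.new('SYSTEM', { ADMINS_SID => SE_GROUP_ENABLED }),
  restricted:   Token.new('alice',  { ADMINS_SID => SE_GROUP_USE_FOR_DENY_ONLY }),
  full_admin:   Token.new('alice',  { ADMINS_SID => SE_GROUP_ENABLED }),
  plain_user:   Token.new('bob',    {})
}.freeze

# Run both checks against every constructed token.
def compare_checks
  TOKENS.to_h do |name, token|
    [name, { listed: listed_in_admin_group?(token),
             token: token_has_enabled_sid?(token) }]
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_checks.each do |name, r|
    puts format('%-13s listed=%-5s token=%s', name, r[:listed], r[:token])
  end
end
```

The `local_system` and `restricted` rows are the two cases where the checks disagree: the member-list check gives the wrong answer in both, the token check gives the right one.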

Details

Provenance
Josh Cooper <josh@puppetlabs.com> Authored on
Jeff McCune <jeff@puppetlabs.com> Committed on Feb 10 2012, 9:18 PM
vanmeeuwen Pushed on Jun 2 2015, 2:22 PM
Parents
rPU44af10ff5362: (#10299) Refactor Windows administrator detection
Branches
Unknown
Tags
Unknown

Event Timeline

Jeff McCune <jeff@puppetlabs.com> committed rPU1e541900c5eb: (#10299) Use CheckTokenMembership to see if user has admin rights (authored by Josh Cooper <josh@puppetlabs.com>). Feb 10 2012, 9:18 PM