Jira (PUP-10248) windows pidlock can raise access denied


Josh Cooper (JIRA)

Jan 23, 2020, 1:17:05 AM
to puppe...@googlegroups.com
Josh Cooper created an issue
Puppet / Bug PUP-10248
windows pidlock can raise access denied
Issue Type: Bug
Assignee: Unassigned
Created: 2020/01/22 10:16 PM
Priority: Normal
Reporter: Josh Cooper

If puppet is running in the background as a service, and you run puppet agent -t in the foreground, then the foreground process may not have permission to open the process token for the background process running as LocalSystem, resulting in an ugly error message:

c:\Program Files\Puppet Labs\Puppet\puppet\lib\ruby\vendor_ruby\puppet>puppet agent -t --trace
Error: Could not run Puppet configuration client: OpenProcess(2000, 0, 1604):  Access is denied.
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/windows/process.rb:73:in `open_process'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/windows/process.rb:125:in `get_process_image_name_by_pid'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/pidlock.rb:69:in `clear_if_stale'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/pidlock.rb:11:in `locked?'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/pidlock.rb:20:in `lock'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent/locker.rb:19:in `lock'

Puppet should either interpret that to mean "the pid specified in the lockfile is still running" or it needs to enable the SeDebugPrivilege prior to calling OpenProcess like we do when managing file DACLs. The latter is the only way to detect if the process id is puppet or something else that's now reusing that pid:

with_privilege(SE_DEBUG_PRIVILEGE) do
  open_process(PROCESS_QUERY_INFORMATION, false, pid) do |phandle|
    ...
  end
end

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

Josh Cooper (JIRA)

Jan 23, 2020, 1:06:04 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Team: Night's Watch

Josh Cooper (JIRA)

Jan 23, 2020, 1:06:04 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
If puppet is running in the background as a service, and you run {{puppet agent -t}} in the foreground, then the foreground process may not have permission to open the process token for the background process running as {{LocalSystem}}, resulting in an ugly error message:

{noformat}

c:\Program Files\Puppet Labs\Puppet\puppet\lib\ruby\vendor_ruby\puppet>puppet agent -t --trace
Error: Could not run Puppet configuration client: OpenProcess(2000, 0, 1604):  Access is denied.
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/windows/process.rb:73:in `open_process'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/windows/process.rb:125:in `get_process_image_name_by_pid'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/pidlock.rb:69:in `clear_if_stale'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/pidlock.rb:11:in `locked?'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/pidlock.rb:20:in `lock'
c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent/locker.rb:19:in `lock'
{noformat}

Puppet should either interpret that to mean "the pid specified in the lockfile is still running" or it needs to enable the {{SeDebugPrivilege}} prior to calling {{OpenProcess}} like we do when managing file DACLs. The former is unable to tell if the running process is puppet/ruby or some other process that is now reusing the stale pid, which is the problem we had originally. Might be able to run {{tasklist}} to get the command line, though enabling the debug privilege would definitely detect if the process id is puppet:

{code:ruby}

with_privilege(SE_DEBUG_PRIVILEGE) do
  open_process(PROCESS_QUERY_INFORMATION, false, pid) do |phandle|
    ...
  end
end
{code}
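The decision space the two messages above describe (treat access denied as "still locked", or enable SeDebugPrivilege so the image name can actually be read and a reused pid detected), as an added example that is not code from the Puppet project. The Win32 calls (OpenProcess/QueryFullProcessImageName inside with_privilege) are replaced by an injectable lookup over a constructed process table, so the logic runs on any platform; the pids, image paths and the puppet.exe/ruby.exe image list are assumptions for illustration only.

```ruby
# Added example, not Puppet's own code. Models Puppet::Util::Pidlock#clear_if_stale
# on Windows with the Win32 process query replaced by a lookup lambda.
require 'tmpdir'

module PidlockCheck
  # Stand-ins for the two OpenProcess outcomes that matter here.
  AccessDenied  = Class.new(StandardError) # ERROR_ACCESS_DENIED: pid alive, handle not openable
  NoSuchProcess = Class.new(StandardError) # no live process with that pid

  # Assumed image names a live Puppet agent can have on Windows.
  PUPPET_IMAGES = %w[puppet.exe ruby.exe].freeze

  # Constructed process table: pid => { image:, protected: }.
  # `protected` models a LocalSystem process that a non-elevated caller
  # cannot open without SeDebugPrivilege (the background agent service,
  # or an unrelated system process that has since reused the pid).
  SAMPLE_PROCESSES = {
    1604 => { image: 'C:\Program Files\Puppet Labs\Puppet\puppet\bin\ruby.exe', protected: true },
    2212 => { image: 'C:\Windows\System32\notepad.exe', protected: true },
    3000 => { image: 'C:\Users\alice\ruby.exe', protected: false },
  }.freeze

  # Lookup as the plain foreground user: protected processes raise AccessDenied,
  # which is exactly the failure in the ticket's trace.
  def self.unprivileged_lookup(table = SAMPLE_PROCESSES)
    lambda do |pid|
      entry = table[pid] or raise NoSuchProcess, "pid #{pid}"
      raise AccessDenied, "OpenProcess(#{pid}): Access is denied." if entry[:protected]
      entry[:image]
    end
  end

  # Lookup as if run inside with_privilege(SE_DEBUG_PRIVILEGE): any live
  # process can be opened, so the image name is always available.
  def self.debug_privileged_lookup(table = SAMPLE_PROCESSES)
    lambda do |pid|
      entry = table[pid] or raise NoSuchProcess, "pid #{pid}"
      entry[:image]
    end
  end

  # Classify the pid found in a lockfile:
  #   :locked        a Puppet process owns the lock
  #   :stale         pid is dead or reused by an unrelated process; safe to remove
  #   :assume_locked could not inspect the process; fail closed and keep the lock
  def self.classify(pid, lookup)
    image = lookup.call(pid)
    basename = image.split(/[\\\/]/).last.downcase # handle Windows paths on any host
    PUPPET_IMAGES.include?(basename) ? :locked : :stale
  rescue NoSuchProcess
    :stale
  rescue AccessDenied
    :assume_locked
  end

  # Mirrors clear_if_stale: delete the lockfile only when it is provably stale.
  # Returns the verdict so the caller can log why a lock was kept.
  def self.clear_if_stale(lockfile, lookup)
    pid = Integer(File.read(lockfile).strip)
    verdict = classify(pid, lookup)
    File.delete(lockfile) if verdict == :stale
    verdict
  end

  # Demo: lockfile naming `pid`, checked first without and then with the
  # debug privilege. Returns [verdict_without, verdict_with, lockfile_still_exists].
  def self.demo(pid)
    Dir.mktmpdir('pidlock') do |dir|
      path = File.join(dir, 'agent_catalog_run.lock')
      File.write(path, "#{pid}\n")
      without = clear_if_stale(path, unprivileged_lookup)
      with    = clear_if_stale(path, debug_privileged_lookup)
      [without, with, File.exist?(path)]
    end
  end
end

if $PROGRAM_NAME == __FILE__
  p PidlockCheck.demo(1604) # agent service still running: lock is kept either way
  p PidlockCheck.demo(2212) # pid reused by notepad.exe: only the privileged check frees it
end
```

Without the privilege the safe answer to "Access is denied" is to keep the lock (fail closed), but then a lock left behind by a crashed agent whose pid has been reused by a LocalSystem process is never cleared; with SeDebugPrivilege the image name can be read and the reused pid is correctly reported as stale.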

Mihai Buzgau (JIRA)

Jan 28, 2020, 11:21:04 AM
to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: PR - Triage

Mihai Buzgau (Jira)

Mar 18, 2020, 6:10:03 AM
to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Story Points: 3

Mihai Buzgau (Jira)

Mar 18, 2020, 6:10:04 AM
to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: NW - 2020-04-01 (was PR - Triage)

Luchian Nemes (Jira)

Mar 19, 2020, 4:19:04 AM
to puppe...@googlegroups.com
Luchian Nemes assigned an issue to Luchian Nemes
Change By: Luchian Nemes
Assignee: Luchian Nemes

Gabriel Nagy (Jira)

Mar 20, 2020, 5:47:03 AM
to puppe...@googlegroups.com
Gabriel Nagy assigned an issue to Gabriel Nagy
Change By: Gabriel Nagy
Assignee: Gabriel Nagy (was Luchian Nemes)

Mihai Buzgau (Jira)

Apr 1, 2020, 3:51:03 AM
to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Sprint: NW - 2020-04-01, NW - 2020-04-15

Gabriel Nagy (Jira)

Apr 7, 2020, 11:28:03 AM
to puppe...@googlegroups.com
Gabriel Nagy updated an issue
Change By: Gabriel Nagy
Release Notes: Bug Fix
Release Notes Summary: Use `SeDebugPrivilege` on Windows when opening a lockfile PID in order to determine whether the process is a Puppet process.

Gabriel Nagy (Jira)

Apr 23, 2020, 8:01:03 AM
to puppe...@googlegroups.com
Gabriel Nagy updated an issue
Change By: Gabriel Nagy
Fix Version/s: PUP 6.15.0
Fix Version/s: PUP 5.5.20

Claire Cadman (Jira)

Apr 27, 2020, 8:34:03 AM
to puppe...@googlegroups.com
Claire Cadman updated an issue
Change By: Claire Cadman
Labels: doc_reviewed