  1. Puppet
  2. PUP-10248

windows pidlock can raise access denied

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 5.5.20, PUP 6.15.0
    • Component/s: None
    • Labels:
    • Template:
      PUP Bug Template
    • Epic Link:
    • Team:
      Night's Watch
    • Story Points:
      3
    • Sprint:
      NW - 2020-04-01, NW - 2020-04-15
    • Method Found:
      Needs Assessment
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Use `SeDebugPrivilege` on Windows when opening a lockfile PID in order to determine whether the process is a Puppet process.
    • QA Risk Assessment:
      Needs Assessment

      Description

      If puppet is running in the background as a service, and you run `puppet agent -t` in the foreground, then the foreground process may not have permission to open the process token for the background process running as LocalSystem, resulting in an ugly error message:

      c:\Program Files\Puppet Labs\Puppet\puppet\lib\ruby\vendor_ruby\puppet>puppet agent -t --trace
      Error: Could not run Puppet configuration client: OpenProcess(2000, 0, 1604):  Access is denied.
      c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/windows/process.rb:73:in `open_process'
      c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/windows/process.rb:125:in `get_process_image_name_by_pid'
      c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/pidlock.rb:69:in `clear_if_stale'
      c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/pidlock.rb:11:in `locked?'
      c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/pidlock.rb:20:in `lock'
      c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent/locker.rb:19:in `lock'
      

      Puppet should either interpret that to mean "the pid specified in the lockfile is still running" or it needs to enable the `SeDebugPrivilege` prior to calling `OpenProcess` like we do when managing file DACLs. The former is unable to tell if the running process is puppet/ruby or some other process that is now reusing the stale pid, which is the problem we had originally. Might be able to run `tasklist` to get the command line, though enabling the debug privilege would definitely detect if the process id is puppet:

      with_privilege(SE_DEBUG_PRIVILEGE) do
        open_process(PROCESS_QUERY_INFORMATION, false, pid) do |phandle|
          ...
        end
      end
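
The two options weighed in the description, as an added Ruby model that is not Puppet's code: the process table, `image_name`, `lock_state` and `compare` are hypothetical, and the access rule is a simplification. It shows that treating access denied as "still running" keeps a lock whose pid was reused by another SYSTEM process, while a check made with the debug privilege enabled identifies it as stale.

```ruby
# Added example: a model of the stale-lock decision, not Puppet's pidlock.rb.
# Process inspection is simulated so the logic runs on any OS.

class AccessDenied < StandardError; end # stands in for "Access is denied."

# Constructed process table: pid => [image name, owner]
PROCESSES = {
  1604 => ['ruby.exe', 'SYSTEM'],    # background agent service
  2212 => ['notepad.exe', 'alice'],  # user process that reused a stale pid
  3300 => ['svchost.exe', 'SYSTEM']  # SYSTEM process that reused a stale pid
}.freeze

# Returns the image name for +pid+, or nil if no such process exists.
# Simplification: SYSTEM-owned processes can only be opened by SYSTEM or by
# a user that has enabled the debug privilege.
def image_name(pid, user:, debug_privilege:)
  name, owner = PROCESSES[pid]
  return nil unless name
  if owner == 'SYSTEM' && user != 'SYSTEM' && !debug_privilege
    raise AccessDenied, "OpenProcess(#{pid}): Access is denied."
  end
  name
end

# :held  -> the lock owner is alive, do not start another run
# :stale -> the lockfile can be cleared
def lock_state(pid, user:, debug_privilege:)
  name = image_name(pid, user: user, debug_privilege: debug_privilege)
  return :stale if name.nil? # pid no longer exists
  # Assumed match rule: only ruby/puppet images count as the lock owner.
  name.match?(/\A(ruby|puppet)\.exe\z/i) ? :held : :stale
rescue AccessDenied
  # First option in the ticket: cannot inspect, so assume still running.
  :held
end

# Outcome per pid as [without privilege, with privilege].
def compare(pid, user: 'alice')
  [false, true].map { |priv| lock_state(pid, user: user, debug_privilege: priv) }
end

[1604, 2212, 3300, 9999].each { |pid| puts "#{pid}: #{compare(pid).inspect}" }
```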
      

              People

              Assignee:
              gabriel.nagy Gabriel Nagy
              Reporter:
              josh Josh Cooper