Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-10248

windows pidlock can raise access denied

    XMLWordPrintable

Details

    • Bug
    • Status: Resolved
    • Normal
    • Resolution: Fixed
    • None
    • PUP 5.5.20, PUP 6.15.0
    • None
    • Night's Watch
    • 3
    • NW - 2020-04-01, NW - 2020-04-15
    • Needs Assessment
    • Bug Fix
    • Use `SeDebugPrivilege` on Windows when opening a lockfile PID in order to determine whether the process is a Puppet process.
    • Needs Assessment

    Description

      If puppet is running in the background as a service, and you run puppet agent -t in the foreground, then the foreground process may not have permission to open the process token for the background process running as LocalSystem resulting in an ugly error message:

      c:\Program Files\Puppet Labs\Puppet\puppet\lib\ruby\vendor_ruby\puppet>puppet agent -t --trace
      		 
      Error: Could not run Puppet configuration client: OpenProcess(2000, 0, 1604):  Access is denied.
      		 
      c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/windows/process.rb:73:in `open_process'
      		 
      c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/windows/process.rb:125:in `get_process_image_name_by_pid'
      		 
      c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/pidlock.rb:69:in `clear_if_stale'
      		 
      c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/pidlock.rb:11:in `locked?'
      		 
      c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/util/pidlock.rb:20:in `lock'
      		 
      c:/Program Files/Puppet Labs/Puppet/puppet/lib/ruby/vendor_ruby/puppet/agent/locker.rb:19:in `lock'

      Puppet should either interpret that to mean "the pid specified in the lockfile is still running" or it needs to enable the SeDebugPrivilege prior to calling OpenProcess like we do when managing file DACLs. The former is unable to tell if the running process is puppet/ruby or some other process that is now reusing the stale pid, which is the problem we had originally. Might be able to run tasklist to get the command line, though enabling the debug privilege would definitely detect if the process id is puppet:

      with_privilege(SE_DEBUG_PRIVILEGE) do
      		 
        open_process(PROCESS_QUERY_INFORMATION, false, pid) do |phandle|
      		 
          ...
      		 
        end
      		 
      end

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. PUP-3914 Intermittent lock file left after reboot.

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed

          Activity

            People

              gabriel.nagy Gabriel Nagy
              josh Josh Cooper
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Zendesk Support