Closed Bug 1458083 Opened 7 years ago Closed 7 years ago

win10 loaner has limited permissions

Categories

(Taskcluster :: Workers, defect)

Unspecified
Windows 10
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: handyman, Assigned: pmoore)

Attachments

(3 files)

The Windows 10 loaner setup does not give Admin permissions to the user. There are a few things that would be good to have but can't be done because of this. If admin privileges can't be given, maybe there is a way to provide some of these tasks without granting it.

* I have not found a debugger that can be installed without admin privileges. They should require admin to run, though. If they were installed with all user run privileges, this would be sufficient. I've tried Visual Studio and WinDbg. I've also tried installing them to locations that I know I have write access to.
* Process monitors can't be installed -- mainly this is about Process Monitor in Windows System Internals. I note that the uninstalled zip of the app is in the C:\ root dir but needs admin privileges to run.
Component: General → Generic-Worker
QA Contact: pmoore
Hey Pete, curious if releng can get this work added into a roadmap. Not having full permissions on our loaners can get in the way of debugging issues in our infra.
Flags: needinfo?(pmoore)
(In reply to Jim Mathies [:jimm] from comment #1)
> Hey Pete, curious if releng can get this work added into a roadmap. Not
> having full permissions on our loaners can get in the way of debugging
> issues in our infra.

Apologies, I've been on PTO so have only just seen this.

I suspect this can already be done by using the osGroups feature of generic-worker[1].

In the task definition for the loaner task, add the following to the task payload:

    payload:
      ...
      osGroups:
        - Administrators

This will require that you have the scope generic-worker:os-group:Administrators - but you can request this in #taskcluster or via a bug in Taskcluster :: Service Request.

Then the task user should already be in the Administrators group when the loaner task is created.

--
[1] https://docs.taskcluster.net/reference/workers/generic-worker/docs/payload
Flags: needinfo?(pmoore)
Hi Jim, Dave,

If this works for you, please consider updating the wiki page:

https://wiki.mozilla.org/ReleaseEngineering/How_To/Self_Provision_a_TaskCluster_Windows_Instance#For_generic-worker_10.5.0_onwards

Alternatively, let me know in this bug if it works for you, and I can update the wiki page.

Many thanks, and sorry again for delay.
Flags: needinfo?(jmathies)
Flags: needinfo?(davidp99)
Thanks Pete. I'm trying to check this out but I still am not getting admin permissions in the loaner. I was able to launch the loaner with the Administrators request but the account didn't have the permission. I say this because, in addition to being unable to install apps (because of the UAC login screen), the user can't launch gpedit.msc ("You do not have permission to perform this operation. Access is denied."). So... not admin.

Even more specifically, here's what I did:

1. Select the task from a test job in treeherder.
2. Edit task, adding the following:
   * adding my identity to the payload rdpInfo: section
   * in payload section, replace
     > scopes: []
     with:
     > scopes:
     >   - 'generic-worker:allow-rdp:aws-provisioner-v1/gecko-t-win10-64'
     >   - 'generic-worker:os-group:Administrators'
   * also in payload section, replace
     > osGroups: []
     with
     > osGroups:
     >   - Administrators
3. Create Task and rdp to the session using the credentials in rdpinfo.txt

I believe I have the `generic-worker:os-group:Administrators` scope -- taskcluster's Credential Information says I have `generic-worker:os-group:*`.
Flags: needinfo?(davidp99)
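The scope question raised in the comment above can be checked mechanically. The following is an added example, not Taskcluster or generic-worker code: it assumes each `osGroups` entry needs the scope `generic-worker:os-group:<group>` as stated in this bug, that scopes are read from the task definition's top-level `scopes` list, and that a held scope ending in `*` matches by prefix. The function names and sample task are hypothetical.

```python
# Added example (not Taskcluster or generic-worker code).
# Assumption: each payload.osGroups entry needs the scope
# "generic-worker:os-group:<group>", as stated in this bug.

def satisfies(held, required):
    """True if one held scope grants `required`.

    Taskcluster scope matching: exact match, or a held scope ending in '*'
    matches any scope that starts with the text before the '*'.
    """
    return any(
        h == required or (h.endswith("*") and required.startswith(h[:-1]))
        for h in held
    )

def os_group_scopes(task):
    """Scopes implied by the task's payload.osGroups list."""
    groups = task.get("payload", {}).get("osGroups") or []
    return [f"generic-worker:os-group:{g}" for g in groups]

def audit(task, creator_scopes):
    """Report where a loaner task's osGroups request would be refused."""
    needed = os_group_scopes(task)
    task_scopes = task.get("scopes") or []
    return {
        # needed by the worker but not declared in the task's own scopes
        "not_in_task_scopes": [s for s in needed if not satisfies(task_scopes, s)],
        # declared by the task but not grantable by whoever creates it
        "creator_lacks": [s for s in task_scopes if not satisfies(creator_scopes, s)],
    }

# Constructed sample mirroring the edits described in the comment above.
SAMPLE_TASK = {
    "scopes": [
        "generic-worker:allow-rdp:aws-provisioner-v1/gecko-t-win10-64",
        "generic-worker:os-group:Administrators",
    ],
    "payload": {"osGroups": ["Administrators"]},
}
CREATOR = ["generic-worker:os-group:*"]  # constructed: only the scope quoted above

if __name__ == "__main__":
    print(audit(SAMPLE_TASK, CREATOR))
```

An empty result in both lists only shows that the group request is authorized; it says nothing about whether the resulting session is elevated under UAC.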
Hi David,

I managed to get Administrator privileges, but it was a little tricky, due to several features being disabled in the loaner. I'll create a separate bug about this, as it seems the win10 environments have quite a lot of interactive features disabled which can make using loaners quite tricky.

I created https://tools.taskcluster.net/groups/RE74a1gFTMmVgG79_xdpCA/tasks/RE74a1gFTMmVgG79_xdpCA/runs/0 as a copy of the task you created.

When logging in, I could not see installed programs, or right click on start menu to open a command prompt or powershell prompt as Admin, so I resorted to opening a regular cmd.exe shell. From there, I could see that the task user was in the local Administrators group:

> Microsoft Windows [Version 10.0.15063]
> (c) 2017 Microsoft Corporation. All rights reserved.
>
> C:\Windows\System32>net localgroup Administrators
> Alias name     Administrators
> Comment        Administrators have complete and unrestricted access to the computer/domain
>
> Members
>
> -------------------------------------------------------------------------------
> Administrator
> task_1527672240
> The command completed successfully.
>
>
> C:\Windows\System32>whoami
> i-015fe55bb8553\task_1527672240

The only way I could see to gain UAC privileges was to open a cmd shell using powershell:

> C:\Windows\System32>powershell.exe Start-Process cmd.exe -Verb runAs

This then opened a confirmation dialogue, that asked me for the Administrator password. *However* there is a "More Choices" option in the same dialogue that you can click on, that allows you to select the task user, and copy/paste the password you received in artifact "login-identity/mozilla-auth0/ad|Mozilla-LDAP|davidp99/rdpinfo.txt". Using this, I was able to open an elevated cmd.exe shell (screenshots attached).

I realise there are quite a lot of hoops to jump through here, so I'll be opening bugs to simplify this process. Hopefully this should unblock you though.

Please do let me know if you have any issues, and I'll update the wiki page[1] in the meantime.

--
[1] https://wiki.mozilla.org/ReleaseEngineering/How_To/Self_Provision_a_TaskCluster_Windows_Instance#For_generic-worker_10.5.0_onwards
Attached image Initial UAC prompt
Assignee: nobody → pmoore
Status: NEW → ASSIGNED
Attached image "More choices" dialogue
Attached image Elevated command shell
See Also: → 1465374
(In reply to Pete Moore [:pmoore][:pete] from comment #5)
> Hi David,
>
> I managed to get Administrator privileges, but it was a little tricky, due
> to several features being disabled in the loaner. I'll create a separate bug
> about this, as it seems the win10 environments have quite a lot of
> interactive features disabled which can make using loaners quite tricky.

Created bug 1465374 for this.

(In reply to Pete Moore [:pmoore][:pete] from comment #5)
> Please do let me know if you have any issues, and I'll update the wiki
> page[1] in the meantime.

Done: https://wiki.mozilla.org/index.php?title=ReleaseEngineering/How_To/Self_Provision_a_TaskCluster_Windows_Instance&oldid=1194794#Performing_operations_as_Administrator
Flags: needinfo?(davidp99)
I was able to install WinDbg but the process was a little different (actually, easier) for me. Issue was just that the powershell command didn't produce the UAC.

1. Launch cmd.exe from a Windows Explorer window to circumvent desktop interactivity issues (I think your bug 1465374 is like what I wrote in bug 1458087).
2. Tried `powershell.exe Start-Process cmd.exe -Verb runAs`. I get a dialog that says something like "This computer can not run this software." Note that once I complete steps below that do "log in", this changes and I see the behavior you mention (i.e. the window with the More Choices link).
3. `net localgroup Administrators` shows Administrator permission
4. I brought up the UAC by downloading and running the windbg installer. This time the window with the "More Choices" option was present and I was able to switch to the task user and use the RDP password to get permission.

(FYI, I was able to work around the need for a debugger and dealt with my original issue weeks ago. I'm happy to try out solutions but none of this is pressing for me at this point.)
Flags: needinfo?(davidp99)
Thanks David. I'll close this now as we have a solution, and the remaining open bugs (1465374 and 1458087) should help making this easier for people in future.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
(In reply to Pete Moore [:pmoore][:pete] from comment #12)
> Thanks David. I'll close this now as we have a solution, and the remaining
> open bugs (1465374 and 1458087) should help making this easier for people in
> future.

Thanks Pete. I am blocked on this issue so I will be eager to see those other bugs resolved. (But the issue I am blocked on is not my primary task right now.)
Flags: needinfo?(jmathies)
(In reply to Tom Ritter [:tjr] from comment #13)
> (In reply to Pete Moore [:pmoore][:pete] from comment #12)
> > Thanks David. I'll close this now as we have a solution, and the remaining
> > open bugs (1465374 and 1458087) should help making this easier for people in
> > future.
>
> Thanks Pete. I am blocked on this issue so I will be eager to see those
> other bugs resolved. (But the issue I am blocked on is not my primary task
> right now.)

Hi Tom,

You can gain Administrator rights by following the steps from the wiki link in comment 10. Let me know if after following this you still are blocked.

Thanks.
Flags: needinfo?(tom)
(In reply to Pete Moore [:pmoore][:pete] from comment #14)
> (In reply to Tom Ritter [:tjr] from comment #13)
> > (In reply to Pete Moore [:pmoore][:pete] from comment #12)
> > > Thanks David. I'll close this now as we have a solution, and the remaining
> > > open bugs (1465374 and 1458087) should help making this easier for people in
> > > future.
> >
> > Thanks Pete. I am blocked on this issue so I will be eager to see those
> > other bugs resolved. (But the issue I am blocked on is not my primary task
> > right now.)
>
> Hi Tom,
>
> You can gain Administrator rights by following the steps from the wiki link
> in comment 10. Let me know if after following this you still are blocked.
>
> Thanks.

Took me a bit, but I tried this in https://tools.taskcluster.net/groups/Ph5tmVtyRfi6uLV3khUSDw/tasks/Ph5tmVtyRfi6uLV3khUSDw/details and couldn't get it to run. Maybe the wiki is out of date, or maybe I just can't figure out what I'm doing wrong...
Flags: needinfo?(tom) → needinfo?(pmoore)
Hi Tom, I'm really sorry it took me a while to get back to this. Unfortunately the task has expired so I can't see what it was - if you try again and ping me directly on irc we can step through the problem together. If you are getting a task failure/exception, the task log should help to identify the cause.
Flags: needinfo?(pmoore)
Component: Generic-Worker → Workers