Closed Bug 1815711 Opened 2 years ago Closed 1 year ago

Grant Access to WinStation and Desktop for Application Container SIDs on Windows workers.

Categories

(Taskcluster :: Workers, enhancement)

All
Windows
enhancement

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bobowen, Assigned: bobowen)

References

Details

Attachments

(2 files)

At the moment we grant access to Everyone (S-1-1-0) on Window Station WinSta0 and Desktop Default for the Windows workers.
I think that this is done here.

In order to test Low Privileged Application Containers with taskcluster we need to also add access to ALL RESTRICTED APPLICATION PACKAGES (S-1-15-2-2).
It probably makes sense to add ALL APPLICATION PACKAGES (S-1-15-2-1) as well for normal Application Containers.
The equivalent Window Station and Desktop for a normal logon session already have these permissions.

I think I have a patch for this, just working on setting up the dev environment.

Assignee: nobody → bobowencode
Status: NEW → ASSIGNED
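The following is an added example, not code from this bug or from generic-worker: a PowerShell script that does what the comment above describes by hand, adding ALL APPLICATION PACKAGES (S-1-15-2-1) and ALL RESTRICTED APPLICATION PACKAGES (S-1-15-2-2) to the DACLs of Window Station WinSta0 and Desktop Default, then listing each DACL so the new entries can be confirmed (the same check described later in the bug, where the SID is looked for in the live log). The P/Invoke declarations and the .NET RawSecurityDescriptor/CommonAce classes are real Win32 and .NET APIs; the function names, the idempotency check and the access masks are assumptions chosen for illustration, not what generic-worker itself grants.

```powershell
# Added example (not generic-worker code). Grants the two Application Container group SIDs
# access to Window Station WinSta0 and Desktop Default, then prints the resulting DACLs.
# Run elevated, from a process attached to WinSta0 (OpenDesktop opens a desktop on the
# caller's current window station). The access masks below are an assumption for illustration.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class UserObj {
    [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr OpenWindowStation(string name, bool inherit, uint access);
    [DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr OpenDesktop(string name, uint flags, bool inherit, uint access);
    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool CloseWindowStation(IntPtr h);
    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool CloseDesktop(IntPtr h);
    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool GetUserObjectSecurity(IntPtr h, ref uint si, byte[] sd, uint len, out uint needed);
    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool SetUserObjectSecurity(IntPtr h, ref uint si, byte[] sd);
}
"@

$DACL_SECURITY_INFORMATION = [uint32]4
$READ_CONTROL = 0x20000; $WRITE_DAC = 0x40000     # needed on the handle to read and write the DACL
# Specific rights from winuser.h. Assumed masks: enough for a sandboxed process to enumerate,
# read, use the clipboard and global atoms and create windows, but no desktop switching, hooks,
# journaling, desktop creation or ExitWindows. Narrow further to what the task process needs.
$WINSTA_MASK  = 0x1 -bor 0x2 -bor 0x4 -bor 0x20 -bor 0x100 -bor 0x200  # ENUMDESKTOPS|READATTRIBUTES|ACCESSCLIPBOARD|ACCESSGLOBALATOMS|ENUMERATE|READSCREEN
$DESKTOP_MASK = 0x1 -bor 0x2 -bor 0x4 -bor 0x40 -bor 0x80             # READOBJECTS|CREATEWINDOW|CREATEMENU|ENUMERATE|WRITEOBJECTS
$AppContainerSids = 'S-1-15-2-1', 'S-1-15-2-2'   # ALL APPLICATION PACKAGES, ALL RESTRICTED APPLICATION PACKAGES

function Get-UserObjectSD([IntPtr]$Handle) {
    [uint32]$si = $DACL_SECURITY_INFORMATION; [uint32]$needed = 0
    [void][UserObj]::GetUserObjectSecurity($Handle, [ref]$si, $null, 0, [ref]$needed)   # size query
    $buf = New-Object byte[] $needed
    if (-not [UserObj]::GetUserObjectSecurity($Handle, [ref]$si, $buf, $needed, [ref]$needed)) {
        throw "GetUserObjectSecurity failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    New-Object System.Security.AccessControl.RawSecurityDescriptor($buf, 0)   # self-relative SD
}

function Show-UserObjectDacl([string]$Label, [IntPtr]$Handle) {
    $sd = Get-UserObjectSD $Handle
    Write-Host "DACL of ${Label}:"
    foreach ($ace in $sd.DiscretionaryAcl) {
        Write-Host ('  {0,-14} {1,-14} 0x{2:X}' -f $ace.AceType, $ace.SecurityIdentifier.Value, $ace.AccessMask)
    }
}

function Grant-UserObjectAccess([string]$Label, [IntPtr]$Handle, [string]$SidString, [int]$Mask) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier $SidString
    $sd = Get-UserObjectSD $Handle
    if ($null -eq $sd.DiscretionaryAcl) { throw "$Label has a NULL DACL (unrestricted); refusing to edit it" }
    foreach ($ace in $sd.DiscretionaryAcl) {   # idempotent: skip if an allow ACE already covers the mask
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            $ace.SecurityIdentifier -eq $sid -and (($ace.AccessMask -band $Mask) -eq $Mask)) {
            Write-Host "${Label}: already grants 0x$('{0:X}' -f $Mask) to $SidString"; return
        }
    }
    $ace = New-Object System.Security.AccessControl.CommonAce(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed, $Mask, $sid, $false, $null)
    # Append after the existing ACEs so any explicit deny entries stay first and the DACL stays canonical.
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    $bytes = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)
    [uint32]$si = $DACL_SECURITY_INFORMATION
    if (-not [UserObj]::SetUserObjectSecurity($Handle, [ref]$si, $bytes)) {
        throw "SetUserObjectSecurity on $Label failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    Write-Host "${Label}: granted 0x$('{0:X}' -f $Mask) to $SidString"
}

$hWinSta = [UserObj]::OpenWindowStation('WinSta0', $false, $READ_CONTROL -bor $WRITE_DAC)
if ($hWinSta -eq [IntPtr]::Zero) { throw "OpenWindowStation(WinSta0) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
try {
    foreach ($s in $AppContainerSids) { Grant-UserObjectAccess 'WinSta0' $hWinSta $s $WINSTA_MASK }
    Show-UserObjectDacl 'WinSta0' $hWinSta
} finally { [void][UserObj]::CloseWindowStation($hWinSta) }

$hDesk = [UserObj]::OpenDesktop('Default', 0, $false, $READ_CONTROL -bor $WRITE_DAC)
if ($hDesk -eq [IntPtr]::Zero) { throw "OpenDesktop(Default) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
try {
    foreach ($s in $AppContainerSids) { Grant-UserObjectAccess 'Default' $hDesk $s $DESKTOP_MASK }
    Show-UserObjectDacl 'Default' $hDesk
} finally { [void][UserObj]::CloseDesktop($hDesk) }
```

Two points worth keeping in mind when adapting this. OpenWindowStation and OpenDesktop must succeed with READ_CONTROL | WRITE_DAC, so the caller has to be the object owner or hold admin rights, and OpenDesktop only finds Default on the window station the caller is already attached to. Generic rights (GENERIC_READ and friends) are deliberately avoided in the ACEs; the specific WINSTA_* and DESKTOP_* bits make it obvious what a sandboxed process is being given, and the listing printed at the end is the same evidence the reporter later looks for in the live log.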

This patch adapts generic-worker to not apply ACLs when they are not needed. They are currently only needed when osGroups are specified in the task payload. There is still an issue when osGroups are specified, which will be fixed in a future PR, but the particular case in this bug doesn't use osGroups feature, so this should solve the issue raised in this bug.

Deploy updated generic-worker release in community-tc taskcluster deployment...

No longer blocks: 1831158
Depends on: 1831158

Hey Bob,
Mark set up a test worker pool in bug 1831158. Are you able to test if the generic-worker fix resolves the issue for you?
Many thanks!

Flags: needinfo?(bobowencode)

(In reply to Pete Moore [:pmoore][:pete] from comment #4)

Hey Bob,
Mark set up a test worker pool in bug 1831158. Are you able to test if the generic-worker fix resolves the issue for you?
Many thanks!

I can see the "ALL RESTRICTED APPLICATION PACKAGES" SID on the winstation and the desktop in the live log, so it looks like the fix has worked.

Flags: needinfo?(bobowencode)

Hey Mark,
It looks like the fix in bug 1831158 worked for Bob. What is the process for getting it rolled out to the production worker pools?

UPDATE:
Sorry, just seen this is already answered in bug 1831158 comment 10 and that bug 1834580 has been created for this...

Flags: needinfo?(mcornmesser)
Flags: needinfo?(mcornmesser)

I've tested enabling the LPAC on the WMF CDM process and it now works.

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED