diff options
| author | Bryan McLellan <btm@loftninjas.org> | 2018-03-28 18:15:46 -0400 |
|---|---|---|
| committer | Bryan McLellan <btm@loftninjas.org> | 2018-03-29 15:36:12 -0400 |
| commit | 0698ccebd1f40a2ad21230813cbafb0330b0d107 (patch) | |
| tree | 379d0c2b00706219cdcf2e5bc388a094c26ead7b /lib/chef | |
| parent | 2151d6d435f6169ca41dc1f96324a3585ff22e06 (diff) | |
| download | chef-0698ccebd1f40a2ad21230813cbafb0330b0d107.tar.gz | |
Avoid lookups for rights of 'LocalSystem' in windows service
LocalSystem is a special account for the service subsystem, and the security
subsystem doesn't know about it. It inherits rights from BUILTIN\Administrators
so we don't need to check it for SeServiceLogonRight. Even if we look up System
it wouldn't show up as it gets that right from hidden membership in
BUILTIN\Administrators.
Signed-off-by: Bryan McLellan <btm@loftninjas.org>
Diffstat (limited to 'lib/chef')
| -rw-r--r-- | lib/chef/provider/service/windows.rb | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/chef/provider/service/windows.rb b/lib/chef/provider/service/windows.rb index cba626145a..417ec03ef4 100644 --- a/lib/chef/provider/service/windows.rb +++ b/lib/chef/provider/service/windows.rb @@ -93,7 +93,8 @@ class Chef::Provider::Service::Windows < Chef::Provider::Service Win32::Service.configure(new_config) logger.info "#{@new_resource} configured with #{new_config.inspect}" - if new_config.has_key?(:service_start_name) + # LocalSystem is the default runas user, which is a special service account that should ultimately have the rights of BUILTIN\Administrators, but we wouldn't see that from get_account_right + if new_config.has_key?(:service_start_name) && new_config[:service_start_name].casecmp("localsystem") != 0 unless Chef::ReservedNames::Win32::Security.get_account_right(canonicalize_username(new_config[:service_start_name])).include?(SERVICE_RIGHT) grant_service_logon(new_config[:service_start_name]) end |