summaryrefslogtreecommitdiff
path: root/lib/chef
diff options
context:
space:
mode:
authorBryan McLellan <btm@loftninjas.org>2018-03-28 18:15:46 -0400
committerBryan McLellan <btm@loftninjas.org>2018-03-29 15:36:12 -0400
commit0698ccebd1f40a2ad21230813cbafb0330b0d107 (patch)
tree379d0c2b00706219cdcf2e5bc388a094c26ead7b /lib/chef
parent2151d6d435f6169ca41dc1f96324a3585ff22e06 (diff)
downloadchef-0698ccebd1f40a2ad21230813cbafb0330b0d107.tar.gz
Avoid lookups for rights of 'LocalSystem' in windows service
LocalSystem is a special account for the service subsystem, and the security subsystem doesn't know about it. It inherits rights from BUILTIN\Administrators so we don't need to check it for SeServiceLogonRight. Even if we look up System it wouldn't show up as it gets that right from hidden membership in BUILTIN\Administrators. Signed-off-by: Bryan McLellan <btm@loftninjas.org>
Diffstat (limited to 'lib/chef')
-rw-r--r--lib/chef/provider/service/windows.rb3
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/chef/provider/service/windows.rb b/lib/chef/provider/service/windows.rb
index cba626145a..417ec03ef4 100644
--- a/lib/chef/provider/service/windows.rb
+++ b/lib/chef/provider/service/windows.rb
@@ -93,7 +93,8 @@ class Chef::Provider::Service::Windows < Chef::Provider::Service
Win32::Service.configure(new_config)
logger.info "#{@new_resource} configured with #{new_config.inspect}"
- if new_config.has_key?(:service_start_name)
+ # LocalSystem is the default runas user, which is a special service account that should ultimately have the rights of BUILTIN\Administrators, but we wouldn't see that from get_account_right
+ if new_config.has_key?(:service_start_name) && new_config[:service_start_name].casecmp("localsystem") != 0
unless Chef::ReservedNames::Win32::Security.get_account_right(canonicalize_username(new_config[:service_start_name])).include?(SERVICE_RIGHT)
grant_service_logon(new_config[:service_start_name])
end