gerardog/gsudo

Issue: windows servercore container Error: Unable to connect to the elevated service.

romandolinsky opened this issue · 10 comments

Issue Description

Running as the specified user returns: Error: Unable to connect to the elevated service.

Steps to Reproduce

  1. powershell: net user testuser Docker123 /add
  2. powershell: .\test\gsudo.exe -u testuser 'cmd'

OR

  1. powershell: net user testuser Docker123 /add
  2. Add-LocalGroupMember -Group "Administrators" -Member "testuser"
  3. powershell: ./gsudo.exe -u testuser 'cmd'

Screenshots

PS C:> net user testuser Docker123 /add
The command completed successfully.

PS C:> .\test\gsudo.exe -u testuser 'cmd'
Password for user 0CF23A0B77AB\testuser: *********
Error: Unable to connect to the elevated service.
PS C:> .\test\gsudo.exe --debug -u testuser 'cmd'
Debug: Invoking Shell: PowerShell
Debug: Command Line: --debug -u testuser cmd
Debug: Command to run: C:\Windows\system32\cmd.exe /v:on /s /c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoLogo -NoProfile -Command "cmd""
Debug: Using Console mode VT
Debug: Caller PID: 48364
Debug: Caller SID: S-1-5-93-2-1
Password for user 0CF23A0B77AB\testuser: *********
Debug: Starting process as 0CF23A0B77AB\testuser: C:\test\gsudo.exe --debug -u 0CF23A0B77AB\testuser gsudoelevate 48364 S-1-5-93-2-1 All 00:00:00
Debug: Service process started.
Error: Unable to connect to the elevated service.
PS C:> .\test\gsudo.exe status
Caller Pid: 48364
Running as:
User: User Manager\ContainerAdministrator
Sid: S-1-5-93-2-1
Is Admin: True
Integrity Level: High (12288)

Credentials Cache:
Mode: Explicit
Available for this process: False
Total active cache sessions: 0

Processes attached to the current console:
PID PPID Integrity UserName Name
48364 34824 High User Manager\ContainerAdministrator C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
53796 48364 High User Manager\ContainerAdministrator C:\test\gsudo.exe (this gsudo status)
PS C:>

Context:

  • Windows version:
    docker image: windows/servercore:10.0.17763.1217
  • gsudo version:
    gsudo 2.0.4

Hi @romandolinsky,
I've installed Server Core 2019 in a VM, and I couldn't reproduce the problem. It is working for me... 😟

image

I may need to set up Docker with Windows Containers to try your scenario.

Hello,
The issue is inside a running Docker container. For that you need to install Docker, pull the image from dockerhub (docker pull mcr.microsoft.com/windows/servercore), and run it.

Hi again @romandolinsky.

I see now how gsudo fails inside a windows container, but PowerShell fails there too. Take a look:

image

image

Tried adding it to the admin group, no luck either:
image

If you can't launch a program as other-user in an official way, there is little room for gsudo to act.

Not an expert on Docker on Windows, but certainly the containerized environment imposes limits to isolate from the host kernel. The docs are not conclusive to me link. IMO the last paragraphs don't match the rest of the article.

gsudo depends on the CreateProcess API to start a process as another user. If that Windows functionality is intentionally limited on containers, I can't do much.

On the other hand, if we find an alternative API or method to launch as another user, we can investigate.

I tried adding the users in the Dockerfile, and building an image.

FROM mcr.microsoft.com/windows/servercore:ltsc2019
RUN net user test1 Docker123 /ADD
RUN net user test2 Docker123 /ADD
USER test2

image
Fails for created users. 👎

gsudo is a convenience tool. It can facilitate an existing scenario, but can hardly make something work if it is not supported on Windows. If it is supported, help me make it work without gsudo first.

Hi @gerardog
Picture 2: all GUI-based tools are removed or not working in the container. The container is cmd only. For testing you must run only cmd tools.
For a start, let's skip the user with a password. Only a user is OK.
Dockerfile:

FROM mcr.microsoft.com/windows/servercore:ltsc2019
RUN net user test1 /ADD
RUN powershell -Command "Add-LocalGroupMember -Group 'Administrators' -Member 'test1'"
RUN net user test2  /ADD
USER test2

Now arg -u test1 works:

PS C:\test> whoami
85ee41dc6d19\test1

PS C:\test> .\gsudo.exe status
Caller Pid: 16800
Running as:
  User: 85EE41DC6D19\test1
  Sid: S-1-5-21-3846466227-413805912-2460007740-1000
  Is Admin: True
  Integrity Level: High (12288)

Credentials Cache:
  Mode: Explicit
  Available for this process: False
  Total active cache sessions: 0

Processes attached to the current console:
      PID      PPID Integrity  UserName                  Name
    16800     19248 High       85EE41DC6D19\test1        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    29532     16800 High       85EE41DC6D19\test1        C:\test\gsudo.exe (this gsudo status)
PS C:\test>
PS C:\test> .\gsudo.exe -u test2 '.\gsudo.exe status'
Password for user 85EE41DC6D19\test2:
Error: Unable to connect to the elevated service.

Yeah run -it was one problem.

But the main one is the chance to start a process as user 2. Did you succeed with Start-Process?

Get-credentials only in cmd:

PS C:\test> $key = "HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds"
PS C:\test> Set-ItemProperty $key ConsolePrompting True

Start-Process (default user) gsudo -NoNewWindow returns the whole output:

PS C:\test> whoami
user manager\containeradministrator
PS C:\test> Start-Process -FilePath .\gsudo.exe -ArgumentList "status" -NoNewWindow
PS C:\test> Caller Pid: 37004
  User: User Manager\ContainerAdministrator
  Sid: S-1-5-93-2-1
  Is Admin: True
  Integrity Level: High (12288)

Credentials Cache:
  Mode: Explicit
  Available for this process: False
  Total active cache sessions: 0

Processes attached to the current console:
      PID      PPID Integrity  UserName                  Name
    37004     23340 High       User Manager\ContainerAdministrator C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    35688     37004 High       User Manager\ContainerAdministrator C:\test\gsudo.exe (this gsudo status)

-PassThru returns the created process:

PS C:\test> Start-Process -FilePath .\gsudo.exe -ArgumentList "status"  -PassThru

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
     19       3      700       1208       0.00  24296  14 gsudo

Start-Process as test1 with -NoNewWindow returns no output:

PS C:\test> Start-Process -FilePath .\gsudo.exe -ArgumentList "status" -Credential 'test1'  -NoNewWindow

Windows PowerShell credential request
Enter your credentials.
Password for user test1:

PS C:\test>

But -PassThru returns all the process info:

PS C:\test> Start-Process -FilePath .\gsudo.exe -ArgumentList "status" -Credential 'test1'  -PassThru

Windows PowerShell credential request
Enter your credentials.
Password for user test1:


Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
     22       3      680       1092       0.00  34872  14 gsudo


PS C:\test>

Info about the process is there but I cannot see the output. Same for user test2:

PS C:\test> Start-Process -FilePath .\gsudo.exe -ArgumentList "status" -Credential 'test2'  -NoNewWindow

Windows PowerShell credential request
Enter your credentials.
Password for user test2:

PS C:\test> Start-Process -FilePath .\gsudo.exe -ArgumentList "status" -Credential 'test2'  -PassThru

Windows PowerShell credential request
Enter your credentials.
Password for user test2:


Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
     23       3      684       1052       0.00  21928  14 gsudo

No, do not start gsudo. Start any other process, like cmd or notepad. When I wrote...

If you can't launch a program as other-user in an official way, there is little room for gsudo to act.

... I meant, gsudo won't make a container do what it is not programmed to do.

There could be a bug in gsudo that prevents this from succeeding, but as far as I tested, Windows Containers do not support running processes as multiple users. CreateProcess succeeds but the process is not started or is closed immediately. You see it with -PassThru, but then the process disappears instantly. There is no way gsudo can make a container do what Microsoft crippled intentionally. Containers are not virtual machines.

For a get-credentials workaround, use the following (or install PowerShell 7):

$username='test'
$password = ConvertTo-SecureString "password" -AsPlainText -Force
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password

Ultimately, why are you attempting this? Why do you need multiple users in a container?

In Docker's moby project they said this is not supported by the platform:
moby/moby#28585 (comment)

This is not a problem in gsudo, it is a Docker+Windows containers limitation.

Happy new year 🎆
Yes, I tested with python instead of gsudo. Like you say: the process with a different user is immediately closed. 😢
Q: Ultimately, why are you attempting this? Why do you need multiple users in a container?
I need it because I am setting up some stuff in the container for which I need a user with admin privileges, and after that I need to run the build process with user privileges. If you run multiple make multiprocess targets as administrator you can kick down the whole node.
Anyway, thank you for the support.

Sorry for not being of much help.
Closed as external issue.
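
The check the thread converges on (start a plain process as the other user, without gsudo, and see whether it survives) can be scripted as below. This is an added example, not code from the issue or from gsudo; the function name Test-RunAsUser, the timeout and the verdict strings are assumptions, and the account and password are the ones from the Dockerfile quoted above.

```powershell
# Added diagnostic; Test-RunAsUser is a hypothetical helper, not part of gsudo.
function Test-RunAsUser {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [int] $TimeoutMs = 5000
    )
    $out = Join-Path $env:TEMP ("runas-{0}.txt" -f [guid]::NewGuid())
    $r = [ordered]@{ User = $Credential.UserName; Started = $false
                     ExitCode = $null; RanAs = $null; Verdict = $null }
    try {
        # whoami.exe reports the account the child actually runs under.
        $p = Start-Process -FilePath "$env:SystemRoot\System32\whoami.exe" `
                -Credential $Credential -WorkingDirectory $env:SystemRoot `
                -RedirectStandardOutput $out -PassThru -ErrorAction Stop
        $null = $p.Handle              # keep the handle so ExitCode is readable later
        $r.Started = $true
        if ($p.WaitForExit($TimeoutMs)) {
            $p.WaitForExit()           # let redirected output finish flushing
            $r.ExitCode = $p.ExitCode
            $text = Get-Content -Path $out -Raw -ErrorAction SilentlyContinue
            if ($text) { $r.RanAs = $text.Trim() }
        } else {
            $p.Kill()
        }
        $r.Verdict = if ($r.RanAs -and $r.ExitCode -eq 0) {
            'OK: child ran and reported its identity'
        } elseif ($null -eq $r.ExitCode) {
            'Child still running after timeout (killed)'
        } else {
            # The symptom described in the thread: a process object, then nothing.
            'Process object returned, but the child exited without output'
        }
    } catch {
        $r.Verdict = "Launch failed: $($_.Exception.Message)"
    } finally {
        Remove-Item -Path $out -ErrorAction SilentlyContinue
    }
    [pscustomobject]$r
}

# Credential built as in the workaround above (no interactive prompt needed).
$pw   = ConvertTo-SecureString 'Docker123' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('test2', $pw)
Test-RunAsUser -Credential $cred | Format-List
```

If the third verdict appears for a plain whoami.exe, the limitation is in the container platform and not in gsudo, which is the conclusion reached in this issue.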