Issue: windows servercore container Error: Unable to connect to the elevated service.
romandolinsky opened this issue · 10 comments
Issue Description
Running as the specified user returns: Error: Unable to connect to the elevated service.
Steps to Reproduce
- powershell: net user testuser Docker123 /add
- powershell: .\test\gsudo.exe -u testuser 'cmd'
OR
- powershell: net user testuser Docker123 /add
- Add-LocalGroupMember -Group "Administrators" -Member "testuser"
- powershell: ./gsudo.exe -u testuser 'cmd'
Screenshots
PS C:> net user testuser Docker123 /add
The command completed successfully.
PS C:> .\test\gsudo.exe -u testuser 'cmd'
Password for user 0CF23A0B77AB\testuser: *********
Error: Unable to connect to the elevated service.
PS C:> .\test\gsudo.exe --debug -u testuser 'cmd'
Debug: Invoking Shell: PowerShell
Debug: Command Line: --debug -u testuser cmd
Debug: Command to run: C:\Windows\system32\cmd.exe /v:on /s /c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoLogo -NoProfile -Command "cmd""
Debug: Using Console mode VT
Debug: Caller PID: 48364
Debug: Caller SID: S-1-5-93-2-1
Password for user 0CF23A0B77AB\testuser: *********
Debug: Starting process as 0CF23A0B77AB\testuser: C:\test\gsudo.exe --debug -u 0CF23A0B77AB\testuser gsudoelevate 48364 S-1-5-93-2-1 All 00:00:00
Debug: Service process started.
Error: Unable to connect to the elevated service.
PS C:> .\test\gsudo.exe status
Caller Pid: 48364
Running as:
User: User Manager\ContainerAdministrator
Sid: S-1-5-93-2-1
Is Admin: True
Integrity Level: High (12288)
Credentials Cache:
Mode: Explicit
Available for this process: False
Total active cache sessions: 0
Processes attached to the current console:
PID PPID Integrity UserName Name
48364 34824 High User Manager\ContainerAdministrator C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
53796 48364 High User Manager\ContainerAdministrator C:\test\gsudo.exe (this gsudo status)
PS C:>
Context:
- Windows version: docker image: windows/servercore:10.0.17763.1217
- gsudo version: gsudo 2.0.4
Hi @romandolinsky,
I've installed Server Core 2019 in a VM, and I couldn't reproduce the problem. It is working for me... 😟
I may need to set up Docker with Windows Containers to try your scenario.
Hello,
The issue is inside a running Docker container. For that you need to install Docker, pull the image from Docker Hub (docker pull mcr.microsoft.com/windows/servercore), and run it.
Hi again @romandolinsky.
I see now how gsudo fails inside a windows container, but PowerShell fails there too. Take a look:
Tried adding it to the admin group, no luck either:
If you can't launch a program as other-user in an official way, there is little room for gsudo to act.
Not an expert on Docker on Windows, but certainly the containerized environment imposes limits to isolate from the host kernel. The docs are not conclusive to me link. IMO the last paragraphs don't match the rest of the article.
gsudo depends on the CreateProcess API to start a process as another user. If that Windows functionality is intentionally limited on containers, I can't do much.
On the other hand, if we find an alternative API or method to launch as another user, we can investigate.
I tried adding the users in the Dockerfile, and building an image.
FROM mcr.microsoft.com/windows/servercore:ltsc2019
RUN net user test1 Docker123 /ADD
RUN net user test2 Docker123 /ADD
USER test2
gsudo is a convenience tool. It can facilitate an existing scenario, but can hardly make something work if it is not supported on Windows. If it is supported, help me make it work without gsudo first.
Hi @gerardog
picture2: all GUI-based tools are removed or not working in the container. The container is cmd only. For the test you must run only cmd tools.
For a start, let's skip the user with a password. Only a user is OK.
Dockerfile:
FROM mcr.microsoft.com/windows/servercore:ltsc2019
RUN net user test1 /ADD
# The default RUN shell in this image is cmd, so call PowerShell explicitly
RUN powershell -Command "Add-LocalGroupMember -Group 'Administrators' -Member 'test1'"
RUN net user test2 /ADD
USER test2
Now arg -u test1 works:
PS C:\test> whoami
85ee41dc6d19\test1
PS C:\test> .\gsudo.exe status
Caller Pid: 16800
Running as:
User: 85EE41DC6D19\test1
Sid: S-1-5-21-3846466227-413805912-2460007740-1000
Is Admin: True
Integrity Level: High (12288)
Credentials Cache:
Mode: Explicit
Available for this process: False
Total active cache sessions: 0
Processes attached to the current console:
PID PPID Integrity UserName Name
16800 19248 High 85EE41DC6D19\test1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
29532 16800 High 85EE41DC6D19\test1 C:\test\gsudo.exe (this gsudo status)
PS C:\test>
PS C:\test> .\gsudo.exe -u test2 '.\gsudo.exe status'
Password for user 85EE41DC6D19\test2:
Error: Unable to connect to the elevated service.
Yeah, run -it was one problem.
But the main one is the chance to start a process as user 2. Did you succeed with Start-Process?
Get-Credential only in cmd:
PS C:\test> $key = "HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds"
PS C:\test> Set-ItemProperty $key ConsolePrompting True
Start-Process (default user) gsudo with -NoNewWindow returns the whole output:
PS C:\test> whoami
user manager\containeradministrator
PS C:\test> Start-Process -FilePath .\gsudo.exe -ArgumentList "status" -NoNewWindow
PS C:\test> Caller Pid: 37004
User: User Manager\ContainerAdministrator
Sid: S-1-5-93-2-1
Is Admin: True
Integrity Level: High (12288)
Credentials Cache:
Mode: Explicit
Available for this process: False
Total active cache sessions: 0
Processes attached to the current console:
PID PPID Integrity UserName Name
37004 23340 High User Manager\ContainerAdministrator C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
35688 37004 High User Manager\ContainerAdministrator C:\test\gsudo.exe (this gsudo status)
-PassThru returns the created process:
PS C:\test> Start-Process -FilePath .\gsudo.exe -ArgumentList "status" -PassThru
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
19 3 700 1208 0.00 24296 14 gsudo
Start-Process as test1 with -NoNewWindow returns no output:
PS C:\test> Start-Process -FilePath .\gsudo.exe -ArgumentList "status" -Credential 'test1' -NoNewWindow
Windows PowerShell credential request
Enter your credentials.
Password for user test1:
PS C:\test>
But -PassThru returns all the process info:
PS C:\test> Start-Process -FilePath .\gsudo.exe -ArgumentList "status" -Credential 'test1' -PassThru
Windows PowerShell credential request
Enter your credentials.
Password for user test1:
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
22 3 680 1092 0.00 34872 14 gsudo
PS C:\test>
The info about the process is there but I cannot see the output. Same for user test2:
PS C:\test> Start-Process -FilePath .\gsudo.exe -ArgumentList "status" -Credential 'test2' -NoNewWindow
Windows PowerShell credential request
Enter your credentials.
Password for user test2:
PS C:\test> Start-Process -FilePath .\gsudo.exe -ArgumentList "status" -Credential 'test2' -PassThru
Windows PowerShell credential request
Enter your credentials.
Password for user test2:
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
23 3 684 1052 0.00 21928 14 gsudo
No, do not start gsudo. Start any other process, like cmd or notepad. When I wrote...
If you can't launch a program as other-user in an official way, there is little room for gsudo to act.
... I meant, gsudo won't make a container do what it is not programmed to do.
There could be a bug in gsudo that prevents this from succeeding, but as far as I tested, Windows Containers do not support running processes as multiple users. CreateProcess succeeds but the process is not started or is closed immediately. You see it with -PassThru, but then the process disappears instantly. There is no way gsudo can make a container do what Microsoft crippled intentionally. Containers are not virtual machines.
For a Get-Credential workaround, use the following (or install PowerShell 7):
$username='test'
$password = ConvertTo-SecureString "password" -AsPlainText -Force
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password
Ultimately, why are you attempting this? Why do you need multiple users in a container?
In Docker's moby project they said this is not supported by the platform:
moby/moby#28585 (comment)
This is not a problem in gsudo, it is a Docker+Windows containers limitation.
Happy new year 🎆
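A way to run the check discussed above without gsudo and without a credential prompt, as an added example that is not part of the thread or of gsudo. `Test-RunAsUser` is a hypothetical helper name; the account and password are the test values from the issue description.

```powershell
# Added diagnostic (not gsudo code). Test-RunAsUser is a hypothetical name.
function Test-RunAsUser {
    param(
        [Parameter(Mandatory)] [string]       $UserName,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # Build the credential non-interactively, as in the workaround above.
    $cred    = New-Object System.Management.Automation.PSCredential($UserName, $Password)
    $outFile = Join-Path $env:TEMP ("runas-{0}.txt" -f [guid]::NewGuid())
    $report  = [ordered]@{
        Requested = $UserName; Started = $false
        ExitCode  = $null;     RanAs   = $null; Error = $null
    }
    try {
        # whoami.exe is console-only, so it is a fair test inside Server Core.
        # -WorkingDirectory avoids failing on a current directory the other
        # account cannot read; -Wait makes ExitCode available on the object.
        $p = Start-Process -FilePath "$env:SystemRoot\System32\whoami.exe" `
                 -Credential $cred -WorkingDirectory $env:SystemRoot `
                 -RedirectStandardOutput $outFile -Wait -PassThru -ErrorAction Stop
        $report.Started  = $true
        $report.ExitCode = $p.ExitCode
        if (Test-Path $outFile) {
            $text = Get-Content $outFile -Raw
            if ($text) { $report.RanAs = $text.Trim() }
        }
    }
    catch {
        # Logon failures and similar launch errors end up here.
        $report.Error = $_.Exception.Message
    }
    finally {
        Remove-Item $outFile -ErrorAction SilentlyContinue
    }
    [pscustomobject]$report
}

# Test account and password taken from the issue description.
$pw = ConvertTo-SecureString 'Docker123' -AsPlainText -Force
Test-RunAsUser -UserName 'testuser' -Password $pw
```

`Started = True` with a non-zero `ExitCode` and an empty `RanAs` matches the "created, then closed immediately" behaviour described in the thread; a `RanAs` value naming the requested account means the launch actually worked.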
Yes, I tested with python instead of gsudo. Like you say: a process with a different user is immediately closed. 😢
Q: Ultimately, why are you attempting this, Why do you need multiple users in a container?
I need it because I am setting up some stuff in the container for which I need a user with admin privileges, and after that I need to run the build process with user privileges. If you run multiple make multiprocess targets as administrator you can kick down the whole node.
Anyway, thank you for the support.
Sorry for not being of much help.
Closed as external issue.