x/sys/windows: get Windows services status without all access permissions #48777

Closed
powersj opened this issue Oct 4, 2021 · 6 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
powersj commented Oct 4, 2021

What version of Go are you using (go version)?

$ go version
go version go1.17.1 windows/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env

What did you do?

By default, the Connect and OpenService calls will both attempt to run with the SERVICE_ALL_ACCESS option. This is, as the name implies, elevated permissions.

What did you expect to see?

It would be preferable if the permission level could optionally be set by the user to something like GENERIC_READ. For example, if the user only wants to get the state of services and not stop/start them, then limiting the user to the lowest level of permissions required would be preferred.

What did you see instead?

Any action requires the use of the SERVICE_ALL_ACCESS permission level.

@gopherbot gopherbot added this to the Unreleased milestone Oct 4, 2021
@mknyszek mknyszek added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Oct 4, 2021
@mknyszek
Contributor

mknyszek commented Oct 4, 2021

CC @alexbrainman @ianlancetaylor

@mknyszek mknyszek changed the title x/sys: get Windows services status without all access permissions x/sys/windows: get Windows services status without all access permissions Oct 4, 2021
@ianlancetaylor
Contributor

CC @bufflig

@alexbrainman
Member

@powersj

I chose SERVICE_ALL_ACCESS because I did need to start and stop services. And that is what the majority of this code's users would need too.

We could have passed a dwDesiredAccess parameter to Connect and OpenService, but then everyone would have to pass SERVICE_ALL_ACCESS in these calls. And we probably could not change the Connect and OpenService API anyway.

I am not keen on adding new APIs similar to Connect and OpenService but with an extra dwDesiredAccess parameter either. The API in that package is already big enough. Can you just clone and change the code?

Thank you.

Alex

@powersj
Author

powersj commented Oct 5, 2021

@alexbrainman,

Short of shelling out and running sc query, are there any other APIs you might be aware of that get the status of Windows Services without full permissions? We are using this in Telegraf and wanted to limit the access since all we are doing is getting status.

Thanks!

@alexbrainman
Member

> are there any other APIs you might be aware of that get the status of Windows Services without full permissions?

Yes, you can copy whatever code you need out of golang.org/x/sys/windows/svc/mgr package (and replace SERVICE_ALL_ACCESS with whatever const works for your case).

You say status of Windows Services, so I suspect you want to start with this function

https://pkg.go.dev/golang.org/x/sys@v0.0.0-20211004093028-2c5d950f24ef/windows/svc/mgr#Service.Query

and then remove all the code you don't need.

Alternatively, you can just keep the whole golang.org/x/sys/windows/svc/mgr package and just replace SERVICE_ALL_ACCESS with whatever value you like.

Perhaps I don't understand your question. If so, then try again.

Alex
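
Added example, not part of any comment in this thread and not code from golang.org/x/sys: a portable Go model of what the choice of dwDesiredAccess means for a status-only caller. It decodes the rights that SERVICE_ALL_ACCESS requests and models the access check that decides whether OpenService returns a handle. The helper names `Names` and `Granted` are hypothetical, the `allowed` mask is a constructed DACL grant for a monitoring account, and the constant values are those of the Windows SDK headers.

```go
package main

import "fmt"

// Values from the Windows SDK headers; names match golang.org/x/sys/windows.
const (
	SERVICE_QUERY_STATUS uint32 = 0x0004
	SERVICE_ALL_ACCESS   uint32 = 0xF01FF
)

// serviceRights lists every bit that SERVICE_ALL_ACCESS sets.
var serviceRights = []struct {
	bit  uint32
	name string
}{
	{0x0001, "SERVICE_QUERY_CONFIG"},
	{0x0002, "SERVICE_CHANGE_CONFIG"},
	{0x0004, "SERVICE_QUERY_STATUS"},
	{0x0008, "SERVICE_ENUMERATE_DEPENDENTS"},
	{0x0010, "SERVICE_START"},
	{0x0020, "SERVICE_STOP"},
	{0x0040, "SERVICE_PAUSE_CONTINUE"},
	{0x0080, "SERVICE_INTERROGATE"},
	{0x0100, "SERVICE_USER_DEFINED_CONTROL"},
	{0x10000, "DELETE"},
	{0x20000, "READ_CONTROL"},
	{0x40000, "WRITE_DAC"},
	{0x80000, "WRITE_OWNER"},
}

// Names decodes a dwDesiredAccess mask into the rights it requests.
func Names(mask uint32) []string {
	var out []string
	for _, r := range serviceRights {
		if mask&r.bit != 0 {
			out = append(out, r.name)
		}
	}
	return out
}

// Granted models the OpenService access check: every requested right must be allowed.
func Granted(requested, allowed uint32) bool { return requested&^allowed == 0 }

func main() {
	allowed := uint32(0x20005) // constructed grant: query config, query status, READ_CONTROL
	fmt.Println("ALL_ACCESS:", Granted(SERVICE_ALL_ACCESS, allowed), "QUERY_STATUS:", Granted(SERVICE_QUERY_STATUS, allowed))
	fmt.Println("rights a status poller does not need:", Names(SERVICE_ALL_ACCESS&^SERVICE_QUERY_STATUS))
}
```

QueryServiceStatusEx requires only SERVICE_QUERY_STATUS on the service handle, so the twelve other rights listed by the last line, including SERVICE_CHANGE_CONFIG, WRITE_DAC and WRITE_OWNER, are what a status-only collector gives up by requesting the narrower mask.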

@powersj
Author

powersj commented Oct 6, 2021

Ah thanks for detailing that, let me talk it over with the team. I will go ahead and close this as it does not sound like this would happen upstream.

Thanks again!

@powersj powersj closed this as completed Oct 6, 2021
@golang golang locked and limited conversation to collaborators Oct 6, 2022