Hi Lucas,

On Fri, Oct 26, 2012 at 8:10 AM, Lucas Vickers <[email protected]> wrote:
> Hello,
>
> I'm controlling 180 Windows machines for an art project.  I am using
> puppet to configure the machines, push out an app as a zip, unzip it,
> change permissions, then launch it.

If you do not need LocalSystem permissions, then you could simply
configure the puppet service to run as an unprivileged (domain or
local) user:

    sc config puppet obj= <username> password= <password>

and allow the service to interact with the desktop:

    sc config puppet type= interact

> Everything works perfectly,
> except the app is being launched in a hidden desktop due to Windows
> security.

This page describes some of the issues.
http://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx

"If the service opens a command window and runs a batch file, the user
could hit CTRL+C to terminate the batch file and gain access to a
command window with LocalSystem permissions." So privilege escalation.

> From what I'm told since puppet runs as a service it is not allowed to
> launch an app on the logged in desktop.  I confirmed that when running
> the puppet agent manually the app launches correctly.

It is possible to allow services running under LocalSystem to interact
with the desktop in older versions of Windows. If you don't care about
the security implications, you could investigate that, though I
wouldn't recommend it.

Alternatively, you could do something like this:
http://chabster.blogspot.com/2008/01/run-as-interactive-user-from-service.html.
Compile it and distribute it with your module.

Josh

-- 
Josh Cooper
Developer, Puppet Labs
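
Added example, not part of the original message and not Puppet's own code: a PowerShell audit that lists services carrying the interactive flag (what `sc config <name> type= interact` sets) and marks the ones running as LocalSystem, the combination behind the CTRL+C escalation quoted above. The function names are hypothetical; `Win32_Service.DesktopInteract` and the `NoInteractiveServices` registry value are standard Windows.

```powershell
# Added example: find services that are allowed to interact with the desktop.
# Run from an elevated PowerShell session on the machine being checked.

function Get-InteractiveServiceReport {
    # DesktopInteract is true when the service type includes
    # SERVICE_INTERACTIVE_PROCESS.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DesktopInteract } |
        ForEach-Object {
            [pscustomobject]@{
                Name         = $_.Name
                Account      = $_.StartName
                State        = $_.State
                StartMode    = $_.StartMode
                # Any window such a service shows on the user's desktop
                # runs with LocalSystem rights.
                RunsAsSystem = ($_.StartName -match '^(LocalSystem|NT AUTHORITY\\SYSTEM)$')
            }
        }
}

function Get-NoInteractiveServices {
    # A nonzero value tells Windows to ignore the interactive flag for
    # services started afterwards; $null means the value is not present.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'
    $prop = Get-ItemProperty -Path $key -Name NoInteractiveServices -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.NoInteractiveServices
}

$report = @(Get-InteractiveServiceReport)
$policy = Get-NoInteractiveServices

if ($report.Count -eq 0) {
    Write-Output 'No services are configured to interact with the desktop.'
} else {
    $report | Sort-Object -Property RunsAsSystem -Descending | Format-Table -AutoSize
}

if ($null -eq $policy) {
    Write-Output 'NoInteractiveServices is not set.'
} else {
    Write-Output "NoInteractiveServices = $policy"
}
```

Rows with `RunsAsSystem` set to True are the ones to reconfigure or to move to a per-user launcher.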
