213ba7115b
Patch Set 2:
(1 comment)
Patch-set: 2
Attention: {"person_ident":"Gerrit User 36901 \u003c36901@4a232e18-c5a9-48ee-94c0-e04e7cca6543\u003e","operation":"REMOVE","reason":"\u003cGERRIT_ACCOUNT_36901\u003e replied on the change"}
Attention: {"person_ident":"Gerrit User 9649 \u003c9649@4a232e18-c5a9-48ee-94c0-e04e7cca6543\u003e","operation":"ADD","reason":"\u003cGERRIT_ACCOUNT_36901\u003e replied on the change"}
75 lines
3.6 KiB
Plaintext
75 lines
3.6 KiB
Plaintext
{
|
|
"comments": [
|
|
{
|
|
"unresolved": false,
|
|
"key": {
|
|
"uuid": "a5c65adb_f854a65f",
|
|
"filename": "/PATCHSET_LEVEL",
|
|
"patchSetId": 2
|
|
},
|
|
"lineNbr": 0,
|
|
"author": {
|
|
"id": 9649
|
|
},
|
|
"writtenOn": "2024-03-25T12:59:55Z",
|
|
"side": 1,
|
|
"message": "Hello Zhongcheng Lao, can you please give more details on why this change was required?",
|
|
"revId": "8bf9ce6f86a483f632e7cc136d619a0e1fbc3c6f",
|
|
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
|
|
},
|
|
{
|
|
"unresolved": false,
|
|
"key": {
|
|
"uuid": "858c06a7_429da451",
|
|
"filename": "/PATCHSET_LEVEL",
|
|
"patchSetId": 2
|
|
},
|
|
"lineNbr": 0,
|
|
"author": {
|
|
"id": 36901
|
|
},
|
|
"writtenOn": "2024-03-26T04:27:28Z",
|
|
"side": 1,
|
|
"message": "The code tries to log in as a batch user.\nI don\u0027t see the installer script granted the SeBatchLogonRight right for the created user. Only SeServiceLogonRight is granted by default.\nhttps://github.com/cloudbase/cloudbase-init-installer/blob/a19436cf78d6add1b25a4a21d6141320b31a5f93/CloudbaseInitSetup/Carbon/Service/Install-Service.ps1#L194\nGrant-Privilege -Identity $identity -Privilege SeServiceLogonRight\n\nI\u0027m not sure if it was on purpose to use SeBatchLogonRight other than SeServiceLogonRight.",
|
|
"parentUuid": "a5c65adb_f854a65f",
|
|
"revId": "8bf9ce6f86a483f632e7cc136d619a0e1fbc3c6f",
|
|
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
|
|
},
|
|
{
|
|
"unresolved": true,
|
|
"key": {
|
|
"uuid": "bbaf5f5e_52ff0e67",
|
|
"filename": "/PATCHSET_LEVEL",
|
|
"patchSetId": 2
|
|
},
|
|
"lineNbr": 0,
|
|
"author": {
|
|
"id": 9649
|
|
},
|
|
"writtenOn": "2024-03-28T09:45:41Z",
|
|
"side": 1,
|
|
"message": "Hello, can you please create an issue on github or opendev with this information and what exactly fails before and how does this patch solves the problem?\n\nFrom https://learn.microsoft.com/en-us/windows/win32/secauthn/logonuserexexw\n\n```\nLOGON32_LOGON_BATCH\nThis logon type is intended for batch servers, where processes may be executing on behalf of a user without their direct intervention. This type is also for higher performance servers that process many plaintext authentication attempts at a time, such as mail or web servers. The LogonUserExExW function does not cache credentials for this logon type.\n```\n\nI do not see any privilege requirement for LOGON32_LOGON_BATCH logon type.\n\nAlso the user creation and privilege delegation is done by the wix plugin here https://github.com/cloudbase/cloudbase-init-installer/blob/master/CloudbaseInitSetup/Product.wxs#L204. LogonAsService\u003dyes\n\nAs cloudbase-init needs to be able to support \"runas\" impersonation during the userdata script run, we need to make sure this patch does not break this feature. I will try to test this behaviour locally to make sure.\n\nThank you.",
|
|
"parentUuid": "858c06a7_429da451",
|
|
"revId": "8bf9ce6f86a483f632e7cc136d619a0e1fbc3c6f",
|
|
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
|
|
},
|
|
{
|
|
"unresolved": true,
|
|
"key": {
|
|
"uuid": "3d883934_b81f3e08",
|
|
"filename": "/PATCHSET_LEVEL",
|
|
"patchSetId": 2
|
|
},
|
|
"lineNbr": 0,
|
|
"author": {
|
|
"id": 36901
|
|
},
|
|
"writtenOn": "2024-03-29T06:51:46Z",
|
|
"side": 1,
|
|
"message": "Sure.\nCreated an issue to track this.\nhttps://github.com/cloudbase/cloudbase-init/issues/132\nLet me know if you find anything.",
|
|
"parentUuid": "bbaf5f5e_52ff0e67",
|
|
"revId": "8bf9ce6f86a483f632e7cc136d619a0e1fbc3c6f",
|
|
"serverId": "4a232e18-c5a9-48ee-94c0-e04e7cca6543"
|
|
}
|
|
]
|
|
} |