I need to launch several builds on Jenkins.
But also I need to do it by different users for example (test1 and test2) .
Is there any plugin for it or some config file.
I need it because test1 have special permission for some directories.
and test2 have special permission for some other directories.
Or can I change jenkins config somehow as if it was launched from test1 users with all test1 user permissions.
I am not aware of any plugin to change the user that Jenkins runs under. However, dependent on the os you have different options. Under Windows, you can use runas command and under Linux, there is su and sudo. ssh might be an option too, even if you connect to the box that you are on right now. You have to see in how far you need to use free style projects instead of specialized projects.
However, do you really need to have the permission set the way they are or can you permission test1 to have the special permissions that test2 has. This obviously does not work if testing the permissions is the main purpose of the test.
Alternatively, you can use the node functionality that Jenkins provides. On one and the same server you can not only run the main Jenkins, but also nodes (or slaves). These slaves can run under different users. This will give you the overhead that nodes come with, however, it adds a very simple and clean way to switch users. However, nobody prevents you from having more than one slave running on the same server or having you slave run on different servers.
Related
I want to package programs into an MSI and create Scheduled Tasks (i.e. run on Boot/Startup).
I'm trying solutions available on the market such as Advanced Installer and EMCO MSI Packager, but I get the same error in both:
Verify that you have sufficient privileges to start system services
This means my account does not have the "Login as a service" privilege. However, looking up solutions, you'll find that Advanced Installer offers little help.
Basically, they suggest either (1) hardcoding user credentials, which is obviously unviable or (2) creating a new user with the required privileges, also unviable.
I've created tasks before in plain C++ and it was very easy, a simple
system("schtasks [args]")
Was enough to create tasks, and as long as the program was running after a UAC prompt was accepted, the tasks were successfully created.
So what exactly is the aforementioned error, and how can I fix it, preferably with a solution from the market (it is cleaner than having to manually make a setup.exe, ask for privileges, manually make tasks).
Edit: Any answers that provide some clarity on creating Scheduled Tasks that automatically run elevated (i.e. have access to Program Files, etc) are greatly appreciated.
Edit 2: Setting user to LocalService did not work.
Verify that you have sufficient privileges to start system services is a red herring. It's a generic error message from MSI saying it couldn't start the service. There's a bakers dozen reasons (that I've answered on here: Error 1920 service failed to start. Verify that you have sufficient privileges to start system services )
Here's a couple tips:
DLLs going to Win SXS and GAC don't happen until after StartServices because of a design limitation in MSI. Try installing but not starting the service. Then after it's installed try to start it. If it works, it could be that.
You could be missing files. You can try to run the exe from a command prompt while it's hung and see if it says anything is missing.
The application could be crashing on startup.
I offer free 1 hour consulting sessions. If you can share the files with me I could look at it with you. Look me up if you are interested.
Here is the issue that I am having,
I have a C++ application that runs by writing data to .txt files and I want to create an MSI Package for the application.
When I build and run my app all is fine but when I run my MSI Setup File the created application does get granted the correct privileges to function.
I can't find a way to allow the app to write to the .txt files needed even if I include them in the package and set them as system files.
If I "Run as administrator" all is well but that isn't really plausible as I need it to function while "Running as User".
Is there anyway to prompt the user while installing to agree to an install with admin rights, so it doesn't have to be done manually before a prompt each launch.
Anything that can get my code running again would be brilliant, thanks.
Longer Writeup: System.UnauthorizedAccessException while running .exe under program files (several other options in addition to the ones listed below).
Per-User Folder: I would think you should install the files in question to a per-user folder (writeable for user - for example My Documents), or as templates to a per-machine folder (not writeable for normal users - for example %ProgramFiles%) and then have your application copy the templates from the per-machine location to the current user's My Documents folder - for example. Then you write to the files there - where a regular user will have write access. I suppose you could also write to a network share which is set up for users to have access.
Elevation: It is possible, to require the application to run elevated (link might be outdated - for .NET it is slightly different), but this is a horrible approach for something as simple as writing to text files. I would never require such elevation. Elevated rights are pervasive, and you don't want your application to run with the keys to the city - you become a hacker target and bugs in your tool become armed and dangerous.
ACL Modification: It is also possible to install the text files to a per-machine location and apply ACL permissioning to them so that they are writeable for regular users even if they don't have elevated rights. There is some information on how to do this here (bullet point 2). This approach is frowned upon in this day and age, but it will work. Be on the alert that your ACL permissioning shouldn't be too tight, in case you write to a new file, delete the old one and rename the new file to the old name during your write operation - you need file create in addition to file write obviously - there is very fine-grained control in NTFS. GenericWrite should do the trick I think.
Some Links (loosely connected, added for easy retrieval):
Create folder and file on Current user profile, from Admin Profile
Why is it a good idea to limit deployment of files to the user-profile or HKCU when using MSI?
Create a .config folder in the user folder
There is no connection at all between the install of an application and the running of an application regarding privileges. In other words there is nothing you can do in an MSI install that grants elevated privileges to the app being installed. It would be a massive security breach if a limited user could create an MSI setup that then installed an app that ran elevated.
So this question is actually nothing to do with Windows Installer - it's about whether you require users to be limited users or elevated users. If it's acceptable that users must be privileged, then you give the app an elevation manifest. If limited users will use it, then all writes or modifications to files or registry entries must be to locations available to limited users. It also means that the app won't be able to perform privileged operations, such as starting or stopping services.
We have an exe which actually checks the contents of a folder and then kicks off a windows service to do some processing on the files in that folder.
So, we made this exe as part of System start up program so it runs everytime the system reboots/starts.
Now the user is very annoyed as he gets pop up for UAC everytime he restarts. But we need to have admin rights for this exe as it kicks off a windows service. Therefore I researched and found a couple of solns for this prob.
This and This
But couldn't decide which is better and less vulnerable for security implications.
Another potential solution can be in the code of .exe itself detect the system start up and if we have any content in the target folder then only ask for UAC from user and kick off the windows service . Else just don't run the exe. I am not sure how to do this in C++. Any pointers would be helpful. If there is any better solution, always welcome.
You probably want to use Task Scheduler here.
Just create a task as part of the install process, with "When the computer starts" as the trigger, and set the "Run with highest privileges" security option.
The problem is that you're mixing up the system and user sessions.
If the processing of those files is done on behalf of a user, it probably should not be done by a service. What if two users wanted their files processed? What security context should the service use for that? And obviously you shouldn't need Administrator right to process some user files.
If the service is performing some system-level task, it shouldn't depend on a user. And in fact running at startup suggests you want this mode. (User applets start at login, not after reboot). The main problem in your design therefore seems to be that you try to run an app (with UI) at the wrong moment which requires far too many permissions (causing UAC). Redesign the service so that it does all the tasks which require admin permissions, and when installing the service set it to start automatically. This still requires UAC at installation, but that is when UAC is expected.
I've got an env.config in source control but pretty much the only things I can put in it are things that relate to all my various environments (production, staging). I've got environment specific settings that I want to add to the env.config file (for instance, the DB host) that will change from environment to environment. How can I handle these differences? Right now I'm doing it from the AWS console where I can manage it in the GUI on a per-environment basis, but I'd love to be able to change a lot of this stuff from git so I don't have to be logging into the console whenever I want to change something.
Is there any way to have multiple, environment specific config files?
So this has been posted before in the AWS forums. (https://forums.aws.amazon.com/thread.jspa?messageID=529373) So far there's only workarounds! The problem is that the .config files would require some logic to figure out what environment you're attempting to target. Personally I don't think any logic is required, as you could simply namespace the config settings based on the AWS environment name you're targeting.
I think your usecase is similar to what is discussed in How to configure Elastic Beanstalk for RDS
You may want to use 'eb branch'. You can then have multiple environments with different configurations.
More documentation on eb branch here
How do you unit/integration test code that requires a different privilege level than exists in your continuous integration environment?
In my non-root, CCRB-driven build environment, I've got some utility functions that assume privileges that don't hold in my automated build environment: either root privileges or special accounts and groups. (For example, one function changes UID/GID and supplementary groups to a specified account, changes root and current working directory, and divorces from any controlling terminal.)
We could run the tests by hand, of course, but then we might forget to run them.
How have others tackled this issue?
I would try to factor out the security management code behind a mockable interface, so that in unit tests I can provide fake privileges however I want.
This way it would be possible to test both that barring the required privileges the function fails, and that with the privileges granted it does what it is supposed to do.
Without more concrete details it is hard to say more.