Open dherder opened 2 weeks ago
I'm not aware of other management solutions running scripts as the user rather than the root agent. Even in a self-service model, admins create the scripts in a way that they can execute or deliver things within the user context -- like determining the current logged-in user via logname on Ubuntu or reading in values from loginwindow on macOS.
Are they able to provide a redacted version of the script they are trying to execute? A couple of thoughts using Cloudflare WARP as the example...
Install via apt:
curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ jammy main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list
sudo apt-get -y update && sudo apt-get -y install cloudflare-warp
Then place a script on the user's desktop for them to double-click and execute. Or put the script in a hidden folder and execute it as the user via cron. It would take some additional logic in the script, but this should get them most of the way there...
user=$(logname)
sudo -u "$user" sh -c "echo 'Logged-in user: $user'"
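The snippet above depends on logname, which only works when the script has a controlling terminal; from cron or a root management agent it fails with "no login name" and $user ends up empty. The following is an added example, not code from the issue or from Fleet, that resolves the console user from who(1) output when logname is unavailable and then runs a command in that user's context with sudo -H. Function names, the awk heuristic, and the sample who output are my own assumptions:

```shell
#!/bin/sh
# Added example, not from the issue thread. Resolve the interactive (console)
# user when the script itself runs as root from an agent or cron job, where
# `logname` has no controlling terminal and fails. Parsing `who` output is the
# assumed fallback; function and variable names are illustrative.

# pick_console_user: read `who`-style lines on stdin and print the best
# candidate: a non-root user with a graphical or local console session
# (display ":0" or a ttyN login) first, otherwise the first non-root login.
pick_console_user() {
  awk '
    $1 == "root" { next }                               # never hand the session to root
    $2 ~ /^(:[0-9]+|tty[0-9]+)$/ || $NF ~ /^\(:[0-9]+\)$/ {
      print $1; found = 1; exit                         # console/graphical session wins
    }
    { if (fallback == "") fallback = $1 }               # remember first remote login
    END { if (!found && fallback != "") print fallback }
  '
}

# resolve_login_user: try logname first (works when run from a terminal),
# then fall back to the who(1) heuristic above.
resolve_login_user() {
  u=$(logname 2>/dev/null) && [ -n "$u" ] && [ "$u" != "root" ] && { echo "$u"; return 0; }
  who 2>/dev/null | pick_console_user
}

# run_as_user: execute a command in the named user's context. Uses sudo only
# when the caller is not already that user, and passes -H so $HOME belongs to
# the target user, which user-context tools such as WARP enrollment expect.
run_as_user() {
  target="$1"; shift
  if [ "$(id -un)" = "$target" ]; then
    "$@"
  else
    sudo -u "$target" -H "$@"
  fi
}

# Constructed sample `who` output: root over ssh, the desktop user on tty2
# with display :0, and another remote ssh session.
SAMPLE_WHO='root     pts/0        2024-10-25 08:55 (10.0.0.9)
dherder  tty2         2024-10-25 09:00 (:0)
alice    pts/1        2024-10-25 09:10 (10.0.0.5)'

# Run with --demo to see the selection on the sample, then on the live host.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_WHO" | pick_console_user        # prints: dherder
  u=$(resolve_login_user) && run_as_user "$u" sh -c 'echo "Logged-in user: $(id -un)"'
fi
```

In the cron variant the script would call resolve_login_user instead of logname and bail out if it returns nothing (no one logged in), rather than silently running the enrollment as root and hitting the "Teams enrollment as root not supported" error shown later in this issue.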
For sure a script can be created to run in user context. A much better admin experience would be to give them the lever to solve this across all scripts without having them do backflips to find the user or drop that script and hope that they execute it.
"Execution Context" is a common feature in script execution in UEM solutions like Omnissa and Ivanti. https://docs.omnissa.com/bundle/Windows_Desktop_ManagementV2302/page/uemWindeskScripts.html
A browser window should open at the following URL:
https://organization.cloudflareaccess.com/warp
If the browser fails to open, please visit the URL above directly in your browser.
Failed to enroll: Teams enrollment as root not supported. Please re-run the command as a regular user.
script execution error: exit status 1
Slack thread: https://fleetdm.slack.com/archives/C01HE9GQW6B/p1729850813240129
@dherder for some reason I get an error when I click on this Slack link. Is this a customer request? If so, can you please add the customer label?
@dherder just giving you a ping! as a reminder.
Can you please share an updated Slack link and let us know which customer/prospect requested this?
When I click the one in the issue description I see this error:
@noahtalerman that's weird, I get the same error. Maybe try this link? In any case, I'll figure out another way to get the script to execute. This was initially blocking https://github.com/cloudflare/cloudflare-docs/pull/17606/files. That being said, it doesn't meet the new prioritization criteria right now, I believe.
@dherder this Slack link takes me to an internal conversation about a prospect-comrie request for integration w/ Zscaler or Cloudflare for ZTNA access.
Is that the right link?
If yes, this sounds like a different request? Or, maybe executing scripts in user context is a proposed solution to the prospect's problem?
I'll figure out another way to get the script to execute
Sounds good 👍
@dherder this Slack link takes me to an internal conversation about a prospect-comrie request for integration w/ Zscaler or Cloudflare for ZTNA access. Is that the right link?
Yessir!
If yes, this sounds like a different request? Or, maybe executing scripts in user context is a proposed solution to the prospect's problem?
Executing remote scripts in user context is the way that Linux users will configure the Cloudflare agent, thus the relation to the prospect's integration request.
Gong snippet: Slack thread: https://fleetdm.slack.com/archives/C01HE9GQW6B/p1729850813240129.