mtkennerly / shawl

Windows service wrapper for arbitrary commands
MIT License
495 stars 15 forks

Running service without admin rights #27

Closed SeriousMikeDE closed 1 year ago

SeriousMikeDE commented 1 year ago

Hi,

I'm using https://github.com/Badgerati/Pode to run a web server and I found shawl as a solution to run this as a service since the whole webserver is in a PowerShell script.

I'd like to run the service without admin rights so after creating the service with shawl (using an admin user) I open the services.msc and change the service user.

The service user can run the webserver without problems when calling it directly (powershell.exe server.ps1) but starting the service results in "Permission denied".

The exact error message is

Error: OutputiO(Os { code: 5, kind: PermissionDenied, message: "Permission denied" })

Is shawl causing this?

mtkennerly commented 1 year ago

Hi! I'm not sure whether Shawl is causing this. I don't think the log-on-as service functionality works on home editions of Windows (since they don't come with the security manager to allow service log-on for user accounts), so I would need to set up a different version of Windows in a VM in order to test this.

In the meantime, could you share the full Shawl log so I can see how far it got?

SeriousMikeDE commented 1 year ago

Hi - thanks for the fast reply :)

The log only contains the add part:

2022-10-24 11:17:23 [DEBUG] ********** LAUNCH **********
2022-10-24 11:17:23 [DEBUG] Cli { sub: Add { common: CommonOpts { pass: None, restart: false, no_restart: false, restart_if: [], restart_if_not: [], stop_timeout: None, no_log: false, no_log_cmd: false, log_dir: None, pass_start_args: false, env: [], path: [], command: ["powershell.exe", "D:\\webserver\\server.ps1"] }, cwd: Some("\\\\?\\D:\\webserver"), name: "PowerWebServer" } }
2022-10-24 11:17:23 [DEBUG] Finished successfully

Starting the service through the service.msc results in "Error 1053: The Service did not Respond to the Start or Control Request in a Timely Fashion"

Running the shawl run command directly on commandline results in the mentioned error 5.

mtkennerly commented 1 year ago

Ah, I see. shawl run is designed in such a way that it can only work when executed by Windows's internal service mechanism. That said, when I try to run it directly in a console, I get this error instead of the error 5 you got:

Failed to run the service:
Winapi(
    Os {
        code: 1063,
        kind: Uncategorized,
        message: "The service process could not connect to the service controller.",
    },
)

I'm not sure if the difference means something. I'll see if I can reproduce this in a VM and report back.

mtkennerly commented 1 year ago

It seems to work on my end. Here's what I did to test it:

SeriousMikeDE commented 1 year ago

Thanks for testing. Interesting results

I'll try to set up another test instance to reproduce the issue.

SeriousMikeDE commented 1 year ago

Hi Matthew,

thanks for checking.

I have an off-topic question: would it be possible for you to allow donations on this project? I'm using shawl together with Pode in our company and I'm planning to make it big. As it's open source we don't have to pay for anything but you're still investing time. Therefore I agreed with my boss to send monthly donations to open source projects we're using since we want to keep the project alive.

Greetings Mike

Matthew Kennerly @.***> wrote on Wed, 26 Oct 2022, 01:02:

It seems to work on my end. Here's what I did to test it:

  • Created a Windows Server 2022 VM:

        Vagrant.configure("2") do |config|
          config.vm.box = "gusztavvargadr/windows-server"
          config.vm.network "public_network"
          config.vm.provider "virtualbox" do |vb|
            vb.gui = true
            vb.memory = 4096
          end
          config.vm.synced_folder ".", "/vagrant", type: "virtualbox"
        end

  • Created a new local user account named "Secondary"

  • Enabled service logon for that account via Administrative Tools ( https://learn.microsoft.com/en-us/system-center/scsm/enable-service-log-on-sm?view=sc-sm-2022 )

  • Copied shawl.exe and shawl-child.exe to C:/opt (shawl-child.exe is a small program used for testing)

      • I originally tried it with an executable in C:/Users/vagrant, but I got "error 5: access is denied" when I tried to start the service. It was happy once I moved it to a non-user folder.

  • C:/opt/shawl.exe add --name shawl -- C:/opt/shawl-child.exe

  • Set the service to log on as the secondary account.

  • Started the service.

  • Verified that shawl.exe had created C:/opt/shawl_for_shawl_rCURRENT.log, which captured this line from shawl-child.exe's output: [INFO] whoami: \"Secondary\"

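The test above hit "error 5: access is denied" while the executable sat in a user-profile folder and succeeded once it was moved to C:/opt. The following is an added example, not code from this thread or from the Shawl project: a heuristic check, run from an elevated PowerShell prompt, of whether the service's logon account has read/execute rights on the service binaries. The function name is hypothetical, and the paths and account name are the ones used in the test above.

```powershell
# Added example (not from the thread): heuristic ACL pre-flight check.
function Test-ServiceAccountAccess {
    param(
        [Parameter(Mandatory)][string[]]$Path,    # service binary and child command
        [Parameter(Mandatory)][string]$Account    # account the service logs on as
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # SIDs whose ACEs apply to the account's service-logon token.
    # Assumption: the account is in BUILTIN\Users; other group memberships are not resolved.
    $sids = @(
        [System.Security.Principal.NTAccount]::new($Account).Translate($sidType).Value
        'S-1-1-0'        # Everyone
        'S-1-5-11'       # Authenticated Users
        'S-1-5-32-545'   # BUILTIN\Users
        'S-1-5-6'        # SERVICE
    )
    $need        = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    foreach ($p in $Path) {
        $allow = 0; $deny = 0
        $rules = (Get-Acl -LiteralPath $p).GetAccessRules($true, $true, $sidType)
        foreach ($r in $rules) {
            if ($sids -notcontains $r.IdentityReference.Value) { continue }
            # Inherit-only ACEs affect child objects, not this one.
            if (([int]$r.PropagationFlags -band $inheritOnly) -ne 0) { continue }
            if ($r.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$r.FileSystemRights }
            else                                  { $deny  = $deny  -bor [int]$r.FileSystemRights }
        }
        # Approximation: any matching deny bit wins over allow, regardless of ACE order.
        $effective = $allow -band (-bnot $deny)
        [pscustomobject]@{
            Path           = $p
            Account        = $Account
            ReadAndExecute = (($effective -band $need) -eq $need)
        }
    }
}

# Paths and account name as used in the test described above.
Test-ServiceAccountAccess -Path 'C:\opt\shawl.exe', 'C:\opt\shawl-child.exe' -Account 'Secondary'
```

A `False` result for a path means none of the listed identities is granted read/execute there, which is what a file inheriting the ACL of another user's profile folder typically looks like.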

mtkennerly commented 1 year ago

Thanks, that's very kind of you :) I've been somewhat hesitant before, mainly since I wasn't prepared to offer rewards, so it felt a bit presumptuous to set specific tier amounts. Looking at the GitHub sponsorship feature, though, it seems to allow any custom amount and even one-time payments, which I'm more comfortable with. I've submitted an application, so I can let you know once it's approved.

SeriousMikeDE commented 1 year ago

Sounds great :)

Keep me updated


mtkennerly commented 1 year ago

@SeriousMikeDE The application just got approved :D If you're still interested, the link is: https://github.com/sponsors/mtkennerly