elastic · ycombinator · Dec 3, 2024 · Oct 30, 2024 · Nov 5, 2024 · Nov 6, 2024
@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: feature
+
+# Change summary; a 80ish characters long description of the change.
+summary: Added support for pre-existing Active Directory user for unprivileged mode
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+description: User can specify custom pre-existing user for running unprivileged mode. This user will be gived permissions to log on as a service.
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component:
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+#pr: https://github.com/owner/repo/1234
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+issue: https://github.com/elastic/elastic-agent/issues/4585
@@ -10,6 +10,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"runtime"
 
 	"github.com/spf13/cobra"
 
@@ -28,6 +29,10 @@ const (
 	flagInstallDevelopment            = "develop"
 	flagInstallNamespace              = "namespace"
 	flagInstallRunUninstallFromBinary = "run-uninstall-from-binary"
+
+	flagInstallCustomUser  = "user"
+	flagInstallCustomGroup = "group"
+	flagInstallCustomPass  = "password"
 )
 
 func newInstallCommandWithArgs(_ []string, streams *cli.IOStreams) *cobra.Command {
@@ -61,6 +66,13 @@ would like the Agent to operate.
 	cmd.Flags().Bool(flagInstallDevelopment, false, "Install into a standardized development namespace, may enable development specific options. Allows multiple Elastic Agents to be installed at once. (experimental)")
 	_ = cmd.Flags().MarkHidden(flagInstallDevelopment) // For internal use only.
 
+	// Active directory user specification
+	cmd.Flags().String(flagInstallCustomUser, "", "Custom user used to run Elastic Agent")
+	cmd.Flags().String(flagInstallCustomGroup, "", "Custom group used to access Elastic Agent files")
+	if runtime.GOOS == "windows" {
+		cmd.Flags().String(flagInstallCustomPass, "", "Password for Active directory user used to run Elastic Agent")
+	}
+
 	addEnrollFlags(cmd)
 
 	return cmd
@@ -249,7 +261,19 @@ func installCmd(streams *cli.IOStreams, cmd *cobra.Command) error {
 		progBar.Describe("Successfully uninstalled Elastic Agent")
 	}
 	if status != install.PackageInstall {
-		ownership, err = install.Install(cfgFile, topPath, unprivileged, log, progBar, streams)
+		customUser, _ := cmd.Flags().GetString(flagInstallCustomUser)
+		customGroup, _ := cmd.Flags().GetString(flagInstallCustomGroup)
+		customPass := ""
+		if runtime.GOOS == "windows" {
+			customPass, _ = cmd.Flags().GetString(flagInstallCustomPass)
+
+			if (customUser != "" || customPass != "") &&
+				(customUser == "" || customPass == "") {
+				return fmt.Errorf("error installing package: all Active Directory parameters must be provided")
+			}
+		}
+
+		ownership, err = install.Install(cfgFile, topPath, unprivileged, log, progBar, streams, customUser, customGroup, customPass)
 		if err != nil {
 			return fmt.Errorf("error installing package: %w", err)
 		}

@@ -69,7 +69,7 @@ func privilegedCmd(streams *cli.IOStreams, cmd *cobra.Command) (err error) {
 	}
 
 	pt := install.CreateAndStartNewSpinner(streams.Out, "Converting Elastic Agent to privileged...")
-	err = install.SwitchExecutingMode(topPath, pt, "", "")
+	err = install.SwitchExecutingMode(topPath, pt, "", "", "")
 	if err != nil {
 		// error already adds context
 		return err

@@ -9,6 +9,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"runtime"
 
 	"github.com/spf13/cobra"
 
@@ -44,6 +45,13 @@ unprivileged it will still perform all the same work, including stopping and sta
 	cmd.Flags().BoolP("force", "f", false, "Do not prompt for confirmation")
 	cmd.Flags().DurationP("daemon-timeout", "", 0, "Timeout waiting for Elastic Agent daemon restart after the change is applied (-1 = no wait)")
 
+	// Custom  user specification
+	cmd.Flags().String(flagInstallCustomUser, "", "Custom user used to run Elastic Agent")
+	cmd.Flags().String(flagInstallCustomGroup, "", "Custom group used to access Elastic Agent files")
+	if runtime.GOOS == "windows" {
+		cmd.Flags().String(flagInstallCustomPass, "", "Password for Active directory user used to run Elastic Agent")
+	}
+
 	return cmd
 }
 
@@ -56,6 +64,18 @@ func unprivilegedCmd(streams *cli.IOStreams, cmd *cobra.Command) (err error) {
 		return fmt.Errorf("unable to perform unprivileged command, not executed with %s permissions", utils.PermissionUser)
 	}
 
+	customUser, _ := cmd.Flags().GetString(flagInstallCustomUser)
+	customGroup, _ := cmd.Flags().GetString(flagInstallCustomGroup)
+	customPass := ""
+	if runtime.GOOS == "windows" {
+		customPass, _ = cmd.Flags().GetString(flagInstallCustomPass)
+
+		if (customUser != "" || customPass != "") &&
+			(customUser == "" || customPass == "") {
+			return fmt.Errorf("error installing package: all Active Directory parameters must be provided")
+		}
+	}
+
 	// cannot switch to unprivileged when service components have issues
 	err = ensureNoServiceComponentIssues()
 	if err != nil {
@@ -77,7 +97,10 @@ func unprivilegedCmd(streams *cli.IOStreams, cmd *cobra.Command) (err error) {
 	}
 
 	pt := install.CreateAndStartNewSpinner(streams.Out, "Converting Elastic Agent to unprivileged...")
-	err = install.SwitchExecutingMode(topPath, pt, install.ElasticUsername, install.ElasticGroupName)
+
+	username, password := install.UnprivilegedUser(customUser, customPass)
+	groupName := install.UnprivilegedGroup(customGroup)
+	err = install.SwitchExecutingMode(topPath, pt, username, groupName, password)
 	if err != nil {
 		// error already adds context
 		return err

@@ -40,7 +40,7 @@ const (
 )
 
 // Install installs Elastic Agent persistently on the system including creating and starting its service.
-func Install(cfgFile, topPath string, unprivileged bool, log *logp.Logger, pt *progressbar.ProgressBar, streams *cli.IOStreams) (utils.FileOwner, error) {
+func Install(cfgFile, topPath string, unprivileged bool, log *logp.Logger, pt *progressbar.ProgressBar, streams *cli.IOStreams, customUser, customGroup, userPassword string) (utils.FileOwner, error) {
 	dir, err := findDirectory()
 	if err != nil {
 		return utils.FileOwner{}, errors.New(err, "failed to discover the source directory for installation", errors.TypeFilesystem)
@@ -49,13 +49,15 @@ func Install(cfgFile, topPath string, unprivileged bool, log *logp.Logger, pt *p
 	var ownership utils.FileOwner
 	username := ""
 	groupName := ""
+	password := ""
 	if unprivileged {
-		username = ElasticUsername
-		groupName = ElasticGroupName
-		ownership, err = EnsureUserAndGroup(username, groupName, pt)
+		username, password = UnprivilegedUser(customUser, userPassword)
+		groupName = UnprivilegedGroup(customGroup)
+		ownership, err = EnsureUserAndGroup(username, groupName, pt, username == ElasticUsername && password == "") // force create only elastic user
 		if err != nil {
 			// error context already added by EnsureUserAndGroup
 			return utils.FileOwner{}, err
+
 		}
 	}
 
@@ -147,7 +149,7 @@ func Install(cfgFile, topPath string, unprivileged bool, log *logp.Logger, pt *p
 
 	// install service
 	pt.Describe("Installing service")
-	err = InstallService(topPath, ownership, username, groupName)
+	err = InstallService(topPath, ownership, username, groupName, password)
 	if err != nil {
 		pt.Describe("Failed to install service")
 		// error context already added by InstallService
@@ -371,11 +373,12 @@ func StatusService(topPath string) (service.Status, error) {
 }
 
 // InstallService installs the service.
-func InstallService(topPath string, ownership utils.FileOwner, username string, groupName string) error {
-	opts, err := withServiceOptions(username, groupName)
+func InstallService(topPath string, ownership utils.FileOwner, username string, groupName string, password string) error {
+	opts, err := withServiceOptions(username, groupName, password)
 	if err != nil {
 		return fmt.Errorf("error getting service installation options: %w", err)
 	}
+
 	svc, err := newService(topPath, opts...)
 	if err != nil {
 		return fmt.Errorf("error creating new service handler for install: %w", err)
@@ -482,3 +485,24 @@ func CreateInstallMarker(topPath string, ownership utils.FileOwner) error {
 	_ = handle.Close()
 	return fixInstallMarkerPermissions(markerFilePath, ownership)
 }
+
+func UnprivilegedUser(username, password string) (string, string) {
+	if username != "" && password != "" {
+		return username, password
+	}
+
+	if username != "" && runtime.GOOS != "windows" {
+		// password only required for windows
+		return username, password
+	}
+
+	return ElasticUsername, ""
+}
+
+func UnprivilegedGroup(groupName string) string {
+	if groupName != "" {
+		return groupName
+	}
+
+	return ElasticGroupName
+}
@@ -28,7 +28,7 @@ func fixInstallMarkerPermissions(markerFilePath string, ownership utils.FileOwne
 }
 
 // withServiceOptions just sets the user/group for the service.
-func withServiceOptions(username string, groupName string) ([]serviceOpt, error) {
+func withServiceOptions(username string, groupName string, _ string) ([]serviceOpt, error) {
 	return []serviceOpt{withUserGroup(username, groupName)}, nil
 }
 

@@ -55,12 +55,17 @@ func fixInstallMarkerPermissions(markerFilePath string, ownership utils.FileOwne
 }
 
 // withServiceOptions just sets the user/group for the service.
-func withServiceOptions(username string, groupName string) ([]serviceOpt, error) {
+func withServiceOptions(username string, groupName string, password string) ([]serviceOpt, error) {
 	if username == "" {
 		// not installed with --unprivileged; nothing to do
 		return []serviceOpt{}, nil
 	}
 
+	if password != "" {
+		// existing user
+		return []serviceOpt{withUserGroup(username, groupName), withPassword(password)}, nil
+	}
+
 	// service requires a password to launch as the user
 	// this sets it to a random password that is only known by the service
 	password, err := RandomPassword()

@@ -15,7 +15,7 @@ import (
 
 // EnsureUserAndGroup creates the given username and group returning the file ownership information for that
 // user and group.
-func EnsureUserAndGroup(username string, groupName string, pt *progressbar.ProgressBar) (utils.FileOwner, error) {
+func EnsureUserAndGroup(username string, groupName string, pt *progressbar.ProgressBar, forceCreate bool) (utils.FileOwner, error) {
 	var err error
 	var ownership utils.FileOwner
 
@@ -24,7 +24,7 @@ func EnsureUserAndGroup(username string, groupName string, pt *progressbar.Progr
 	if err != nil && !errors.Is(err, ErrGroupNotFound) {
 		return utils.FileOwner{}, fmt.Errorf("failed finding group %s: %w", groupName, err)
 	}
-	if errors.Is(err, ErrGroupNotFound) {
+	if forceCreate && errors.Is(err, ErrGroupNotFound) {
 		pt.Describe(fmt.Sprintf("Creating group %s", groupName))
 		ownership.GID, err = CreateGroup(groupName)
 		if err != nil {
@@ -39,7 +39,7 @@ func EnsureUserAndGroup(username string, groupName string, pt *progressbar.Progr
 	if err != nil && !errors.Is(err, ErrUserNotFound) {
 		return utils.FileOwner{}, fmt.Errorf("failed finding username %s: %w", username, err)
 	}
-	if errors.Is(err, ErrUserNotFound) {
+	if forceCreate && errors.Is(err, ErrUserNotFound) {
 		pt.Describe(fmt.Sprintf("Creating user %s", username))
 		ownership.UID, err = CreateUser(username, ownership.GID)
 		if err != nil {
@@ -53,5 +53,10 @@ func EnsureUserAndGroup(username string, groupName string, pt *progressbar.Progr
 		}
 		pt.Describe(fmt.Sprintf("Successfully created user %s", username))
 	}
+
+	if err := EnsureRights(username); err != nil {
+		pt.Describe(fmt.Sprintf("Failed to assign rights to user %s", username))
+		return utils.FileOwner{}, fmt.Errorf("failed to set proper rights to user %s: %w", username, err)
+	}
 	return ownership, nil
 }
@@ -19,7 +19,7 @@ import (
 //
 // When username and groupName are blank then it switched back to root/Administrator and when a username/groupName is
 // provided then it switched to running with that username and groupName.
-func SwitchExecutingMode(topPath string, pt *progressbar.ProgressBar, username string, groupName string) error {
+func SwitchExecutingMode(topPath string, pt *progressbar.ProgressBar, username string, groupName string, password string) error {
 	// ensure service is stopped
 	status, err := EnsureStoppedService(topPath, pt)
 	if err != nil {
@@ -38,7 +38,7 @@ func SwitchExecutingMode(topPath string, pt *progressbar.ProgressBar, username s
 	// ensure user/group are created
 	var ownership utils.FileOwner
 	if username != "" && groupName != "" {
-		ownership, err = EnsureUserAndGroup(username, groupName, pt)
+		ownership, err = EnsureUserAndGroup(username, groupName, pt, username == ElasticUsername)
 		if err != nil {
 			// context for the error already provided in the EnsureUserAndGroup function
 			return err
@@ -78,7 +78,7 @@ func SwitchExecutingMode(topPath string, pt *progressbar.ProgressBar, username s
 
 	// re-install service
 	pt.Describe("Installing service")
-	err = InstallService(topPath, ownership, username, groupName)
+	err = InstallService(topPath, ownership, username, groupName, password)
 	if err != nil {
 		pt.Describe("Failed to install service")
 		// error context already added by InstallService

@@ -177,3 +177,5 @@ func dsclExec(args ...string) error {
 	}
 	return nil
 }
+
+func EnsureRights(_ string) error { return nil }
@@ -92,3 +92,5 @@ func getentGetID(database string, key string) (int, error) {
 	}
 	return val, nil
 }
+
+func EnsureRights(_ string) error { return nil }
@@ -127,38 +127,42 @@ func CreateUser(name string, _ string) (string, error) {
 		return "", fmt.Errorf("call to NetUserAdd failed: status=%d error=%d", ret, parmErr)
 	}
 
+	return FindUID(name)
+}
+
+func EnsureRights(name string) error {
 	// adjust the local security policy to ensure that the created user is scoped to a service only
 	sid, _, _, err := gowin32.GetLocalAccountByName(name)
 	if err != nil {
-		return "", fmt.Errorf("failed to get SID for %s: %w", name, err)
+		return fmt.Errorf("failed to get SID for %s: %w", name, err)
 	}
 	sp, err := gowin32.OpenLocalSecurityPolicy()
 	if err != nil {
-		return "", fmt.Errorf("failed to open local security policy: %w", err)
+		return fmt.Errorf("failed to open local security policy: %w", err)
 	}
 	defer sp.Close()
 	err = sp.AddAccountRight(sid, gowin32.AccountRightDenyInteractiveLogon)
 	if err != nil {
-		return "", fmt.Errorf("failed to set deny interactive logon: %w", err)
+		return fmt.Errorf("failed to set deny interactive logon: %w", err)
 	}
 	err = sp.AddAccountRight(sid, gowin32.AccountRightDenyNetworkLogon)
 	if err != nil {
-		return "", fmt.Errorf("failed to set deny network logon: %w", err)
+		return fmt.Errorf("failed to set deny network logon: %w", err)
 	}
 	err = sp.AddAccountRight(sid, gowin32.AccountRightDenyRemoteInteractiveLogon)
 	if err != nil {
-		return "", fmt.Errorf("failed to set deny remote interactive logon: %w", err)
+		return fmt.Errorf("failed to set deny remote interactive logon: %w", err)
 	}
 	err = sp.AddAccountRight(sid, gowin32.AccountRightServiceLogon)
 	if err != nil {
-		return "", fmt.Errorf("failed to set service logon: %w", err)
+		return fmt.Errorf("failed to set service logon: %w", err)
 	}
 	err = sp.AddAccountRight(sid, accountRightCreateSymbolicLink)
 	if err != nil {
-		return "", fmt.Errorf("failed to add right to create symbolic link: %w", err)
+		return fmt.Errorf("failed to add right to create symbolic link: %w", err)
 	}
 
-	return FindUID(name)
+	return nil
 }
 
 // AddUserToGroup adds a user to a group.
-Original file line number
+Diff line change
@@ Expand Up / @@ -177,3 +177,5 @@ func dsclExec(args ...string) error { @@
     	}
     	return nil
     }
+    func EnsureRights(_ string) error { return nil }