Check User SIDs via os package

ksubrmnn 2019-05-16 12:12:02 -07:00
parent 71bbabc36b
commit aa8efc5b94


@ -19,28 +19,38 @@ limitations under the License.
package preflight
import (
"os/exec"
"strings"
"os/user"
"github.com/pkg/errors"
)
// Check validates if an user has elevated (administrator) privileges.
// The "Well-known SID" of Administrator group
// https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
const administratorSID = "S-1-5-32-544"
// Check validates if a user has elevated (administrator) privileges.
func (ipuc IsPrivilegedUserCheck) Check() (warnings, errorList []error) {
errorList = []error{}
// The "Well-known SID" of Administrator group is S-1-5-32-544
// The following powershell will return "True" if run as an administrator, "False" otherwise
// See https://msdn.microsoft.com/en-us/library/cc980032.aspx
args := []string{"[bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match \"S-1-5-32-544\")"}
isAdmin, err := exec.Command("powershell", args...).Output()
currUser, err := user.Current()
if err != nil {
errorList = append(errorList, errors.Wrap(err, "unable to determine if user is running as administrator"))
} else if strings.EqualFold(strings.TrimSpace(string(isAdmin)), "false") {
errorList = append(errorList, errors.New("user is not running as administrator"))
errorList = append(errorList, errors.New("cannot get current user"))
return nil, errorList
}
groupIds, err := currUser.GroupIds()
if err != nil {
errorList = append(errorList, errors.New("cannot get group IDs for current user"))
return nil, errorList
}
for _, sid := range groupIds {
if sid == administratorSID {
return nil, errorList
}
}
errorList = append(errorList, errors.New("user is not running as administrator"))
return nil, errorList
}
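Review bot: The loop over `currUser.GroupIds()` compares the account's group membership with `administratorSID`, which is a different question from whether this process is elevated, although the doc comment on `Check` still promises "elevated (administrator) privileges". If `GroupIds` on Windows reports the account's groups rather than the groups enabled in the process token (I believe it does, but that is not visible on this page), a member of Administrators running a non-elevated process under UAC passes this preflight and only fails later at the first privileged operation. Consider testing the process token's elevation instead, or at minimum state the limit in the comment, e.g. `// Check validates that the current user is a member of the Administrators group; it does not prove the process is elevated.` Separately, both new error paths discard `err`; `errors.Wrap(err, "cannot get current user")` and `errors.Wrap(err, "cannot get group IDs for current user")` would keep the underlying cause for whoever has to debug a failed preflight.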