From aa8efc5b947535bcf0c53e8d351e0af1e7aebaf9 Mon Sep 17 00:00:00 2001
From: ksubrmnn
Date: Thu, 16 May 2019 12:12:02 -0700
Subject: [PATCH] Check User SIDs via os package
---
 cmd/kubeadm/app/preflight/checks_windows.go | 34 +++++++++++++--------
 1 file changed, 22 insertions(+), 12 deletions(-)
diff --git a/cmd/kubeadm/app/preflight/checks_windows.go b/cmd/kubeadm/app/preflight/checks_windows.go
index f7c06d49d1d..58ebcaa2a47 100644
--- a/cmd/kubeadm/app/preflight/checks_windows.go
+++ b/cmd/kubeadm/app/preflight/checks_windows.go
@@ -19,28 +19,38 @@ limitations under the License.
 package preflight
 import (
- "os/exec"
- "strings"
+ "os/user"
 "github.com/pkg/errors"
 )
-// Check validates if an user has elevated (administrator) privileges.
+// The "Well-known SID" of Administrator group
+// https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
+const administratorSID = "S-1-5-32-544"
+
+// Check validates if a user has elevated (administrator) privileges.
 func (ipuc IsPrivilegedUserCheck) Check() (warnings, errorList []error) {
 errorList = []error{}
- // The "Well-known SID" of Administrator group is S-1-5-32-544
- // The following powershell will return "True" if run as an administrator, "False" otherwise
- // See https://msdn.microsoft.com/en-us/library/cc980032.aspx
- args := []string{"[bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match \"S-1-5-32-544\")"}
- isAdmin, err := exec.Command("powershell", args...).Output()
-
+ currUser, err := user.Current()
 if err != nil {
- errorList = append(errorList, errors.Wrap(err, "unable to determine if user is running as administrator"))
- } else if strings.EqualFold(strings.TrimSpace(string(isAdmin)), "false") {
- errorList = append(errorList, errors.New("user is not running as administrator"))
+ errorList = append(errorList, errors.New("cannot get current user"))
+ return nil, errorList
 }
+ groupIds, err := currUser.GroupIds()
+ if err != nil {
+ errorList = append(errorList, errors.New("cannot get group IDs for current user"))
+ return nil, errorList
+ }
+
+ for _, sid := range groupIds {
+ if sid == administratorSID {
+ return nil, errorList
+ }
+ }
+
+ errorList = append(errorList, errors.New("user is not running as administrator"))
 return nil, errorList
 }
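Review bot: The loop over `currUser.GroupIds()` tests whether the account belongs to the Administrators group, which is not the same as the process running elevated, although the doc comment on `Check` still promises "elevated (administrator) privileges". As far as I know, `os/user` on Windows resolves groups from the account database rather than from the process token, so a member of S-1-5-32-544 running with a UAC-filtered token would likely pass this preflight check, whereas the removed PowerShell query inspected the groups of the current Windows identity. Consider checking the token instead, for example `windows.GetCurrentProcessToken().IsElevated()` from golang.org/x/sys/windows, or at least reword the comment to `// Check validates that the current user is a member of the local Administrators group; it does not prove the process is elevated.`. Separately, both new error paths discard `err` where the old code wrapped it; `errors.Wrap(err, "cannot get current user")` and `errors.Wrap(err, "cannot get group IDs for current user")` would keep the cause in the preflight output.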