From 252a6aeec289ecf3c6099b7e2b9eaa4c6d79da9f Mon Sep 17 00:00:00 2001
From: Nic Klaassen
Date: Tue, 4 Mar 2025 10:57:28 -0800
Subject: [PATCH] [vnet] fix: use authenticated users SID (#52765)

---
 lib/vnet/install_service_windows.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/lib/vnet/install_service_windows.go b/lib/vnet/install_service_windows.go
index ff772ef25d0f3..c66ad551765d4 100644
--- a/lib/vnet/install_service_windows.go
+++ b/lib/vnet/install_service_windows.go
@@ -108,15 +108,20 @@ func grantServiceRights() error {
 if err != nil {
 return trace.Wrap(err, "getting current service DACL")
 }
+ // This is the universal well-known SID for "Authenticated Users".
+ authenticatedUsersSID, err := windows.StringToSid("S-1-5-11")
+ if err != nil {
+ return trace.Wrap(err, "parsing authenticated users SID")
+ }
 // Build an explicit access entry allowing authenticated users to start,
 // stop, and query the service.
 ea := []windows.EXPLICIT_ACCESS{{
 AccessPermissions: windows.SERVICE_QUERY_STATUS | windows.SERVICE_START | windows.SERVICE_STOP,
 AccessMode: windows.GRANT_ACCESS,
 Trustee: windows.TRUSTEE{
- TrusteeForm: windows.TRUSTEE_IS_NAME,
+ TrusteeForm: windows.TRUSTEE_IS_SID,
 TrusteeType: windows.TRUSTEE_IS_WELL_KNOWN_GROUP,
- TrusteeValue: windows.TrusteeValueFromString("Authenticated Users"),
+ TrusteeValue: windows.TrusteeValueFromSID(authenticatedUsersSID),
 },
 }}
 // Merge the new explicit access entry with the existing DACL.
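Review bot: The comment added above `authenticatedUsersSID` says what the literal is but not why the `TRUSTEE_IS_NAME` lookup it replaces was wrong, so a later maintainer may well "simplify" back to the readable name form; the cause is only inferred from the commit title here, but presumably the English account name does not resolve on non-English installations while the SID is identical everywhere. I would extend the comment to `// Use the well-known SID rather than the account name "Authenticated Users": TRUSTEE_IS_NAME lookup depends on the OS display language, whereas S-1-5-11 is the same on every Windows installation.` Note also that golang.org/x/sys/windows offers `windows.CreateWellKnownSid(windows.WinAuthenticatedUserSid)`, which yields the same SID without a string literal to parse and removes the new parse-error branch. The access actually granted (SERVICE_QUERY_STATUS, SERVICE_START and SERVICE_STOP to every authenticated user) is unchanged by this hunk, so the trust decision itself is pre-existing rather than widened. grantServiceRights begins before and ends after the hunk.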