From 5847d773311463e7450708f1b305ddc2b01fbe17 Mon Sep 17 00:00:00 2001 From: kaisecheng <69120390+kaisecheng@users.noreply.github.com> Date: Tue, 5 Nov 2024 15:37:19 +0000 Subject: [PATCH] skip `allow_superuser` in Windows OS (#16629) As user id is always zero in Windows, this commit excluded the checking of running as root in Windows. --- config/logstash.yml | 2 +- logstash-core/lib/logstash/runner.rb | 2 + logstash-core/spec/logstash/runner_spec.rb | 68 +++++++++++++--------- 3 files changed, 42 insertions(+), 30 deletions(-) diff --git a/config/logstash.yml b/config/logstash.yml index 59703aa54f6..d96ad467417 100644 --- a/config/logstash.yml +++ b/config/logstash.yml @@ -320,7 +320,7 @@ # # ------------ Other Settings -------------- # -# Allow or block running Logstash as superuser (default: true) +# Allow or block running Logstash as superuser (default: true). Windows are excluded from the checking # allow_superuser: false # # Where to find custom plugins diff --git a/logstash-core/lib/logstash/runner.rb b/logstash-core/lib/logstash/runner.rb index 0fd7a503b06..cf8917164e8 100644 --- a/logstash-core/lib/logstash/runner.rb +++ b/logstash-core/lib/logstash/runner.rb @@ -454,6 +454,8 @@ def execute end # def self.main def running_as_superuser + return if LogStash::Environment.windows? # windows euid always returns 0, skip checking + if Process.euid() == 0 if setting("allow_superuser") logger.warn("NOTICE: Allowing Logstash to run as superuser is heavily discouraged as it poses a security risk. " + diff --git a/logstash-core/spec/logstash/runner_spec.rb b/logstash-core/spec/logstash/runner_spec.rb index 3a0a7e13102..00c6d04e320 100644 --- a/logstash-core/spec/logstash/runner_spec.rb +++ b/logstash-core/spec/logstash/runner_spec.rb @@ -574,41 +574,51 @@ let(:deprecation_logger_stub) { double("DeprecationLogger").as_null_object } before(:each) { allow(runner).to receive(:deprecation_logger).and_return(deprecation_logger_stub) } - context "unintentionally running logstash as superuser" do - before do - expect(Process).to receive(:euid).and_return(0) + if LogStash::Environment.windows? + context "unintentionally running logstash as superuser" do + it "runs successfully" do + LogStash::SETTINGS.set("allow_superuser", false) + expect(logger).not_to receive(:fatal) + expect { subject.run(args) }.not_to raise_error + end end - it "fails with bad exit" do - LogStash::SETTINGS.set("allow_superuser", false) - expect(logger).to receive(:fatal) do |msg, hash| - expect(msg).to eq("An unexpected error occurred!") - expect(hash[:error].to_s).to match("Logstash cannot be run as superuser.") + else + context "unintentionally running logstash as superuser" do + before do + expect(Process).to receive(:euid).and_return(0) + end + it "fails with bad exit" do + LogStash::SETTINGS.set("allow_superuser", false) + expect(logger).to receive(:fatal) do |msg, hash| + expect(msg).to eq("An unexpected error occurred!") + expect(hash[:error].to_s).to match("Logstash cannot be run as superuser.") + end + expect(subject.run(args)).to eq(1) end - expect(subject.run(args)).to eq(1) end - end - context "intentionally running logstash as superuser " do - before do - expect(Process).to receive(:euid).and_return(0) - end - it "runs successfully with warning message" do - LogStash::SETTINGS.set("allow_superuser", true) - expect(logger).not_to receive(:fatal) - expect(logger).to receive(:warn).with(/NOTICE: Allowing Logstash to run as superuser is heavily discouraged as it poses a security risk./) - expect { subject.run(args) }.not_to raise_error + context "intentionally running logstash as superuser " do + before do + expect(Process).to receive(:euid).and_return(0) + end + it "runs successfully with warning message" do + LogStash::SETTINGS.set("allow_superuser", true) + expect(logger).not_to receive(:fatal) + expect(logger).to receive(:warn).with(/NOTICE: Allowing Logstash to run as superuser is heavily discouraged as it poses a security risk./) + expect { subject.run(args) }.not_to raise_error + end end - end - context "running logstash as non-root " do - before do - expect(Process).to receive(:euid).and_return(100) - end - it "runs successfully without any messages" do - LogStash::SETTINGS.set("allow_superuser", false) - expect(logger).not_to receive(:fatal) - expect(logger).not_to receive(:warn).with(/NOTICE: Allowing Logstash to run as superuser is heavily discouraged as it poses a security risk./) - expect { subject.run(args) }.not_to raise_error + context "running logstash as non-root " do + before do + expect(Process).to receive(:euid).and_return(100) + end + it "runs successfully without any messages" do + LogStash::SETTINGS.set("allow_superuser", false) + expect(logger).not_to receive(:fatal) + expect(logger).not_to receive(:warn).with(/NOTICE: Allowing Logstash to run as superuser is heavily discouraged as it poses a security risk./) + expect { subject.run(args) }.not_to raise_error + end end end end