execabs fails to run netsh from shortcut #914

Closed
2 of 3 tasks
jnyrup opened this issue Apr 7, 2022 · 6 comments

jnyrup commented Apr 7, 2022

  • I am using the latest release of AWS Vault
  • I have provided my .aws/config (redacted if necessary) (does not seem to apply here)
  • I have provided the debug output using aws-vault --debug (redacted if necessary)

I have a shortcut on my Windows desktop which opens aws-vault in admin mode.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -f C:\Users\JonasNyrup\Desktop\login.ps1

This used to work, but since #792 I get

2022/04/07 10:56:57 aws-vault v6.6.0
2022/04/07 10:56:57 Loading config file C:\Users\JonasNyrup\.aws\config
2022/04/07 10:56:57 Parsing config file C:\Users\JonasNyrup\.aws\config
2022/04/07 10:56:57 [keyring] Considering backends: [wincred]
2022/04/07 10:56:57 profile jn: using stored credentials
2022/04/07 10:56:57 profile jn: skipping GetSessionToken because profile '<profile>' has no MFA serial defined
2022/04/07 10:56:57 profile <profile>: using AssumeRole
2022/04/07 10:56:57 Starting `aws-vault proxy`
aws-vault.exe: error: : netsh resolves to executable in current directory (.\netsh.exe), try --help

login.ps1

aws-vault exec --server --prompt=osascript <profile> -- cmd.exe

If I open PowerShell in admin mode and run C:\Users\JonasNyrup\Desktop\login.ps1, it works.

I just tried it: 6.3.1 works, and 6.4.0 does not.

I'm not familiar with Go or its ecosystem, but as far as I can read from https://go.dev/blog/path-security, execabs seems to require absolute paths to commands.

Mattie112 commented Apr 7, 2022

Ah, I just wanted to make a ticket, I have the same issue. However, for me it does not matter if it is cmd or ps.

(the osascript I found in #888)

PS C:\WINDOWS\system32> aws-vault --debug exec xx-xx-staging --prompt=osascript --server
2022/04/07 11:34:15 aws-vault v6.6.0
2022/04/07 11:34:15 Loading config file C:\Users\xx\.aws\config
2022/04/07 11:34:15 Parsing config file C:\Users\xx\.aws\config
2022/04/07 11:34:15 [keyring] Considering backends: [wincred]
2022/04/07 11:34:15 Profile 'default' missing in config file
2022/04/07 11:34:15 Profile 'default' missing in config file
2022/04/07 11:34:15 profile xx-login: using stored credentials
2022/04/07 11:34:15 profile xx-login: skipping GetSessionToken because profile 'xx-login' has no MFA serial defined
2022/04/07 11:34:15 profile xx-xx-staging: using AssumeRole (with MFA)
2022/04/07 11:34:15 Starting `aws-vault proxy`
aws-vault.exe: error: : netsh resolves to executable in current directory (.\netsh.exe), try --help
aws-vault: error: exec: Failed to start credential server: The EC2 Instance Metadata endpoint proxy server isn't running. Run `aws-vault proxy` as Administrator or root in the background and then try this command again
PS C:\WINDOWS\system32> aws-vault proxy
aws-vault.exe: error: : netsh resolves to executable in current directory (.\netsh.exe), try --help
PS C:\WINDOWS\system32>

C:\WINDOWS\system32>aws-vault --debug exec xx-xx-staging --prompt=osascript --server
2022/04/07 11:36:13 aws-vault v6.6.0
2022/04/07 11:36:13 Loading config file C:\Users\xx\.aws\config
2022/04/07 11:36:13 Parsing config file C:\Users\xx\.aws\config
2022/04/07 11:36:13 [keyring] Considering backends: [wincred]
2022/04/07 11:36:13 Profile 'default' missing in config file
2022/04/07 11:36:13 Profile 'default' missing in config file
2022/04/07 11:36:14 profile xx-login: using stored credentials
2022/04/07 11:36:14 profile xx-login: skipping GetSessionToken because profile 'xx-login' has no MFA serial defined
2022/04/07 11:36:14 profile xx-xx-staging: using AssumeRole (with MFA)
2022/04/07 11:36:14 Starting `aws-vault proxy`
aws-vault: error: exec: Failed to start credential server: The EC2 Instance Metadata endpoint proxy server isn't running. Run `aws-vault proxy` as Administrator or root in the background and then try this command again

C:\WINDOWS\system32>aws-vault: error: : netsh resolves to executable in current directory (.\netsh.exe), try --help

Both run as admin.

edit:
And if I use v6.3.1 it does seem to work indeed (but with a different error)

C:\Users\Matthijs>aws-vault --debug exec xx-xx-staging --prompt=osascript --server
2022/04/07 11:42:34 aws-vault v6.3.1
2022/04/07 11:42:34 Loading config file C:\Users\xx\.aws\config
2022/04/07 11:42:34 Parsing config file C:\Users\xx\.aws\config
2022/04/07 11:42:34 [keyring] Considering backends: [wincred]
2022/04/07 11:42:34 Profile 'default' missing in config file
2022/04/07 11:42:34 Profile 'default' missing in config file
2022/04/07 11:42:34 profile xx-login: using stored credentials
2022/04/07 11:42:34 profile xx-login: skipping GetSessionToken because profile 'xx-login' has no MFA serial defined
2022/04/07 11:42:34 profile xx-x-staging: using AssumeRole (with MFA)
2022/04/07 11:42:34 Re-using cached credentials ****************KCRC from sts.AssumeRole, expires in 7m49.5109978s
2022/04/07 11:42:34 Starting EC2 Instance Metadata server on 127.0.0.1:9099
2022/04/07 11:42:34 Setting subprocess env: AWS_DEFAULT_REGION=eu-central-1, AWS_REGION=eu-central-1
2022/04/07 11:42:34 Starting child process:
aws-vault: error: exec: exec: "": executable file not found in %PATH%

1oglop1 commented Jul 10, 2022

I can confirm the same problem with v6.6.0; however, I tried to compile aws-vault on my Windows machine and did not have a problem.
So I suspect it may be a release problem.
@mtibben

PS D:\Coding\Go_things\another\aws-vault> .\aws-vault.exe --debug exec --server --prompt=osascript myprofile -- powershell
2022/07/10 11:13:08 aws-vault dev
2022/07/10 11:13:08 Loading config file C:\Users\win10\.aws\config
2022/07/10 11:13:08 Parsing config file C:\Users\win10\.aws\config
2022/07/10 11:13:08 [keyring] Considering backends: [wincred]
2022/07/10 11:13:08 profile myprofile: using stored credentials
2022/07/10 11:13:08 profile myprofile: using GetSessionToken
2022/07/10 11:13:08 Re-using cached credentials ****************KVN2 from sts.GetSessionToken, expires in 49m23.8878738s
2022/07/10 11:13:08 Setting subprocess env: AWS_DEFAULT_REGION=eu-central-1, AWS_REGION=eu-central-1
2022/07/10 11:13:08 Starting child process: powershell
2022/07/10 11:13:08 Starting EC2 Instance Metadata server on 127.0.0.1:9099
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Contributor

secjosh commented Dec 10, 2022

@1oglop1 What version of golang did you use to build it locally on windows?

Golang 1.19 incorporated the security fix execabs was meant to address in the os.exec package
https://cs.opensource.google/go/go/+/release-branch.go1.19:src/os/exec/exec.go;l=33-45

This may have changed the behavior when the current-working-directory also happens to be in PATH environment variable (and not just included as a relative directory .)


I can think of 2 ways to fix it:

  • Since we are already using the go1.19 toolchain we can remove execabs
  • Update server/ec2alias_windows.go to use an absolute path for netsh
     // command := "C:\WINDOWS\system32\netsh.exe"
     // Build the absolute path from %SystemRoot% (needs "os" and "path/filepath").
     command := filepath.Join(
        os.Getenv("SystemRoot"),
        "system32",
        "netsh.exe")
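
Both options in the comment above turn on how os/exec resolves a bare command name, so here is an added example (not code from aws-vault or from any commenter) that detects a lookup landing in the current directory and, separately, resolves the binary from a fixed trusted directory. `ViaCurrentDir`, `ResolveTrusted` and `Demo` are hypothetical names, Go 1.19 or later is assumed, and a constructed temp directory stands in for `%SystemRoot%\System32` so the demo runs on a POSIX host.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// ViaCurrentDir reports whether the PATH search for name ends in the current directory.
func ViaCurrentDir(name string) bool {
	_, err := exec.LookPath(name)
	return errors.Is(err, exec.ErrDot) // Go 1.19+ wraps ErrDot for such results
}

// ResolveTrusted (hypothetical) skips PATH: absolute trusted dir + bare file name only.
func ResolveTrusted(trustedDir, name string) (string, error) {
	if !filepath.IsAbs(trustedDir) || name != filepath.Base(name) {
		return "", fmt.Errorf("need absolute dir and bare name, got %q, %q", trustedDir, name)
	}
	full := filepath.Join(trustedDir, name)
	if info, err := os.Stat(full); err != nil || info.IsDir() {
		return "", fmt.Errorf("%s is not a usable file: %v", full, err)
	}
	return full, nil
}

// Demo uses a constructed stand-in for System32 as working directory, with PATH=".".
func Demo() (viaDot bool, trusted string, err error) {
	dir, err := os.MkdirTemp("", "system32-standin")
	if err != nil {
		return
	}
	defer os.RemoveAll(dir)
	oldDir, _ := os.Getwd()
	oldPath := os.Getenv("PATH")
	defer func() { os.Chdir(oldDir); os.Setenv("PATH", oldPath) }()
	os.Setenv("PATH", ".")
	if err = os.WriteFile(filepath.Join(dir, "netsh.exe"), []byte("#!/bin/sh\n"), 0o755); err != nil {
		return
	}
	if err = os.Chdir(dir); err != nil {
		return
	}
	viaDot = ViaCurrentDir("netsh.exe")
	trusted, err = ResolveTrusted(dir, "netsh.exe")
	return
}

func main() { fmt.Println(Demo()) }
```

On Windows the trusted directory would be built from `os.Getenv("SystemRoot")` as in the snippet above; whether that variable can be trusted in the caller's environment is an assumption to check before relying on it.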

1oglop1 commented Dec 21, 2022

@secjosh Last time I tried the compilation it was go 1.18.3

Member

mtibben commented Dec 21, 2022

FYI I removed execabs in #1093 - does this solve the problem for you?

Author

jnyrup commented Dec 21, 2022

> FYI I removed execabs in #1093 - does this solve the problem for you?

I just tried out 6.6.1 and it solved the problem for me 🎉

mtibben closed this as completed Mar 1, 2023