[inputs.win_services] could not open service - Error for services with restricted privileges #13382
Comments
That code you linked to is Go code, not telegraf. I have previously asked upstream about the permissions here: golang/go#48777 and was told they would not make the change to allow other permissions. I did create a POC to allow using I'm inclined to close this as won't fix.
If ok, after it will be possible to change in plugin telegraf :
@powersj Why does it speak about api ?
You have changed the function parameter count and as such broken everyone currently using that function, hence compatibility-breaking.
Hello! I am closing this issue due to inactivity. I hope you were able to resolve your problem, if not please try posting this question in our Community Slack or Community Page. Thank you!
Hello
@tguenneguez sorry for the late reply. WE as in the sense of Telegraf developers are the wrong guys to discuss this with. This is an upstream issue in the Golang library as @powersj outlined. If you can convince the Go developers to e.g. add a second function e.g.

```go
func (m *Mgr) OpenServiceWithPermissions(name string, perm uint32) (*Service, error) {
	h, err := windows.OpenService(m.Handle, syscall.StringToUTF16Ptr(name), perm)
	if err != nil {
		return nil, err
	}
	return &Service{Name: name, Handle: h}, nil
}
```

we are happy to use that function!
@tguenneguez and @Soumyadeep9009 I've pushed PR #14073 as a workaround and tested listing the services in
Hello @srebhan
@iatalay thanks for testing!!!
Yes this works. We can now close this thread.
@Soumyadeep9009 please keep the issue open as it will be automatically closed as soon as the corresponding PR is merged. Until then it helps people to find the PR and thus getting a workaround until the PR is merged. :-)
Use Case
We are using the input win_services plugin to monitor key Windows services. Although we use Local System to configure telegraf services, it is not detecting the status of a few key OS services like Dnscache, RpcSs, gpsvc.
We have noticed in the code that it requires SERVICE_ALL_ACCESS for the required services to monitor the status, else it sends the following error:

```
2023-06-02T11:07:00Z D! [inputs.win_services] could not open service: "Dnscache": Access is denied.
2023-06-02T11:07:00Z D! [inputs.win_services] could not open service: "gpsvc": Access is denied.
2023-06-02T11:07:00Z D! [inputs.win_services] could not open service: "RpcSs": Access is denied.
```

In an enterprise organization it is likely that such services will have restricted permissions even for the local system account, therefore, I am wondering if SERVICE_ALL_ACCESS isn't overkill.
Referring to the below section in the code: https://cs.opensource.google/go/x/sys/+/refs/tags/v0.8.0:windows/svc/mgr/mgr.go
```go
// OpenService retrieves access to service name, so it can
// be interrogated and controlled.
func (m *Mgr) OpenService(name string) (*Service, error) {
	h, err := windows.OpenService(m.Handle, syscall.StringToUTF16Ptr(name), windows.SERVICE_ALL_ACCESS)
	if err != nil {
		return nil, err
	}
	return &Service{Name: name, Handle: h}, nil
}
```
Can this be modified/updated to make it work with the bare minimum privilege of SERVICE_QUERY_STATUS?
Expected behavior
Expected to populate the metrics for those services Dnscache, RpcSs, gpsvc
Actual behavior
```
2023-06-02T11:07:00Z D! [inputs.win_services] could not open service: "Dnscache": Access is denied.
2023-06-02T11:07:00Z D! [inputs.win_services] could not open service: "gpsvc": Access is denied.
2023-06-02T11:07:00Z D! [inputs.win_services] could not open service: "RpcSs": Access is denied.
```
Additional info
No response
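Why an open with SERVICE_ALL_ACCESS is refused where SERVICE_QUERY_STATUS would be granted, as an added Go example that is not code from this issue, Telegraf or golang.org/x/sys: Windows grants an open only when every requested right is allowed, so the sketch lists which bits of each request a restricted service would refuse. The right values are the Windows SDK constants; `hardenedGranted` is a constructed mask (not the real DACL of Dnscache, gpsvc or RpcSs) and `deniedRights` is a hypothetical helper.

```go
package main

import "fmt"

// Access-right values from the Windows SDK headers (winsvc.h, winnt.h).
const (
	ServiceQueryStatus uint32 = 0x0004
	ServiceAllAccess   uint32 = 0xF01FF // STANDARD_RIGHTS_REQUIRED plus every service right
)

// rights names each bit that makes up SERVICE_ALL_ACCESS.
var rights = []struct {
	bit  uint32
	name string
}{
	{0x0001, "SERVICE_QUERY_CONFIG"}, {0x0002, "SERVICE_CHANGE_CONFIG"},
	{0x0004, "SERVICE_QUERY_STATUS"}, {0x0008, "SERVICE_ENUMERATE_DEPENDENTS"},
	{0x0010, "SERVICE_START"}, {0x0020, "SERVICE_STOP"},
	{0x0040, "SERVICE_PAUSE_CONTINUE"}, {0x0080, "SERVICE_INTERROGATE"},
	{0x0100, "SERVICE_USER_DEFINED_CONTROL"}, {0x10000, "DELETE"},
	{0x20000, "READ_CONTROL"}, {0x40000, "WRITE_DAC"}, {0x80000, "WRITE_OWNER"},
}

// Constructed for illustration: what a restricted service might allow the
// caller (read-only rights). An assumption, not read from any real host.
const hardenedGranted uint32 = 0x0001 | 0x0004 | 0x0008 | 0x0080 | 0x20000

// deniedRights returns the requested rights that granted does not include.
// The open succeeds only when the result is empty.
func deniedRights(requested, granted uint32) []string {
	var denied []string
	for _, r := range rights {
		if requested&r.bit != 0 && granted&r.bit == 0 {
			denied = append(denied, r.name)
		}
	}
	return denied
}

func main() {
	requests := []struct {
		name string
		mask uint32
	}{{"SERVICE_ALL_ACCESS", ServiceAllAccess}, {"SERVICE_QUERY_STATUS", ServiceQueryStatus}}
	for _, req := range requests {
		if d := deniedRights(req.mask, hardenedGranted); len(d) > 0 {
			fmt.Printf("%s: Access is denied (not granted: %v)\n", req.name, d)
		} else {
			fmt.Printf("%s: opened\n", req.name)
		}
	}
}
```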