How to run an Elastic Agent on Windows with Elevated Privileges


Platform notice: Data Center - This article applies to Atlassian products on the Data Center platform.

This knowledge base article is written for the Data Center version of the product. Data Center knowledge base articles for features that are not Data Center-specific may also work on the Server version of the product, but this has not been tested. Support for Server* products ended on February 15, 2024. If you are using a Server product, please review your migration options on Atlassian's Server end-of-support announcement page.

*Except Fisheye and Crucible

The instructions in this KB article are provided "as-is" and on a best-effort basis. Atlassian can't be held accountable for any misuse of the instructions on this page. It is up to each customer to decide on the security best practices to apply. We advise customers to reach out to their Security team before applying any of the instructions outlined in this article.

Summary

This article explains how to run a Bamboo Elastic Agent instance on Windows with Elevated Privileges.

Environment

  • Bamboo Data Center
  • Elastic Agents running on Windows
  • Elevated privileges / Administrator access

Diagnosis

When attempting to run builds that contain commands requiring elevated privileges, such as Windows' sc.exe, the Job fails with a permission denied error.

Cause

The Bamboo Elastic Agents Windows stock images come with security configurations that adhere to best practices, including User Account Control (UAC) and least-privilege policies. By default, the local "Bamboo" account, which the Elastic Agent uses to perform tasks, is set with standard user permissions and does not have elevated privileges. This security measure is intended to minimize the risk of unintended changes to the system and ensure a secure operating environment.

However, certain operations, such as executing administrative commands like "sc.exe" to manage Windows services, require elevated privileges that are not granted to the default "Bamboo" account. To enable the Elastic Agent to perform these tasks, it is necessary to modify the configuration of the Elastic Agent image. Specifically, UAC must be disabled and the "Bamboo" account needs to be added to the "Administrators" group, granting it the necessary permissions to run commands and perform actions that require administrative access.

Solution

This solution is tested on Bamboo Windows Stock images. Customers are also free to create a custom Elastic image (not supported).

Create a new Elastic Image Configuration

Disabling UAC and adding the "Bamboo" user account to Windows' Administrators group is necessary. Follow the instructions below to add an Instance Startup Script that does both.

The Instance Startup Script instructions will require an additional restart of the EC2 instance. This may slightly impact the instance startup times.

  1. Go to Bamboo Administration > Image Configurations
  2. Fill in the "Elastic image configuration details" form with your regular Image details and submit; if you already have an Image configuration you want to use, you can skip this step
  3. Edit the new Image configuration by locating it and clicking on Edit
  4. Under Instance startup script add the following content:

    Instance Startup Script
    @echo off
    REM Grant the "bamboo" account local administrator rights first, so the
    REM membership change is applied before any restart is triggered below.
    REM -ErrorAction SilentlyContinue keeps a re-run (already a member) from failing.
    powershell.exe -NoProfile -Command ^
        "Add-LocalGroupMember -Group 'Administrators' -Member 'bamboo' -ErrorAction SilentlyContinue"

    REM Check UAC status (EnableLUA) using PowerShell
    for /f "tokens=*" %%i in ('powershell.exe -command "Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableLUA' | Select-Object -ExpandProperty EnableLUA"') do (
        set UACStatus=%%i
    )
    REM Check if UAC is enabled (1) or disabled (0). REM is used instead of ::
    REM inside the ( ... ) blocks because cmd.exe treats :: as a label there.
    if "%UACStatus%"=="1" (
        echo UAC is enabled. Disabling UAC...
        REM Disable UAC using PowerShell
        powershell.exe -command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableLUA' -Value 0"
        REM Restart the machine so the new UAC setting takes effect
        echo Restarting the machine...
        shutdown /r /t 0
    ) else (
        echo UAC is already disabled. No action needed.
    )
  5. Save the Image configuration

Associate your Jobs, Plans and Projects with the new Image Configuration

Please create a separate Elastic Image configuration for that purpose and dedicate it to specific jobs that require elevated privileges. This mitigates the possibility of the image being used generally by ordinary builds that don't require such privileges.

  1. Go to Bamboo Administration > Image Configurations
  2. Locate your image configuration and click on its name
  3. Click on Dedicate image
  4. Follow the menus to dedicate the image configuration only to your pipeline components (Job, Plan or Project) which have a hard requirement on elevated privileges
  5. Save the settings

Testing the solution

Here's a sample Script Task in a Job that can be used to test whether the configuration is successful:

sc query spooler
sc stop spooler

sleep 3
sc query spooler
sc start spooler

sleep 3
sc query spooler

You should expect the following logs after execution:

build	22-Nov-2024 00:37:36	C:\build\BAM-WIN-JOB1>sc query spooler 
build	22-Nov-2024 00:37:36	
build	22-Nov-2024 00:37:36	SERVICE_NAME: spooler 
build	22-Nov-2024 00:37:36	        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
build	22-Nov-2024 00:37:36	        STATE              : 4  RUNNING 
build	22-Nov-2024 00:37:36	                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
build	22-Nov-2024 00:37:36	        WIN32_EXIT_CODE    : 0  (0x0)
build	22-Nov-2024 00:37:36	        SERVICE_EXIT_CODE  : 0  (0x0)
build	22-Nov-2024 00:37:36	        CHECKPOINT         : 0x0
build	22-Nov-2024 00:37:36	        WAIT_HINT          : 0x0
build	22-Nov-2024 00:37:36	
build	22-Nov-2024 00:37:36	C:\build\BAM-WIN-JOB1>sc stop spooler 
build	22-Nov-2024 00:37:36	
build	22-Nov-2024 00:37:36	SERVICE_NAME: spooler 
build	22-Nov-2024 00:37:36	        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
build	22-Nov-2024 00:37:36	        STATE              : 3  STOP_PENDING 
build	22-Nov-2024 00:37:36	                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
build	22-Nov-2024 00:37:36	        WIN32_EXIT_CODE    : 0  (0x0)
build	22-Nov-2024 00:37:36	        SERVICE_EXIT_CODE  : 0  (0x0)
build	22-Nov-2024 00:37:36	        CHECKPOINT         : 0x3
build	22-Nov-2024 00:37:36	        WAIT_HINT          : 0x4e20
build	22-Nov-2024 00:37:36	
build	22-Nov-2024 00:37:36	C:\build\BAM-WIN-JOB1>sleep 3 
build	22-Nov-2024 00:37:39	
build	22-Nov-2024 00:37:39	C:\build\BAM-WIN-JOB1>sc query spooler 
build	22-Nov-2024 00:37:39	
build	22-Nov-2024 00:37:39	SERVICE_NAME: spooler 
build	22-Nov-2024 00:37:39	        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
build	22-Nov-2024 00:37:39	        STATE              : 1  STOPPED 
build	22-Nov-2024 00:37:39	        WIN32_EXIT_CODE    : 0  (0x0)
build	22-Nov-2024 00:37:39	        SERVICE_EXIT_CODE  : 0  (0x0)
build	22-Nov-2024 00:37:39	        CHECKPOINT         : 0x0
build	22-Nov-2024 00:37:39	        WAIT_HINT          : 0x0
build	22-Nov-2024 00:37:39	
build	22-Nov-2024 00:37:39	C:\build\BAM-WIN-JOB1>sc start spooler 
build	22-Nov-2024 00:37:39	
build	22-Nov-2024 00:37:39	SERVICE_NAME: spooler 
build	22-Nov-2024 00:37:39	        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
build	22-Nov-2024 00:37:39	        STATE              : 2  START_PENDING 
build	22-Nov-2024 00:37:39	                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
build	22-Nov-2024 00:37:39	        WIN32_EXIT_CODE    : 0  (0x0)
build	22-Nov-2024 00:37:39	        SERVICE_EXIT_CODE  : 0  (0x0)
build	22-Nov-2024 00:37:39	        CHECKPOINT         : 0x0
build	22-Nov-2024 00:37:39	        WAIT_HINT          : 0x7d0
build	22-Nov-2024 00:37:39	        PID                : 2872
build	22-Nov-2024 00:37:39	        FLAGS              : 
build	22-Nov-2024 00:37:39	
build	22-Nov-2024 00:37:39	C:\build\BAM-WIN-JOB1>sleep 3 
build	22-Nov-2024 00:37:42	
build	22-Nov-2024 00:37:42	C:\build\BAM-WIN-JOB1>sc query spooler 
build	22-Nov-2024 00:37:42	
build	22-Nov-2024 00:37:42	SERVICE_NAME: spooler 
build	22-Nov-2024 00:37:42	        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
build	22-Nov-2024 00:37:42	        STATE              : 4  RUNNING 
build	22-Nov-2024 00:37:42	                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
build	22-Nov-2024 00:37:42	        WIN32_EXIT_CODE    : 0  (0x0)
build	22-Nov-2024 00:37:42	        SERVICE_EXIT_CODE  : 0  (0x0)
build	22-Nov-2024 00:37:42	        CHECKPOINT         : 0x0
build	22-Nov-2024 00:37:42	        WAIT_HINT          : 0x0
simple	22-Nov-2024 00:37:42	Finished task 'Stop Spooler' with result: Success
simple	22-Nov-2024 00:37:42	Running post build plugin 'Docker Container Cleanup'
simple	22-Nov-2024 00:37:42	Running post build plugin 'NCover Results Collector'
simple	22-Nov-2024 00:37:42	Running post build plugin 'Build Results Label Collector'
simple	22-Nov-2024 00:37:42	Running post build plugin 'Clover Results Collector'
simple	22-Nov-2024 00:37:42	Running post build plugin 'npm Cache Cleanup'
simple	22-Nov-2024 00:37:42	Running post build plugin 'Artifact Copier'
simple	22-Nov-2024 00:37:42	Finalising the build...
simple	22-Nov-2024 00:37:42	Stopping timer.
simple	22-Nov-2024 00:37:42	Build BAM-WIN-JOB1-22 completed.
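As a complement to the sc.exe test above, the following PowerShell Script Task is an added example (not part of the original article) that verifies the three things the Instance Startup Script is supposed to produce on the dedicated image: EnableLUA set to 0, "bamboo" in the local Administrators group, and an actually elevated token for the build process. It fails the Job with a clear message before any sc.exe call runs; it assumes the build runs as the local "bamboo" account, as on the stock images.

```powershell
# Added example: elevation pre-check for a Bamboo Script Task (PowerShell interpreter).
# Assumption: the job runs as the local "bamboo" account on a Windows stock image.
$ErrorActionPreference = 'Stop'

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$problems  = @()

# 1. UAC state as written by the startup script (0 = disabled).
$enableLua = (Get-ItemProperty -Path $policyKey -Name 'EnableLUA').EnableLUA
if ($enableLua -ne 0) {
    $problems += "EnableLUA is $enableLua; UAC is still enabled (startup script restart pending?)"
}

# 2. Group membership as configured by Add-LocalGroupMember.
#    Names come back as COMPUTERNAME\bamboo, so match on the trailing '\bamboo'.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if (-not ($admins -match '\\bamboo$')) {
    $problems += "'bamboo' is not a member of Administrators (members: $($admins -join ', '))"
}

# 3. What the current process token actually carries. Membership alone is not
#    enough while UAC is on: the job would then run with a filtered, non-elevated token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $problems += "Current token for $($identity.Name) is not elevated"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Host "PRECHECK FAILED: $_" }
    exit 1   # non-zero exit fails the Script Task and therefore the Job
}
Write-Host "Elevation pre-check passed for $($identity.Name); sc.exe commands can proceed"
```

Running this as the first task in the dedicated Job turns a vague "permission denied" later in the build into a precise statement of which of the three conditions the image is missing.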

Last updated: 22 November 2024
