FAQ
Hello,

I'm controlling 180 windows machines for an art project. I am using
puppet to configure the machines, push out an app as a zip, unzip it,
change permissions, then launch it. Everything works perfectly,
except the app is being launched in a hidden desktop due to windows
security.

From what I'm told since puppet runs as a service it is not allowed to
launch an app on the logged in desktop. I confirmed that when running
the puppet agent manually the app launches correctly.

My question is, does anyone have any experience launching an .exe from
puppet in windows in the current logged in desktop?

thanks,
Lucas

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Search Discussions

  • Josh Cooper at Oct 26, 2012 at 7:44 pm
    Hi Lucas,
    On Fri, Oct 26, 2012 at 8:10 AM, Lucas Vickers wrote:
    Hello,

    I'm controlling 180 windows machines for an art project. I am using
    puppet to configure the machines, push out an app as a zip, unzip it,
    change permissions, then launch it.
    If you do not need LocalSystem permissions, then you could simply
    configure the puppet service to run as an unprivileged (domain or
    local) user:

    sc config puppet obj= <username> password= <password>

    and allow the service to interact with the desktop:

    sc config puppet type= interact
    Everything works perfectly,
    except the app is being launched in a hidden desktop due to windows
    security.
    This page describes some of the issues.
    http://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx

    "If the service opens a command window and runs a batch file, the user
    could hit CTRL+C to terminate the batch file and gain access to a
    command window with LocalSystem permissions." So privilege escalation.
    From what I'm told since puppet runs as a service it is not allowed to
    launch an app on the logged in desktop. I confirmed that when running
    the puppet agent manually the app launches correctly.
    It is possible to allow services running under LocalSystem to interact
    with the desktop in older versions of Windows. If you don't care about
    the security implications, you could investigate that, though I
    wouldn't recommend it.

    Alternatively, you could do something like this:
    http://chabster.blogspot.com/2008/01/run-as-interactive-user-from-service.html.
    Compile it and distribute it with your module.

    Josh

    --
    Josh Cooper
    Developer, Puppet Labs

    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
  • Lucas Vickers at Oct 30, 2012 at 5:42 pm
    just FYI I was able to launch the app into the active desktop using the tool
    http://developex.com/custom-software/devxexec.html
    which is probably just an implementation of the article you posted.
    The only caveat is that I still had to run the service under the logged in
    user,
    which so far is showing no negative side effects.

    thanks for the info
    On Friday, October 26, 2012 2:40:20 PM UTC-4, Josh Cooper wrote:

    Hi Lucas,
    On Fri, Oct 26, 2012 at 8:10 AM, Lucas Vickers wrote:
    Hello,

    I'm controlling 180 windows machines for an art project. I am using
    puppet to configure the machines, push out an app as a zip, unzip it,
    change permissions, then launch it.
    If you do not need LocalSystem permissions, then you could simply
    configure the puppet service to run as an unprivileged (domain or
    local) user:

    sc config puppet obj= <username> password= <password>

    and allow the service to interact with the desktop:

    sc config puppet type= interact
    Everything works perfectly,
    except the app is being launched in a hidden desktop due to windows
    security.
    This page describes some of the issues.

    http://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx

    "If the service opens a command window and runs a batch file, the user
    could hit CTRL+C to terminate the batch file and gain access to a
    command window with LocalSystem permissions." So privilege escalation.
    From what I'm told since puppet runs as a service it is not allowed to
    launch an app on the logged in desktop. I confirmed that when running
    the puppet agent manually the app launches correctly.
    It is possible to allow services running under LocalSystem to interact
    with the desktop in older versions of Windows. If you don't care about
    the security implications, you could investigate that, though I
    wouldn't recommend it.

    Alternatively, you could do something like this:

    http://chabster.blogspot.com/2008/01/run-as-interactive-user-from-service.html.

    Compile it and distribute it with your module.

    Josh

    --
    Josh Cooper
    Developer, Puppet Labs
    --
    You received this message because you are subscribed to the Google Groups "Puppet Users" group.
    To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/zTUvy2vrKKkJ.
    To post to this group, send email to puppet-users@googlegroups.com.
    To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
    For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
grouppuppet-users @
categoriespuppet
postedOct 26, '12 at 3:10p
activeOct 30, '12 at 5:42p
posts3
users2
websitepuppetlabs.com

2 users in discussion

Lucas Vickers: 2 posts Josh Cooper: 1 post

People

Translate

site design / logo © 2022 Grokbase