Forum: Mongrel Mongrel as Windows service with normal privileges

3e1037c7e7f97af097b196d3f092fb86?d=identicon&s=25 Ingmar Stieger (Guest)
on 2008-06-04 23:28
(Received via mailing list)
I am trying to run Mongrel 1.1.5 with mongrel_service 0.3.4 on Ruby
1.8.6 with a "normal" user account, i.e. a user which belongs only to
the Windows group "Users". The rationale behind this is that running a
web server with full administrative rights (e.g. Local System) is not
something that I would like to do.

Unfortunately, starting the service from the services control panel
results in the following error message: "The service did not respond to
the start or control request in a timely fashion" (the error comes up
very quickly, maybe 1 second max).

This happens only if the user the service is configured to run as does
not belong to the "Administrators" group, otherwise it works fine.

I have read a couple of threads about this subject, so this is what I
have already tried:

(With psexec -l cmd.exe:)
1. mongrel_rails start -e development -a 127.0.0.1 -p 3000
    ===> WORKS
2. mongrel_service console single -e development -a 127.0.0.1 -p 3000
    ===> WORKS

(Interactively logged in as the service user:)
3. mongrel_rails start -e development -a 127.0.0.1 -p 3000
    ===> WORKS
4. mongrel_service console single -e development -a 127.0.0.1 -p 3000
    ===> WORKS

5. Running the service with service user in Administrator group
    ===> WORKS

6. Running the service with service user only in Users (or Power Users)
group
    ===> DOES NOT WORK

I had to change a couple of NTFS security settings in order to get it
run with normal privileges. Now the only thing that still does not work
is #6.  Unfortunately, no log files are being generated, especially
ServiceFB.log is nowhere to be found. The server is Windows Server 2003
Standard, by the way.

Could anybody please enlighten me how I could further analyze this
problem ? I followed the advise here in the list as far as I could, but
now I am at a loss.

Thanks in advance,
Ingmar
E7cff3cfd41c495e1012227d7dc24202?d=identicon&s=25 Luis Lavena (luislavena)
on 2008-06-04 23:57
(Received via mailing list)
On Wed, Jun 4, 2008 at 1:37 PM, Ingmar Stieger <ml@stiegerhs.de> wrote:
>
>   ===> WORKS
> 6. Running the service with service user only in Users (or Power Users)
> group
>   ===> DOES NOT WORK
>
> I had to change a couple of NTFS security settings in order to get it run
> with normal privileges. Now the only thing that still does not work is #6.
>  Unfortunately, no log files are being generated, especially ServiceFB.log
> is nowhere to be found. The server is Windows Server 2003 Standard, by the
> way.
>

32bits or x64 editions?

In any case, serviceFB.log and mongrel.log and mongrel_service.log
should be stored into ruby/bin folder since was not possible by the
service point to the directory of the service.

I suggest you also try the psexec tool from Sysinternals and also
runas program (builtin in Windows) to get more detail information.

PATH reports from these environment will be help, also the security
bits from the ACLs too, since if it runs as administrator maybe there
is some file down there in your app (maybe log folder) that is not
allowed to be written in it.

> Could anybody please enlighten me how I could further analyze this problem ?
> I followed the advise here in the list as far as I could, but now I am at a
> loss.
>

It's hard to replicate all the environments, so please try go back to
0.3.3 which generates the servicefb.log file and see what it outputs.

In any case, mongrel.log should always be generated.

> Thanks in advance,
> Ingmar

HTH and please post your results so we can help you out.

Regards,
--
Luis Lavena
AREA 17
-
Human beings, who are almost unique in having the ability to learn from
the experience of others, are also remarkable for their apparent
disinclination to do so.
Douglas Adams
3e1037c7e7f97af097b196d3f092fb86?d=identicon&s=25 Ingmar Stieger (Guest)
on 2008-06-05 10:12
(Received via mailing list)
Luis Lavena wrote:
> 32bits or x64 editions?
>
Windows 2003 32bit.
> In any case, serviceFB.log and mongrel.log and mongrel_service.log
> should be stored into ruby/bin folder since was not possible by the
> service point to the directory of the service.
>
Thanks for the hint of using mongrel_service 0.3.3. I get these log
files now:

servicefb.log:

_initialize() constructor
_initialize() constructor done
ServiceProcess(new_name)
ServiceProcess(new_name) done
ServiceHost()
ServiceHost() done
ServiceHost.Add()
_add_to_references()
_add_to_references() done
ServiceHost.Add() done
ServiceController.RunMode()
CurrentPID: 5108
ParentPID: 512
Error with OpenProcess
GetLastError: 0The operation completed successfully.
Parent Name:
ServiceController.RunMode() done
ServiceHost() destructor
ServiceHost() destructor done
ServiceProcess() destructor
ServiceProcess() destructor done
_terminate() destructor
_terminate() destructor done

mongrel_service.log:

# Logfile created on 05.06.2008 09:51:06

native/mongrel_service.bas:44,
mongrel_service.singlemongrel.constructor:
  redirecting to: c:\ruby\bin\mongrel.log

Not very helpful - OpenProcess fails with no apparent error.
> I suggest you also try the psexec tool from Sysinternals and also
> runas program (builtin in Windows) to get more detail information.
>
Could you please explain what you want me to do ? I think I  have ran
everything I can using psexec and as the actual service user (explained
in my initial post). If there is something else, I will happily run it
:). On the other hand, since it works using these two methods, no error
message will appear. Only the service itself can not be started.
> PATH reports from these environment will be help, also the security
> bits from the ACLs too, since if it runs as administrator maybe there
> is some file down there in your app (maybe log folder) that is not
> allowed to be written in it.
>
The app is a newly generated rails skeleton, and the user has "Full
Control" on the directory and on the Ruby directory. I am not sure how I
can get to the PATH variable when starting the service - any idea ?

Thanks,
Ingmar
3e1037c7e7f97af097b196d3f092fb86?d=identicon&s=25 Ingmar Stieger (Guest)
on 2008-06-05 11:24
(Received via mailing list)
I digged a bit through the source code, and I am under the impression
that a normal user may not query the service control manager with
PROCESS_QUERY_INFORMATION. Could this be the case ?

_process_name does not return the name and _process_name_dyn_psapi fails
as well. (tested with 0.3.1 and 0.3.3). It looks like OpenProcess can
not be used in this manner...

In a totally unrelated project [1] I solved what I think you are trying
to do here differently:
I just pass the parameter "-runservice" from SCM in order to determine
if the application should run as service (called from SCM) or as a
normal console application. Maybe this would be an easier approach for
mongrel_service as well ?

I would create a proof of concept, but unfortunately, I am not
proficient with FreeBasic...

Bye,
Ingmar

[1] http://www.nwnx.org
E7cff3cfd41c495e1012227d7dc24202?d=identicon&s=25 Luis Lavena (luislavena)
on 2008-06-05 12:11
(Received via mailing list)
On Thu, Jun 5, 2008 at 10:11 AM, Ingmar Stieger <ml@stiegerhs.de> wrote:
>>
> ServiceHost()
> Parent Name:
> # Logfile created on 05.06.2008 09:51:06
>
> native/mongrel_service.bas:44, mongrel_service.singlemongrel.constructor:
>  redirecting to: c:\ruby\bin\mongrel.log
>
> Not very helpful - OpenProcess fails with no apparent error.
>>

Because it couldn't get parent process name.

>> I suggest you also try the psexec tool from Sysinternals and also
>> runas program (builtin in Windows) to get more detail information.
>>
>
> Could you please explain what you want me to do ? I think I  have ran
> everything I can using psexec and as the actual service user (explained in
> my initial post). If there is something else, I will happily run it :). On
> the other hand, since it works using these two methods, no error message
> will appear. Only the service itself can not be started.

On this ticket:

http://rubyforge.org/tracker/?func=detail&atid=514...

You can use PsExec tool [1] to simulate another user and remove
administrative privileges for testing:

You can search the mailing list and other tickets that explain how to
perform it (was discussed several times).

Can you provide the 'sc queryex' and 'sc qc' for your service and
pastie it here?


[1] http://technet.microsoft.com/en-us/sysinternals/bb...

--
Luis Lavena
AREA 17
-
Human beings, who are almost unique in having the ability to learn from
the experience of others, are also remarkable for their apparent
disinclination to do so.
Douglas Adams
E7cff3cfd41c495e1012227d7dc24202?d=identicon&s=25 Luis Lavena (luislavena)
on 2008-06-05 12:15
(Received via mailing list)
On Thu, Jun 5, 2008 at 11:23 AM, Ingmar Stieger <ml@stiegerhs.de> wrote:
> I digged a bit through the source code, and I am under the impression that a
> normal user may not query the service control manager with
> PROCESS_QUERY_INFORMATION. Could this be the case ?
>

Look at the source code for 0.3.4 you will find that a process can be
opened for readonly functions and perform PROCESS_QUERY_INFORMATION
without problems.

That worked on 32 and 64 bits versions of many Windows Servers and XP,
so shoudl work in your scenario too, unless that specific user lack
the permission to "run and control services" which you will need to
check with your sysadmin for that configuration.

>
Basically mongrel_service inherited code from other project named
ServiceFB, which is a framework we created for other purposes at the
office.

It worked without issues on lot of scenarios, and it automatically
determine the running environment so you avoid the requirement to
"analyze" the command line.

> I would create a proof of concept, but unfortunately, I am not proficient
> with FreeBasic...
>

Actually, it's basic, there are not too many keywords to worry about
(ruby has more) and it's like C, I mean, you don't need to hack a lot
of stuff to go low level :-)

> Bye,
> Ingmar

HTH,
--
Luis Lavena
AREA 17
-
Human beings, who are almost unique in having the ability to learn from
the experience of others, are also remarkable for their apparent
disinclination to do so.
Douglas Adams
3e1037c7e7f97af097b196d3f092fb86?d=identicon&s=25 Ingmar Stieger (Guest)
on 2008-06-05 14:05
(Received via mailing list)
Luis Lavena wrote:

> On this ticket:
>
> http://rubyforge.org/tracker/?func=detail&atid=514...
>
> You can use PsExec tool [1] to simulate another user and remove
> administrative privileges for testing:
>

Yes, it works with psexec. And it works running as the service user. If
you have a look at my initial post, you can see the command line options
I used for testing (nothing special here).

> You can search the mailing list and other tickets that explain how to
> perform it (was discussed several times).
>
> Can you provide the 'sc queryex' and 'sc qc' for your service and
> pastie it here?
>

C:\>sc queryex rails3

SERVICE_NAME: rails3
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE, NOT_PAUSABLE,
IGNORES_SHUTDOWN))

        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :

C:\>sc qc rails3
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: rails3
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "c:/ruby/bin/mongrel_service.exe" single -e
develop
ment -p 3000 -a 127.0.0.1 -l "log/mongrel.log" -P "log/mongrel.pid" -c
"C:/rails
/x" -t 0 -r "public" -n 1024
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : rails3
        DEPENDENCIES       :
        SERVICE_START_NAME : .\web

C:\>

I've just tested this on another, totally different machine: Windows XP
Home Edition, German, Rails 2.1.0, restricted user account: No go.
Parent Name: <unknown>.

Thanks for your efforts,
Ingmar
E7cff3cfd41c495e1012227d7dc24202?d=identicon&s=25 Luis Lavena (luislavena)
on 2008-06-05 14:25
(Received via mailing list)
Attachment: proc_info_3.7z (10 KB)
On Thu, Jun 5, 2008 at 2:04 PM, Ingmar Stieger <ml@stiegerhs.de> wrote:
>
> Yes, it works with psexec. And it works running as the service user. If you
> have a look at my initial post, you can see the command line options I used
> for testing (nothing special here).
>

The thing is that looking at the initial post:

6. Running the service with service user only in Users (or Power Users)
group
  ===> DOES NOT WORK

This make me think that running as user is not working, but the thing
is is not actually working under LocalSystem account, I'm correct?

can you provide me the cacls output form C:\rails\x folder?

>       TYPE               : 10  WIN32_OWN_PROCESS
>
> "C:/rails
> /x" -t 0 -r "public" -n 1024
>       LOAD_ORDER_GROUP   :
>       TAG                : 0
>       DISPLAY_NAME       : rails3
>       DEPENDENCIES       :
>       SERVICE_START_NAME : .\web
>

SERVICE_START_NAME looks like web is the username used?

> C:\>
>
> I've just tested this on another, totally different machine: Windows XP Home
> Edition, German, Rails 2.1.0, restricted user account: No go. Parent Name:
> <unknown>.
>

I made a test application when this was shown the first time, can you
please try with it and provide me the output.

Thanks,

--
Luis Lavena
AREA 17
-
Human beings, who are almost unique in having the ability to learn from
the experience of others, are also remarkable for their apparent
disinclination to do so.
Douglas Adams
3e1037c7e7f97af097b196d3f092fb86?d=identicon&s=25 Ingmar Stieger (Guest)
on 2008-06-05 15:01
(Received via mailing list)
>
> The thing is that looking at the initial post:
>
> 6. Running the service with service user only in Users (or Power Users) group
>   ===> DOES NOT WORK
>
> This make me think that running as user is not working, but the thing
> is is not actually working under LocalSystem account, I'm correct?
>

Sorry if that was not clear. It does work as service under LocalSystem
but it does not work as service under user "web".

>> "C:/rails
>> /x" -t 0 -r "public" -n 1024
>>       LOAD_ORDER_GROUP   :
>>       TAG                : 0
>>       DISPLAY_NAME       : rails3
>>       DEPENDENCIES       :
>>       SERVICE_START_NAME : .\web
>
> SERVICE_START_NAME looks like web is the username used?
>

Yes, "web" is the restricted user.

> I made a test application when this was shown the first time, can you
> please try with it and provide me the output.
>
I've added a small INPUT "Press Enter.", s line at the end. This is the
output:

runas /user:web proc_info.exe

*** CURRENT PROCESS ***
EnumProcessModules (PID, name): 3904      proc_info.exe
Module32First (PID, name): 3904           proc_info.exe
GetProcessImageFileName (PID, name): 3904
\Device\HarddiskVolume5\Temp\proc_info
.exe

*** PARENT PROCESS ***
EnumProcessModules (PID, name): 244       Error with OpenProcess
GetLastError: 5Zugriff verweigert
<unknown>
Module32First (PID, name): 244            Error Creating Snap
(SNAPMODULE)
GetLastError: 5Zugriff verweigert
<unknown>
GetProcessImageFileName (PID, name): 244  Error with OpenProcess
GetLastError: 5Zugriff verweigert
<unknown>
Press Enter.

Zugriff verweigert = Access denied.

I think this confirms my suspicion that the normal user "web" may not
query the parent process. What do you think ?

Bye,
Ingmar
25ea53423e3b0d252d29e02e6f16c24b?d=identicon&s=25 Luis Lavena (Guest)
on 2008-06-05 15:47
(Received via mailing list)
On Thu, Jun 5, 2008 at 3:00 PM, Ingmar Stieger <ml@stiegerhs.de> wrote:
>
> Press Enter.
>

Hmn, looks like user web user is too limited to do anything.

> Zugriff verweigert = Access denied.
>
> I think this confirms my suspicion that the normal user "web" may not query
> the parent process. What do you think ?
>

How normal is normal? I mean, it can log in? it has applied some group
policy stuff in it?

Just for the sake of testing, can you create a "limited" account using
the control panel and try running proc_info.exe with it?

With that info maybe I can figure out what's wrong.

Thanks for your time,
--
Luis Lavena
AREA 17
-
Human beings, who are almost unique in having the ability to learn from
the experience of others, are also remarkable for their apparent
disinclination to do so.
Douglas Adams
3e1037c7e7f97af097b196d3f092fb86?d=identicon&s=25 Ingmar Stieger (Guest)
on 2008-06-05 16:19
(Received via mailing list)
Luis Lavena wrote:

> Hmn, looks like user web user is too limited to do anything.

Interesting: The result of proc_info.exe is different when I log in
interactively with the "web" user:

*** CURRENT PROCESS ***
EnumProcessModules (PID, name): 228       proc_info.exe
Module32First (PID, name): 228            proc_info.exe
GetProcessImageFileName (PID, name): 228
\Device\HarddiskVolume5\Temp\proc_info
.exe

*** PARENT PROCESS ***
EnumProcessModules (PID, name): 3312      cmd.exe
Module32First (PID, name): 3312           cmd.exe
GetProcessImageFileName (PID, name): 3312
\Device\HarddiskVolume1\WINDOWS\system
32\cmd.exe
Press Enter.

The previous attempt with "runas" had PID 244 as parent process id,
which at that time was "svchost.exe". The full process hierarchy looked
like this (gathered with Process Explorer):

System - smss.exe - winlogon.exe - services.exe - svchost.exe -
proc_info.exe

It seems not to be only the user, but also the way the executeable is
started. The "web" user may query its parent process if it is cmd.exe,
but not if the parent is svchost.exe. I do not know how svchost starts
its child processes, but apparently with less rights than the command
shell does...

> How normal is normal? I mean, it can log in? it has applied some group
> policy stuff in it?
>
> Just for the sake of testing, can you create a "limited" account using
> the control panel and try running proc_info.exe with it?
>
> With that info maybe I can figure out what's wrong.
>
> Thanks for your time,
>

The "normal" user may run the whole rails stack as service without
problems. I hacked ServiceFB_Utils.bas to ignore the result of
parent_name, and now it works as expected (btw, you are right, FreeBasic
isnt' that hard :)) with limited rights. The test was run on the
isolated XP home machine, so no group policies are in effect.

Hope this helps,
Ingmar
E7cff3cfd41c495e1012227d7dc24202?d=identicon&s=25 Luis Lavena (luislavena)
on 2008-06-24 11:23
(Received via mailing list)
On Thu, Jun 5, 2008 at 4:19 PM, Ingmar Stieger <ml@stiegerhs.de> wrote:
>
> The "normal" user may run the whole rails stack as service without problems.
> I hacked ServiceFB_Utils.bas to ignore the result of parent_name, and now it
> works as expected (btw, you are right, FreeBasic isnt' that hard :)) with
> limited rights. The test was run on the isolated XP home machine, so no
> group policies are in effect.
>

So, at the end, the ServiceHost automatic stuff didn't do the trick,
which is a pain. I wrote that code to be more intelligent, but I think
Windows beat me, again :-P

Can you provide me your patch for ServiceFB library in google code?:

http://code.google.com/p/mmediasys-labs/

Just create a new issue and attach / paste your patch, I'll really
appreciate get rid of this thing that, at the end, didn't provide
anything but just bring pain to us (sniff) :-P

> Hope this helps,
> Ingmar
>

It really does!

Sorry for my late answer to this, been a bit hectic lately, but I'll
really appreciate your code changes.

--
Luis Lavena
AREA 17
-
Human beings, who are almost unique in having the ability to learn from
the experience of others, are also remarkable for their apparent
disinclination to do so.
Douglas Adams
3e1037c7e7f97af097b196d3f092fb86?d=identicon&s=25 Ingmar Stieger (Guest)
on 2008-09-02 23:28
(Received via mailing list)
On Jun 24, 2008 at 11:22 PM, Luis Lavena wrote:

> So, at the end, the ServiceHost automatic stuff didn't do the trick,
> which is a pain. I wrote that code to be more intelligent, but I think
> Windows beat me, again :-P
>
> Can you provide me your patch for ServiceFB library in google code?:
>
> http://code.google.com/p/mmediasys-labs/

Sorry, I almost forgot about this.

I do not have a patch, really. I simpy commented out the call to
_process_name_dyn_psapi and always set RunAsService (instead of
RunAsUnknown):

     '# RunMode() provide a simple way to get (*you*) from where this
process
was started
     '# and do the corresponding action.
     function ServiceController.RunMode() as ServiceRunMode
         dim result as ServiceRunMode
         dim currPID as DWORD
         dim parent_pid as uinteger
         dim parent_name as string
         dim start_mode as string

         _dprint("ServiceController.RunMode()")

         '# get this process PID
         currPID = GetCurrentProcessId()
         _dprint("CurrentPID: " + str(currPID))

         '# get the parent PID
         parent_pid = _parent_pid(currPID)
         _dprint("ParentPID: " + str(parent_pid))

         '# now the the name
         parent_name = _process_name(parent_pid)
         '##if (parent_name = "<unknown>") then
         '##  parent_name = _process_name_dyn_psapi(parent_pid)
         '##end if
         _dprint("Parent Name: " + parent_name)

         '# this process started as service?
         '# that means his parent is services.exe
         if (parent_name = "services.exe") then
             result = RunAsService
         else
             '# ok, it didn't start as service, analyze command line
then
             start_mode = lcase(trim(command(1)))
             if (start_mode = "manage") then
                 '# start ServiceController.Manage()
                 result = RunAsManager
             elseif (start_mode = "console") then
                 '# start ServiceController.Console()
                 result = RunAsConsole
             else
                 '# ok, the first paramenter in the commandline didn't
work,
                 '# report back so we could send the banner!
                 '## (ing) Run service anyway:
                 '## result = RunAsUnknown
                 result = RunAsService
             end if
         end if

         _dprint("ServiceController.RunMode() done")
         return result
     end function

> Just create a new issue and attach / paste your patch, I'll really
> appreciate get rid of this thing that, at the end, didn't provide
> anything but just bring pain to us (sniff) :-P

I do not know if this solves more problems than it opens up. Calling
mongrel_service.exe with no command line parameters just does nothing
with the
version I posted above - which is ok for me and works fine. I am not
sure if
this is an acceptable solution for everybody else, though ...

Bye,
Ingmar
This topic is locked and can not be replied to.