Launching Elevated Process During OnStart

  • Question

  • We're trying to move some functionality that we previously had in a start up task to the OnStart event in WebRole.cs:

        elasticSearchProcess = new Process();
        var startInfo = elasticSearchProcess.StartInfo;

        // request elevation via the "runas" verb
        startInfo.Verb = "runas";
        startInfo.UseShellExecute = false;
        startInfo.CreateNoWindow = false;
        startInfo.FileName = @"Startup.cmd";
        startInfo.WorkingDirectory = Environment.CurrentDirectory;
        // pass the path as-is; string.Format(dataPath) would throw if the path contained braces
        startInfo.Arguments = dataPath;

        // capture output to Azure log files
        startInfo.RedirectStandardError = true;
        startInfo.RedirectStandardOutput = true;
        elasticSearchProcess.ErrorDataReceived += (sender, evt) => Trace.WriteLine(evt.Data);
        elasticSearchProcess.OutputDataReceived += (sender, evt) => Trace.WriteLine(evt.Data);

        // start ES
        elasticSearchProcess.Start();
        elasticSearchProcess.BeginErrorReadLine();
        elasticSearchProcess.BeginOutputReadLine();

    Unfortunately, the execution of Startup.cmd fails as it relies on administrative privileges, which aren't available even though the 'runas' verb is specified.


    Any help would be appreciated.  

    Friday, November 25, 2011 8:15 PM

Answers

All replies

  • You can specify the below setting in csdef for each role to let the role process run with elevated privileges:

    <Runtime executionContext="[limited|elevated]">

    Saturday, November 26, 2011 1:12 AM
  • Thanks but even with this change applied Startup.cmd above is not running in an elevated context. 
    Saturday, November 26, 2011 7:12 PM
  • The problem, apparently, is that runas only works when UseShellExecute is set to true. 


    Makes it a bit tough to capture the output of the commands you execute but what can you do. 

    Saturday, November 26, 2011 7:59 PM
  • You don't need runas in this case. When the OnStart method runs elevated, spawned processes should run in the same security context.
    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Monday, November 28, 2011 6:42 AM
  • Thanks Dominick, I'm afraid this is not the case: Startup.cmd file above changes some firewall ports (via netsh advfirewall) and fails because it's not running in admin context, even after the service definition file was updated to specify executionContext='elevated'. Only option was to use UseShellExecute set to true.

    By the way, very grateful for the work Thinktecture has been doing on Azure, especially around the WIF/IM stuff. Many thanks!

    Monday, November 28, 2011 4:24 PM
  • Thanks!

    You can also configure the startup task itself to run elevated. Have you tried that?


    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Monday, November 28, 2011 4:28 PM
  • Yes, that works as expected. We moved the launching of the task to OnStart because it's dependent on an Azure Drive that's mounted at that step, and we wanted to mount first, get the path, then pass it to the batch file. All works now except we lose redirection of standard output and error.
    Monday, November 28, 2011 4:48 PM
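
Added example (not code from any poster in this thread): one way to keep the script's output when the "runas" verb forces UseShellExecute = true is to let cmd.exe redirect stdout and stderr to a log file and read that file afterwards. The class, method and parameter names are hypothetical, and the sketch assumes the script exits rather than staying resident.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Security.Principal;

static class ElevatedLauncher   // hypothetical helper, not part of the Azure SDK
{
    // True when the current process token is in the local Administrators role.
    public static bool IsElevated()
    {
        using (var identity = WindowsIdentity.GetCurrent())
            return new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator);
    }

    // Runs a batch file via the "runas" verb and returns its combined stdout/stderr.
    public static string RunElevated(string scriptPath, string argument, string logPath)
    {
        // The values are spliced into a cmd.exe command line that runs elevated,
        // so refuse anything that could break out of the surrounding quotes.
        foreach (var value in new[] { scriptPath, argument, logPath })
            if (value.IndexOf('"') >= 0)
                throw new ArgumentException("Double quotes are not allowed: " + value);

        // Process cannot redirect streams when UseShellExecute is true, so cmd.exe
        // does it. cmd /c strips the outermost pair of quotes from the command.
        string command = string.Format(
            "/c \"\"{0}\" \"{1}\" > \"{2}\" 2>&1\"", scriptPath, argument, logPath);

        var startInfo = new ProcessStartInfo
        {
            FileName = "cmd.exe",
            Arguments = command,
            UseShellExecute = true,              // Verb is only honoured in this mode
            Verb = "runas",
            WindowStyle = ProcessWindowStyle.Hidden,
            WorkingDirectory = Path.GetDirectoryName(Path.GetFullPath(scriptPath))
        };

        using (var process = Process.Start(startInfo))
        {
            process.WaitForExit();               // assumes the script terminates
            string output = File.Exists(logPath) ? File.ReadAllText(logPath) : string.Empty;
            Trace.WriteLine(string.Format("Caller elevated: {0}, exit code: {1}",
                IsElevated(), process.ExitCode));
            Trace.WriteLine(output);             // same sink the original handlers used
            return output;
        }
    }
}
```

Logging IsElevated() next to the exit code records whether the role host itself was running with the elevated executionContext at the time the script was launched.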