diff --git a/libbeat/api/npipe/listener_windows.go b/libbeat/api/npipe/listener_windows.go index b95409a75f4..415079ef383 100644 --- a/libbeat/api/npipe/listener_windows.go +++ b/libbeat/api/npipe/listener_windows.go @@ -101,11 +101,8 @@ func DefaultSD(forUser string) (string, error) { if u.Username == "NT AUTHORITY\\SYSTEM" { // running as SYSTEM, include Administrators group so Administrators can talk over // the named pipe to the running Elastic Agent system process - admin, err := user.LookupGroup("Administrators") - if err != nil { - return "", errors.Wrap(err, "failed to lookup Administrators group") - } - descriptor += "(A;;GA;;;" + admin.Gid + ")" + // https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems + descriptor += "(A;;GA;;;S-1-5-32-544)" // Administrators group } return descriptor, nil } diff --git a/x-pack/elastic-agent/pkg/agent/cmd/run.go b/x-pack/elastic-agent/pkg/agent/cmd/run.go index eb07e0119b4..b8a2445d82e 100644 --- a/x-pack/elastic-agent/pkg/agent/cmd/run.go +++ b/x-pack/elastic-agent/pkg/agent/cmd/run.go @@ -9,9 +9,7 @@ import ( "fmt" "os" "os/signal" - "os/user" "path/filepath" - "runtime" "syscall" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/status" @@ -279,21 +277,10 @@ func setupMetrics(agentInfo *info.AgentInfo, logger *logger.Logger, operatingSys return nil, err } - // get descriptor on windows - descriptor := "" - if runtime.GOOS == "windows" { - var err error - descriptor, err = securityDescriptor() - if err != nil { - return nil, err - } - } - // start server for stats endpointConfig := api.Config{ - Enabled: true, - Host: beats.AgentMonitoringEndpoint(operatingSystem, cfg.HTTP), - SecurityDescriptor: descriptor, + Enabled: true, + Host: beats.AgentMonitoringEndpoint(operatingSystem, cfg.HTTP), } s, err := monitoringServer.New(logger, endpointConfig, monitoring.GetNamespace, app.Routes, isProcessStatsEnabled(cfg.HTTP)) @@ -309,23 +296,3 @@ func setupMetrics(agentInfo *info.AgentInfo, logger *logger.Logger, operatingSys func isProcessStatsEnabled(cfg *monitoringCfg.MonitoringHTTPConfig) bool { return cfg != nil && cfg.Enabled } - -func securityDescriptor() (string, error) { - u, err := user.Current() - if err != nil { - return "", errors.New(err, "failed to get current user") - } - // Named pipe security and access rights. - // We create the pipe and the specific users should only be able to write to it. - // See docs: https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipe-security-and-access-rights - // String definition: https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings - // Give generic read/write access to the specified user. - descriptor := "D:P(A;;GA;;;" + u.Uid + ")" - if u.Username == "NT AUTHORITY\\SYSTEM" { - // running as SYSTEM, include Administrators group so Administrators can talk over - // the named pipe to the running Elastic Agent system process - // https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems - descriptor += "(A;;GA;;;S-1-5-32-544)" // Administrators group - } - return descriptor, nil -}