nomad run example.nomad requires Admin privileges on Windows
Nomad version
Nomad v0.7.0-rc3
Operating system and Environment details
Windows Server 2016
Issue
nomad run example.nomad fails with a permission error.
Reproduction steps
In a non-admin powershell:
nomad init
nomad run example.nomad
Error getting job struct: Error getting jobfile from "example.nomad": symlink C:\Users\mschurter\go\src\github.com\hashicorp\nomad\example.nomad C:\Users\MSCHUR~1\AppData
\Local\Temp\2\jobfile712770031: A required privilege is not held by the client.
It appears the way hashicorp/go-getter is used to copy the jobfile into a temporary file doesn't work on Windows.
schmichael
All 9 comments
For everyone here who has the same issues where they can't plan or run jobs via nomad without specific admin privileges: there is a possible workaround to make this possible.
obviously these changes will weaken the security of your system so please use with caution.
As to why this issue happens is that the creation of symbolic links requires the "SeCreateSymbolicLinkPrivilege" which is only granted to administrators but can me changed via security policy.
To change the policies simply do the following changes:
- Launch "secpol.msc" via Start or Run (Windows + R)
- Navigate through Security Settings → Local Policies → User Rights Assignment.
- Find "Create symbolic links" and add yourself to the User list.
ghost
on 20 Jan 2018
First off: great discovery, nice to know exactly what function is being performed/blocked.
Academically, I'm curious to the actual risk of allowing symbolic links. It's something done in Linux almost casually and the risk (to me) is minimal if you're not running as admin. I mean I guess someone can link and impersonate a file ... but again: only in the user space so said trojan wouldn't be elevated in anyway.
Worth further investigation, at any rate and a great find!
Justin-DynamicD
on 21 Jan 2018
Quick google shows that Windows 10 already enables this by default if you enable developer mode ... so it seems times are changing:
https://blogs.windows.com/buildingapps/2016/12/02/symlinks-windows-10/
Justin-DynamicD
on 21 Jan 2018
Great to know but also really strange.
I have Windows 10 in developer mode up and running myself and without the changes for "SeCreateSymbolicLinkPrivilege" it didnt work for me.
Maybe there is some magic going on behind the curtains which didnt apply in my case.
It could be because my current user is in a domain but without further investigation its only a guess.
ghost
on 21 Jan 2018
article notes it depends on how you call/create said link. Seems you may need to do both (be in developer mode AND have said policy in place).
I'm in a similar boat where my user account is simply a user (not admin) of W10 and I have to provide unique creds for admin access, so my experience has been similar to yours. I'm goign to dig more, however because, as stated, it seems like "legacy thinking" might be the culprit here more than any serious security risk (can't find anything specific on how it would be exploited unless you were an actual admin as well).
Justin-DynamicD
on 21 Jan 2018
This is the crazy thing in Windows 10 w/ symlinks:
if you're a standard user, you need the SeCreateSymbolicLinkPrivileges, which is only possible to set if you have Windows Pro. It should also work if you are the built-in Administrator. However, if you're only a user account of type Administrator, the privilege is always dropped and you will be required to answer the elevation privileges prompt. It really sucks.
On scripts I distribute to dev, I end up always using nomad run - so that the copy never happen. I also avoid using go-getter as is for local file copy which is not great. I enter an issue for this in go-getter (hashicorp/go-getter#39). Which, btw, also refer to #1714
ninoles
on 20 Apr 2018
Think of a global financial institution, which hardens windows os to the extent possible and getting to have exceptions to group policy is near impossible.
But, hey, why would a file copy need to create a symbolic link, this itself asks for a review.
harkamals
on 7 Jun 2018
Just encountered this today, based on all the discussion I'm still not 100% clear on what the best course of action is.
atrauzzi
on 20 Mar 2019
Windows have an utility called mklink. If you try it using the following command, you'll find that the same error occurs:
mklink link target
Access is denied.
Windows has 3 different ways to _link_ files and folders:
- Hard Link: https://docs.microsoft.com/en-us/windows/desktop/fileio/hard-links-and-junctions#hard-links
- Junction Link: https://docs.microsoft.com/en-us/windows/desktop/fileio/hard-links-and-junctions#junctions
- Symbolic Link: https://docs.microsoft.com/en-us/windows/desktop/fileio/creating-symbolic-links
Creating a symbolic link requires a Group Policy access as mentionned before or Developper Mode as describe for the SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE flag or using fsutil.
mklink [/d] link target
C++ function to create Symlink
Creating a junction link only works on folders but does not require any special privilege.
mklink /j link target
C++ function to create Junction Link
Creating a hard link only works on file on the same volume but does not require any special privilege.
mklink /h link target
GenvidCI
on 12 Jun 2019
Related issues
samber
·
3Comments
bdclark
·
3Comments
mancusogmu
·
3Comments
stongo
·
3Comments
funkytaco
·
3Comments
Most helpful comment
Think of a global financial institution, which hardens windows os to the extent possible and getting to have exceptions to group policy is near impossible.
But, hey, why would a file copy need to create a symbolic link, this itself asks for a review.