Lucas Vickers
2012-Oct-26 15:10 UTC
[Puppet Users] Launching a full screen app through puppet
Hello,

I'm controlling 180 Windows machines for an art project. I am using puppet to configure the machines, push out an app as a zip, unzip it, change permissions, then launch it.

Everything works perfectly, except the app is being launched in a hidden desktop due to Windows security.

From what I'm told since puppet runs as a service it is not allowed to launch an app on the logged in desktop. I confirmed that when running the puppet agent manually the app launches correctly.

My question is, does anyone have any experience launching an .exe from puppet in Windows in the current logged in desktop?

Thanks,
Lucas
Josh Cooper
2012-Oct-26 18:40 UTC
Re: [Puppet Users] Launching a full screen app through puppet
Hi Lucas,

On Fri, Oct 26, 2012 at 8:10 AM, Lucas Vickers <lucasvickers@gmail.com> wrote:
> Hello,
>
> I'm controlling 180 Windows machines for an art project. I am using
> puppet to configure the machines, push out an app as a zip, unzip it,
> change permissions, then launch it.

If you do not need LocalSystem permissions, then you could simply configure the puppet service to run as an unprivileged (domain or local) user:

    sc config puppet obj= <username> password= <password>

and allow the service to interact with the desktop:

    sc config puppet type= interact

> Everything works perfectly,
> except the app is being launched in a hidden desktop due to Windows
> security.

This page describes some of the issues.

http://msdn.microsoft.com/en-us/library/windows/desktop/ms684190(v=vs.85).aspx

"If the service opens a command window and runs a batch file, the user could hit CTRL+C to terminate the batch file and gain access to a command window with LocalSystem permissions." So privilege escalation.

> From what I'm told since puppet runs as a service it is not allowed to
> launch an app on the logged in desktop. I confirmed that when running
> the puppet agent manually the app launches correctly.

It is possible to allow services running under LocalSystem to interact with the desktop in older versions of Windows. If you don't care about the security implications, you could investigate that, though I wouldn't recommend it.

Alternatively, you could do something like this:

http://chabster.blogspot.com/2008/01/run-as-interactive-user-from-service.html

Compile it and distribute it with your module.

Josh

--
Josh Cooper
Developer, Puppet Labs
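An audit for the setting discussed in the reply above, as an added example that is not part of the thread: it lists every service whose registry `Type` value carries the interactive flag (the bit that `sc config <name> type= interact` sets) together with the account it runs under, so a LocalSystem service with desktop access stands out. The function names `Get-InteractiveService` and `Get-InteractiveServicePolicy` are hypothetical; the registry locations are the standard Service Control Manager ones.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell session.
# SERVICE_INTERACTIVE_PROCESS is the bit that "type= interact" adds to a service's Type.
$SERVICE_INTERACTIVE_PROCESS = 0x100
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$PolicyKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'

function Get-InteractiveService {
    # Hypothetical helper: one object per service that has the interactive bit set.
    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props -or $null -eq $props.Type) { return }
        if (($props.Type -band $SERVICE_INTERACTIVE_PROCESS) -eq 0) { return }

        # An empty ObjectName means the service runs as LocalSystem.
        $account = if ($props.ObjectName) { $props.ObjectName } else { 'LocalSystem' }

        [pscustomobject]@{
            Name              = $_.PSChildName
            Account           = $account
            Type              = '0x{0:X}' -f $props.Type
            RunsAsLocalSystem = ($account -eq 'LocalSystem')
        }
    }
}

function Get-InteractiveServicePolicy {
    # Hypothetical helper: NoInteractiveServices = 1 means Windows refuses to let
    # services interact with the desktop regardless of the per-service flag.
    $p = Get-ItemProperty -Path $PolicyKey -Name NoInteractiveServices -ErrorAction SilentlyContinue
    if ($null -eq $p) { 'NoInteractiveServices not set' }
    else { 'NoInteractiveServices = {0}' -f $p.NoInteractiveServices }
}

Get-InteractiveServicePolicy
Get-InteractiveService | Sort-Object RunsAsLocalSystem -Descending | Format-Table -AutoSize
```

Rows with `RunsAsLocalSystem` set to `True` are the configuration the quoted MSDN passage warns about.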
Lucas Vickers
2012-Oct-30 17:42 UTC
Re: [Puppet Users] Launching a full screen app through puppet
Just FYI, I was able to launch the app into the active desktop using the tool http://developex.com/custom-software/devxexec.html which is probably just an implementation of the article you posted. The only caveat is that I still had to run the service under the logged-in user, which so far is showing no negative side effects.

Thanks for the info.