skip allow_superuser in Windows OS (#16629)

As user id is always zero in Windows, this commit excluded the checking of running as root in Windows.
elastic · Nov 5, 2024 · 5847d77 · 5847d77
1 parent 113585d
commit 5847d77
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 30 deletions.
diff --git a/config/logstash.yml b/config/logstash.yml
@@ -320,7 +320,7 @@
 #
 # ------------ Other Settings --------------
 #
-# Allow or block running Logstash as superuser (default: true)
+# Allow or block running Logstash as superuser (default: true). Windows are excluded from the checking
 # allow_superuser: false
 #
 # Where to find custom plugins

diff --git a/logstash-core/lib/logstash/runner.rb b/logstash-core/lib/logstash/runner.rb
@@ -454,6 +454,8 @@ def execute
   end # def self.main
 
   def running_as_superuser
+    return if LogStash::Environment.windows? # windows euid always returns 0, skip checking
+
     if Process.euid() == 0
       if setting("allow_superuser")
         logger.warn("NOTICE: Allowing Logstash to run as superuser is heavily discouraged as it poses a security risk. " +

diff --git a/logstash-core/spec/logstash/runner_spec.rb b/logstash-core/spec/logstash/runner_spec.rb
@@ -574,41 +574,51 @@
     let(:deprecation_logger_stub) { double("DeprecationLogger").as_null_object }
     before(:each) { allow(runner).to receive(:deprecation_logger).and_return(deprecation_logger_stub) }
 
-    context "unintentionally running logstash as superuser" do
-      before do
-        expect(Process).to receive(:euid).and_return(0)
+    if LogStash::Environment.windows?
+      context "unintentionally running logstash as superuser" do
+        it "runs successfully" do
+          LogStash::SETTINGS.set("allow_superuser", false)
+          expect(logger).not_to receive(:fatal)
+          expect { subject.run(args) }.not_to raise_error
+        end
       end
-      it "fails with bad exit" do
-        LogStash::SETTINGS.set("allow_superuser", false)
-        expect(logger).to receive(:fatal) do |msg, hash|
-          expect(msg).to eq("An unexpected error occurred!")
-          expect(hash[:error].to_s).to match("Logstash cannot be run as superuser.")
+    else
+      context "unintentionally running logstash as superuser" do
+        before do
+          expect(Process).to receive(:euid).and_return(0)
+        end
+        it "fails with bad exit" do
+          LogStash::SETTINGS.set("allow_superuser", false)
+          expect(logger).to receive(:fatal) do |msg, hash|
+            expect(msg).to eq("An unexpected error occurred!")
+            expect(hash[:error].to_s).to match("Logstash cannot be run as superuser.")
+          end
+          expect(subject.run(args)).to eq(1)
         end
-        expect(subject.run(args)).to eq(1)
       end
-    end
 
-    context "intentionally running logstash as superuser " do
-      before do
-        expect(Process).to receive(:euid).and_return(0)
-      end
-      it "runs successfully with warning message" do
-        LogStash::SETTINGS.set("allow_superuser", true)
-        expect(logger).not_to receive(:fatal)
-        expect(logger).to receive(:warn).with(/NOTICE: Allowing Logstash to run as superuser is heavily discouraged as it poses a security risk./)
-        expect { subject.run(args) }.not_to raise_error
+      context "intentionally running logstash as superuser " do
+        before do
+          expect(Process).to receive(:euid).and_return(0)
+        end
+        it "runs successfully with warning message" do
+          LogStash::SETTINGS.set("allow_superuser", true)
+          expect(logger).not_to receive(:fatal)
+          expect(logger).to receive(:warn).with(/NOTICE: Allowing Logstash to run as superuser is heavily discouraged as it poses a security risk./)
+          expect { subject.run(args) }.not_to raise_error
+        end
       end
-    end
 
-    context "running logstash as non-root " do
-      before do
-        expect(Process).to receive(:euid).and_return(100)
-      end
-      it "runs successfully without any messages" do
-        LogStash::SETTINGS.set("allow_superuser", false)
-        expect(logger).not_to receive(:fatal)
-        expect(logger).not_to receive(:warn).with(/NOTICE: Allowing Logstash to run as superuser is heavily discouraged as it poses a security risk./)
-        expect { subject.run(args) }.not_to raise_error
+      context "running logstash as non-root " do
+        before do
+          expect(Process).to receive(:euid).and_return(100)
+        end
+        it "runs successfully without any messages" do
+          LogStash::SETTINGS.set("allow_superuser", false)
+          expect(logger).not_to receive(:fatal)
+          expect(logger).not_to receive(:warn).with(/NOTICE: Allowing Logstash to run as superuser is heavily discouraged as it poses a security risk./)
+          expect { subject.run(args) }.not_to raise_error
+        end
       end
     end
   end