[Unprivileged] Windows enablement

[blakerouse]

What does this PR do?

Enables the installation mode of --unprivileged for Windows. During installation the elastic-agent-user user and elastic-agent group is created, permissions are set correctly on the copied files, service is created running as the elastic-agent-user. While running in unprivileged mode the daemon creates the vault with the correct permissions and gives users in the elastic-agent group the ability to communicate with the running Elastic Agent daemon.

Why is it important?

Allowing users to install the Elastic Agent with less permissions.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• [ ] I have made corresponding changes to the documentation
• [ ] I have made corresponding change to the default configuration files
• [ ] I have added tests that prove my fix is effective or that my feature works (cannot test with unit tests)
• [ ] I have added an entry in ./changelog/fragments using the changelog tool (skipped as we don't want to expose this feature until ready)
• I have added an integration test or an E2E test

Author's Checklist

• elastic-agent-user is created
• elastic-agent group is created
• elastic-agent-user is added to elastic-agent group
• file permission/owner is set for elastic-agent-user and elastic-agent group
• elastic-agent runs correctly

How to test this PR locally

$ .\elastic-agent.exe install -f --unprivileged

Add your local user to elastic-agent group. Be sure to re-open command prompt. Run C:\Program Files\Elastic\Agent\elastic-agent.exe status.

Related issues

• Closes [Unprivileged] Enable --unprivileged on Windows #3868

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b unprivileged-windows upstream/unprivileged-windows
git merge upstream/main
git push upstream unprivileged-windows

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b unprivileged-windows upstream/unprivileged-windows
git merge upstream/main
git push upstream unprivileged-windows

[elasticmachine]

Pinging @elastic/elastic-agent (Team:Elastic-Agent)

[leehinman]

just documentation requests.

[leehinman]

can you add a comment on why the switch to Token(0) ? We have had so many issues with detecting "admin" I'd just like to be sure we have this documented if things pop up later.

[blakerouse]

windows.Token(0) is used because its passed into checkTokenMembership that when the token is zero that check uses the current process token. It is a simpler way of saying this processes current token, without the need to grab a handle that needs to be closed for the current process.

What do you want documented here? That windows.Token(0) means the current process token?

[leehinman]

What do you want documented here? That windows.Token(0) means the current process token?

Probably a few links to MSDN documentation, and just a comment that windows.Token(0) is current process. I'm just thinking in 3 years if we have a bug around this code in some new Azure environment it is nice to know what we were thinking and hopefully pointers to full documentation which might give clues if it has been deprecated etc.

[blakerouse]

Added some more comments and a link for the windows.Token(0).

[leehinman]

I'm pretty sure this password is stored encrypted in the Registry. We need to document how the user would go about changing it. It's not uncommon for password policies to require changing static passwords like this on a regular basis.

[blakerouse]

I don't know if that is true in this case. The user cannot login at all, it can only be used as a service and the password is setup to never expire.

[leehinman]

I don't know if that is true in this case.

See things like: https://www.stigviewer.com/stig/windows_server_2019/2020-06-15/finding/V-93209

[blakerouse]

That is interesting finding, but even in this case the installing administrator doesn't even know the password. Being the finding is speaking about an administrator knowing the password, and in this case the password is completely unknown.

We can definitely add documentation about it for unprivileged installation on Windows. If they choose to change the user account password they will also have to update the password for the service.

[pchila]

Code looks good, no major blockers.
Left a few comments that are mostly for readability/documentation, those don't fundamentally change the implementation

[leehinman]

need to use crypto/rand not math/rand for generating random passwords.

Other than that, LGTM.

[blakerouse]

@leehinman Okay I have updated to crypto/rand.

[elastic-sonarqube]

Quality Gate failed

Failed conditions

7.7% Coverage on New Code (required ≥ 40%)

See analysis details on SonarQube

[pierrehilbert]

What can be tested is tested and additional tests will require this to be merged first.
I'm forcing the merge even if the SonarQube requirement is red.