(GH-1083) Bump childprocess to '~> 4.0.0'; Disable @process.leader

Prior to this commit, it was observed on Windows Server 2016, 2019 Github Actions instances that invoking the pdk would result in ACCESS_DENIED errors. When the ChildProcess.leader parameter is set to true, it will set the `CREATE_BREAKAWAY_FROM_JOB` and `JOB_OBJECT_LIMIT_BREAKAWAY_OK` flags in the Win32. This is not required in Windows > Server 2008 / 7 and can potentially cause issues when Task Scheduler attempts to schedule a job that invokes a program with insufficient privileges. This commit also bumps `childprocess` to `~> 4.0.0` and `hitimes` to `2.0.0` to resolve dependency issues after bumping `childprocess`.
puppetlabs · Jun 9, 2021 · 5d6cbb3 · 5d6cbb3
1 parent 2b03b72
commit 5d6cbb3
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 3 deletions.
diff --git a/lib/pdk/cli/exec/command.rb b/lib/pdk/cli/exec/command.rb
@@ -27,7 +27,17 @@ def initialize(*argv)
           @argv = argv
 
           @process = ChildProcess.build(*@argv)
-          @process.leader = true
+          # https://github.com/puppetlabs/pdk/issues/1083:
+          # When @process.leader is set, childprocess will set the CREATE_BREAKAWAY_FROM_JOB
+          # and JOB_OBJECT_LIMIT_BREAKAWAY_OK flags in the Win32 API calls. This will cause
+          # issues on systems > Windows 7 / Server 2008, if the JOB_OBJECT_LIMIT_BREAKAWAY_OK
+          # flag is set and the Task Scheduler is trying to kick off a job, it can sometimes
+          # result in ACCESS_DENIED being returned by the Win32 API, depending on the permission
+          # levels / user account this user.
+          # The resolution for pdk/issues/1083 is to ensure @process.leader is not set.
+          # This will potentially cause issues on older Windows systems, in which case we may
+          # need to revisit and conditionally set this param depending on what OS we're on
+          # @process.leader = true
 
           @stdout = Tempfile.new('stdout', mode: TEMPFILE_MODE).tap { |io| io.sync = true }
           @stderr = Tempfile.new('stderr', mode: TEMPFILE_MODE).tap { |io| io.sync = true }

diff --git a/pdk.gemspec b/pdk.gemspec
@@ -20,12 +20,12 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = '>= 2.4.0' # rubocop:disable Gemspec/RequiredRubyVersion
 
   spec.add_runtime_dependency 'bundler', '>= 1.15.0', '< 3.0.0'
-  spec.add_runtime_dependency 'childprocess', '~> 0.7.1'
+  spec.add_runtime_dependency 'childprocess', '~> 4.0.0'
   spec.add_runtime_dependency 'cri', '~> 2.10'
   spec.add_runtime_dependency 'diff-lcs', '1.3'
   spec.add_runtime_dependency 'ffi', '>= 1.9.25', '< 2.0.0'
   spec.add_runtime_dependency 'gettext-setup', '~> 0.24'
-  spec.add_runtime_dependency 'hitimes', '1.3.0'
+  spec.add_runtime_dependency 'hitimes', '2.0.0'
   spec.add_runtime_dependency 'json-schema', '2.8.0'
   spec.add_runtime_dependency 'json_pure', '~> 2.1.0'
   spec.add_runtime_dependency 'minitar', '~> 0.6'