Windows: enhance user privilege handling and add printsid command (#6651)

Author: chenjie4255

cmd/main.go

@@ -21,6 +21,7 @@ import (
 	"net/http"
 	_ "net/http/pprof"
 	"os"
+	"runtime"
 	"strconv"
 	"strings"
 	"sync"
@@ -88,6 +89,10 @@ func Main(args []string) error {
 		},
 	}
 
+	if runtime.GOOS == "windows" {
+		app.Commands = append(app.Commands, cmdPrintSID())
+	}
+
 	if calledViaMount(args) {
 		var err error
 		args, err = handleSysMountArgs(args)

cmd/mdtest.go

@@ -22,6 +22,7 @@ import (
 	_ "net/http/pprof"
 	"os"
 	"path"
+	"runtime"
 	"sync"
 	"time"
 
@@ -35,9 +36,17 @@ import (
 	"github.com/urfave/cli/v2"
 )
 
-var ctx = meta.NewContext(1, uint32(os.Getuid()), []uint32{uint32(os.Getgid())})
+var ctx = meta.NewContext(1, uint32(utils.GetCurrentUID()), []uint32{uint32(utils.GetCurrentGID())})
 var umask = uint16(utils.GetUmask())
 
+func init() {
+	// For all the juicefs command, we treat admin/elevated privilege user as root(0) on Windows
+	// just like the mount option '-adminasroot' does for the mounted filesystem.
+	if runtime.GOOS == "windows" && utils.IsWinAdminOrElevatedPrivilege() {
+		ctx = meta.NewContext(1, 0, []uint32{0})
+	}
+}
+
 func createDir(jfs *fs.FileSystem, root string, d int, width int) error {
 	if err := jfs.Mkdir(ctx, root, 0777, umask); err != 0 {
 		return fmt.Errorf("Mkdir %s: %s", root, err)

cmd/object.go

@@ -25,6 +25,7 @@ import (
 	"math/rand"
 	"os"
 	"path"
+	"runtime"
 	"sort"
 	"strings"
 	"sync"
@@ -414,7 +415,11 @@ func (j *juiceFS) Shutdown() {
 }
 
 func newJFS(endpoint, accessKey, secretKey, token string) (object.ObjectStorage, error) {
-	pid, uid, gid = uint32(os.Getpid()), uint32(os.Getuid()), uint32(os.Getgid())
+	pid, uid, gid = uint32(os.Getpid()), uint32(utils.GetCurrentUID()), uint32(utils.GetCurrentGID())
+	if runtime.GOOS == "windows" && utils.IsWinAdminOrElevatedPrivilege() {
+		uid = 0
+		gid = 0
+	}
 	metaUrl := os.Getenv(endpoint)
 	if metaUrl == "" {
 		metaUrl = endpoint

cmd/printsid.go

@@ -0,0 +1,32 @@
+package cmd
+
+import (
+	"fmt"
+	"runtime"
+
+	"github.com/juicedata/juicefs/pkg/utils"
+	"github.com/urfave/cli/v2"
+)
+
+func cmdPrintSID() *cli.Command {
+	return &cli.Command{
+		Name:     "printsid",
+		Category: "TOOL",
+		Action:   printSID,
+		Usage:    "Show SID info and the convected UID/GID for the current user.",
+		Hidden:   true,
+	}
+}
+
+func printSID(ctx *cli.Context) error {
+	if runtime.GOOS != "windows" {
+		return fmt.Errorf("printsid command is only supported on Windows")
+	}
+
+	userSid := utils.GetCurrentUserSIDStr()
+	groupSid := utils.GetCurrentUserGroupSIDStr()
+	fmt.Printf("Current User SID: %s, UID: %d\n", userSid, utils.GetCurrentUID())
+	fmt.Printf("Current Group SID: %s, GID: %d\n", groupSid, utils.GetCurrentGID())
+
+	return nil
+}

cmd/restore.go

@@ -43,6 +43,9 @@ $ juicefs restore redis://localhost/1 2023-05-10-01`,
 
 func restore(ctx *cli.Context) error {
 	setup0(ctx, 2, 0)
+	if runtime.GOOS == "windows" && !utils.IsWinAdminOrElevatedPrivilege() {
+		return fmt.Errorf("restore command requires Administrator or elevated privilege on Windows")
+	}
 	if os.Getuid() != 0 && runtime.GOOS != "windows" {
 		return fmt.Errorf("only root can restore files from trash")
 	}

cmd/rmr.go

@@ -20,6 +20,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"runtime"
 
 	"github.com/juicedata/juicefs/pkg/meta"
 	"github.com/juicedata/juicefs/pkg/utils"
@@ -81,8 +82,10 @@ func rmr(ctx *cli.Context) error {
 		numThreads = 255
 	}
 	if ctx.Bool("skip-trash") {
-		if os.Getuid() != 0 {
+		if runtime.GOOS != "windows" && os.Getuid() != 0 {
 			logger.Fatalf("Only root can remove files directly")
+		} else if runtime.GOOS == "windows" && !utils.IsWinAdminOrElevatedPrivilege() {
+			logger.Fatalf("Removing files directly requires Administrator or elevated privilege on Windows")
 		}
 		flag = 1
 	}

pkg/fs/http.go

@@ -336,7 +336,7 @@ func (h *indexHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 }
 
 func StartHTTPServer(fs *FileSystem, config WebdavConfig) {
-	ctx := meta.NewContext(uint32(os.Getpid()), uint32(os.Getuid()), []uint32{uint32(os.Getgid())})
+	ctx := meta.NewContext(uint32(os.Getpid()), uint32(utils.GetCurrentUID()), []uint32{uint32(utils.GetCurrentGID())})
 	hfs := &webdavFS{ctx, fs, uint16(utils.GetUmask()), config}
 	srv := &webdav.Handler{
 		FileSystem: hfs,

pkg/gateway/gateway.go

@@ -71,7 +71,7 @@ type Config struct {
 }
 
 func NewJFSGateway(jfs *fs.FileSystem, conf *vfs.Config, gConf *Config) (minio.ObjectLayer, error) {
-	mctx = meta.NewContext(uint32(os.Getpid()), uint32(os.Getuid()), []uint32{uint32(os.Getgid())})
+	mctx = meta.NewContext(uint32(os.Getpid()), uint32(utils.GetCurrentUID()), []uint32{uint32(utils.GetCurrentGID())})
 	jfsObj := &jfsObjects{fs: jfs, conf: conf, listPool: minio.NewTreeWalkPool(time.Second * 10), gConf: gConf, nsMutex: minio.NewNSLock(false)}
 	go jfsObj.cleanup()
 	return jfsObj, nil

pkg/object/nfs.go

@@ -465,7 +465,7 @@ func newNFSStore(addr, username, pass, token string) (ObjectStorage, error) {
 	if err != nil {
 		return nil, fmt.Errorf("unable to dial MOUNT service %s: %v", addr, err)
 	}
-	auth := rpc.NewAuthUnix(username, uint32(os.Getuid()), uint32(os.Getgid()))
+	auth := rpc.NewAuthUnix(username, uint32(utils.GetCurrentUID()), uint32(utils.GetCurrentGID()))
 	target, err := mount.Mount(path, auth.Auth())
 	target.Config.DirCount = 1 << 17
 	// Readdir returns up to 1M at a time, even if MaxCount is set larger

pkg/utils/utils_unix.go

@@ -29,6 +29,26 @@ import (
 	"golang.org/x/sys/unix"
 )
 
+func GetCurrentUID() int {
+	return os.Getuid()
+}
+
+func GetCurrentGID() int {
+	return os.Getgid()
+}
+
+func GetCurrentUserSIDStr() string {
+	return ""
+}
+
+func GetCurrentUserGroupSIDStr() string {
+	return ""
+}
+
+func IsWinAdminOrElevatedPrivilege() bool {
+	return false
+}
+
 func GetFileInode(path string) (uint64, error) {
 	fi, err := os.Stat(path)
 	if err != nil {