如何为GitHub Actions的nt权限\网络服务帐户添加特权? [英] How to add privileges to the nt authority\network service account for GitHub Actions?

问题描述

GitHub Actions自托管运行程序在nt authority\network service帐户下运行.

GitHub Actions self-hosted runners run under the nt authority\network service account.

根据 https://docs.microsoft.com /en-us/windows/win32/services/networkservice-account :

它在本地计算机上具有最低特权，并且充当网络上的计算机.

It has minimum privileges on the local computer and acts as the computer on the network.

我正在尝试使用GitHub Actions自托管运行程序将应用程序部署到我的服务器上.为此，我需要访问当前提供ERROR: Access is denied.

I am trying to use a GitHub Actions self-hosted runner to deploy an app to my server. To do this I need to access schtasks.exe which currently gives ERROR: Access is denied.

我如何赋予nt authority\network service特权，以便它可以访问schtasks.exe?

How can I give privileges to nt authority\network service so that it is able to access schtasks.exe?

推荐答案

我发现最简单的解决方案是更改GitHub Actions服务运行的帐户.

I found the easiest solution for my issue was to change the account the GitHub Actions service ran under.

我通过使用powershell "(Get-Service actions.runner.*).name"查找GitHub Actions服务的名称来实现这一目标.

I achieved this by using powershell "(Get-Service actions.runner.*).name"to find the name of the GitHub Actions service.

然后运行sc config "NAME_OF_YOUR_SERVICE" obj= "NT AUTHORITY\SYSTEM" type= own以将其更新为作为系统运行.

And then running sc config "NAME_OF_YOUR_SERVICE" obj= "NT AUTHORITY\SYSTEM" type= own to update it to run as the system.

如@Lex Li所说

CI代理(用于Azure Pipelines或GitHub Actions)应在 专用帐户(在Windows上通常是来自Active的服务帐户 目录)，以便您可以调整其对各种资源的权限.

A CI agent (for Azure Pipelines or GitHub Actions) should run under a dedicated account (on Windows usually a service account from Active Directory), so that you can tune its permissions on various resources.

这篇关于如何为GitHub Actions的nt权限\网络服务帐户添加特权?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！