如何为GitHub Actions的nt权限\网络服务帐户添加特权? [英] How to add privileges to the nt authority\network service account for GitHub Actions?
问题描述
GitHub Actions自托管运行程序在nt authority\network service
帐户下运行.
GitHub Actions self-hosted runners run under the nt authority\network service
account.
根据 https://docs.microsoft.com /en-us/windows/win32/services/networkservice-account :
它在本地计算机上具有最低特权,并且充当网络上的计算机.
It has minimum privileges on the local computer and acts as the computer on the network.
我正在尝试使用GitHub Actions自托管运行程序将应用程序部署到我的服务器上.为此,我需要访问当前提供ERROR: Access is denied.
I am trying to use a GitHub Actions self-hosted runner to deploy an app to my server. To do this I need to access schtasks.exe
which currently gives ERROR: Access is denied.
我如何赋予nt authority\network service
特权,以便它可以访问schtasks.exe
?
How can I give privileges to nt authority\network service
so that it is able to access schtasks.exe
?
推荐答案
我发现最简单的解决方案是更改GitHub Actions服务运行的帐户.
I found the easiest solution for my issue was to change the account the GitHub Actions service ran under.
我通过使用powershell "(Get-Service actions.runner.*).name"
查找GitHub Actions服务的名称来实现这一目标.
I achieved this by using powershell "(Get-Service actions.runner.*).name"
to find the name of the GitHub Actions service.
然后运行sc config "NAME_OF_YOUR_SERVICE" obj= "NT AUTHORITY\SYSTEM" type= own
以将其更新为作为系统运行.
And then running sc config "NAME_OF_YOUR_SERVICE" obj= "NT AUTHORITY\SYSTEM" type= own
to update it to run as the system.
如@Lex Li所说
CI代理(用于Azure Pipelines或GitHub Actions)应在 专用帐户(在Windows上通常是来自Active的服务帐户 目录),以便您可以调整其对各种资源的权限.
A CI agent (for Azure Pipelines or GitHub Actions) should run under a dedicated account (on Windows usually a service account from Active Directory), so that you can tune its permissions on various resources.
这篇关于如何为GitHub Actions的nt权限\网络服务帐户添加特权?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!