Overview

On Windows, access to system resources and system-related tasks can be controlled with privileges held in an object called an access token. When the Wrapper is executed on behalf of a user, the process receives a copy of the access token containing the user's privileges.

The Professional Edition of the Wrapper makes it possible to adjust these privileges at different levels:

  • When installing the Wrapper as a service with Administrator credentials (or when updating the service with appropriate permissions), it is possible to completely redefine its list of required privileges. Later, when the Service Control Manager (SCM) starts the service, it will update the process token with the specified privileges.

  • At runtime, any of the privileges existing in the Wrapper process token can be enabled or disabled. In addition, it is possible to completely remove a privilege. However, this action is not reversible during the lifespan of the Wrapper process. A privilege that is not present in the access token cannot be added.

  • By default, a process started from a user session and all its child processes share the same access token. Therefore, if a privilege is changed by one process, the change will apply to all processes in the parent-child hierarchy.

    The Wrapper, however, makes it possible to configure the privileges of some of its child processes separately. This is the case with the Java process and Event Commands. For this to work, a duplicate of the Wrapper access token will be created exclusively for the child process. This allows the child process to run in a new security context, whose privileges can then be adjusted without affecting other processes.

For security, it is recommended that an application enables only the privileges that it needs. If a privilege may be used occasionally, or if it must be used by some of its child processes, it can be disabled to retain the ability to re-enable it at a later stage. However, to prevent a privilege from being re-enabled by the application or any of its child processes, the safest course of action is to remove the privilege completely.

If no required privileges are specified for a Windows Service, the SCM will not change the service's access token at startup, leaving it with the privileges assigned by default, i.e. those held by the user and groups to which the service account belongs.

The following privileges are commonly assigned to users running services:

  • SeCreateGlobalPrivilege and SeImpersonatePrivilege privileges are granted through the SERVICE group to which all users running services should belong.

  • SeIncreaseWorkingSetPrivilege is granted through the Users group.

  • SeChangeNotifyPrivilege is enabled by default for all users.

In general, the above privileges are appropriate (and sometimes necessary) for the Wrapper process, so in most situations you should not need to change them. However, depending on your application usage, it may be better for security to remove some privileges from the access token of the Java process or child processes running in response to events.

WARNING

Particular attention should be paid to the SeImpersonatePrivilege privilege. While enabled by default for Windows services, this privilege can be abused to escalate from a local account to NT AUTHORITY\SYSTEM if the Java application gives the user the ability to execute arbitrary commands. In such cases, it is highly recommended to remove SeImpersonatePrivilege from the Java process.

The same applies to Event Commands. Caution should always be taken to ensure that the target program or script has appropriate file permissions so that it cannot be modified or replaced. Additionally, if the configured command gives the user the ability to execute their own commands or open a console, SeImpersonatePrivilege should also be removed.

NT AUTHORITY\SYSTEM is a powerful account that has even more privileges than an Administrator on Windows. Gaining access to it is a real safety concern as it would allow almost full control over the machine.

Please see the description of the wrapper.ntservice.impersonation property for details on how to control impersonation for the Wrapper process.


The following properties are available to configure privileges:

Required privileges for a Windows Service

wrapper.ntservice.required_privileges

Compatibility: 3.5.57
Editions: Professional Edition, Standard Edition (Not Supported), Community Edition (Not Supported)
Platforms: Windows, Mac OSX (Not Supported), Linux (Not Supported), IBM AIX (Not Supported), FreeBSD (Not Supported), HP-UX (Not Supported), Solaris (Not Supported), IBM z/OS (Not Supported), IBM z/Linux (Not Supported)

This property is used when installing the Wrapper as a Windows service or when updating an existing service. It specifies a list of required privileges that will be inserted into the service configuration. The Service Control Manager (SCM) then uses this list to determine which privileges are supported and, if applicable, assign them to the service each time it is started. Privileges of the service access token that are not present in the required privilege list will be removed by the SCM. There is one exception, however: SeChangeNotifyPrivilege is never removed, for compatibility reasons.

The value NONE, or an empty value, can be used to specify that no required privileges should be used for the service. If no required privileges are specified, the SCM will not change the service's access token at startup, leaving it with the privileges assigned by default, i.e. those held by the user and groups to which the service belongs.

The default value is UNCHANGED. When installing a service, it means that no required privileges will be used for the service. When updating a service, it means that the configured required privileges will not be updated.

NOTE

Using wrapper.ntservice.required_privileges=SeChangeNotifyPrivilege will restrict the service privileges to a minimum. It will cause all privileges to be removed at startup except SeChangeNotifyPrivilege.

The property must be defined with a comma-separated list of privilege names, each starting with 'Se' and ending with 'Privilege'.

Example:
wrapper.ntservice.required_privileges=SeChangeNotifyPrivilege, SeIncreaseWorkingSetPrivilege

The command 'whoami /priv' can be used to view the privilege names of the current user.

In a Command Prompt run as NT AUTHORITY\SYSTEM, 'whoami /priv' will return the following output:
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeAssignPrimaryTokenPrivilege             Replace a process level token                                      Disabled
SeLockMemoryPrivilege                     Lock pages in memory                                               Enabled
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Disabled
SeTcbPrivilege                            Act as part of the operating system                                Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Disabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Disabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Disabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeCreatePermanentPrivilege                Create permanent shared objects                                    Enabled
SeBackupPrivilege                         Back up files and directories                                      Disabled
SeRestorePrivilege                        Restore files and directories                                      Disabled
SeShutdownPrivilege                       Shut down the system                                               Disabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeAuditPrivilege                          Generate security audits                                           Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeUndockPrivilege                         Remove computer from docking station                               Disabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Disabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

Please see the Microsoft MSDN page for the full list of privileges (only constants ending with 'Privilege' can be used).

Runtime privileges for the Wrapper process

The following properties are used to adjust privileges for the Wrapper process. Only privileges that exist in the access token of the Wrapper process can be adjusted.

By default, the access token contains the privileges held by the user under which the Wrapper is running and the privileges of the groups to which this user belongs.

For Windows services, the default privileges can be overridden by setting a list of required privileges. If a privilege is missing, it is possible to add it to the wrapper.ntservice.required_privileges list and to re-install or update the service. On the next startup, the access token of the Wrapper should then contain the privilege.

Note that these properties will only take effect on the first configuration load and will be ignored if the configuration is reloaded.

wrapper.privileges.enable

Compatibility: 3.5.57
Editions: Professional Edition, Standard Edition (Not Supported), Community Edition (Not Supported)
Platforms: Windows, Mac OSX (Not Supported), Linux (Not Supported), IBM AIX (Not Supported), FreeBSD (Not Supported), HP-UX (Not Supported), Solaris (Not Supported), IBM z/OS (Not Supported), IBM z/Linux (Not Supported)

This property is used to specify a list of privileges to enable when the Wrapper starts as a console or as a service. The privileges listed must be separated by commas.

Example (enable SeIncreaseWorkingSetPrivilege and SeCreateGlobalPrivilege):
wrapper.privileges.enable=SeIncreaseWorkingSetPrivilege, SeCreateGlobalPrivilege

The value ALL can be used to enable all privileges present in the access token of the Wrapper process.

wrapper.privileges.enable=ALL can also be used in combination with wrapper.privileges.disable to enable all but a few privileges.

Example (enable all privileges except SeIncreaseWorkingSetPrivilege):
wrapper.privileges.enable=ALL
wrapper.privileges.disable=SeIncreaseWorkingSetPrivilege

wrapper.privileges.disable

Compatibility: 3.5.57
Editions: Professional Edition, Standard Edition (Not Supported), Community Edition (Not Supported)
Platforms: Windows, Mac OSX (Not Supported), Linux (Not Supported), IBM AIX (Not Supported), FreeBSD (Not Supported), HP-UX (Not Supported), Solaris (Not Supported), IBM z/OS (Not Supported), IBM z/Linux (Not Supported)

This property is used to specify a list of privileges to disable when the Wrapper starts as a console or as a service. The privileges listed must be separated by commas.

Example (disable SeIncreaseWorkingSetPrivilege and SeCreateGlobalPrivilege):
wrapper.privileges.disable=SeIncreaseWorkingSetPrivilege, SeCreateGlobalPrivilege

The value ALL can be used to disable all privileges present in the access token of the Wrapper process.

wrapper.privileges.disable=ALL can also be used in combination with wrapper.privileges.enable to disable all but a few privileges.

Example (disable all privileges except SeIncreaseWorkingSetPrivilege):
wrapper.privileges.disable=ALL
wrapper.privileges.enable=SeIncreaseWorkingSetPrivilege

WARNING

  • If a privilege is present in both the wrapper.privileges.enable and wrapper.privileges.disable lists, a warning will be logged and the privilege will be disabled (except in cases where one of the properties is set to ALL).

  • Using both wrapper.privileges.enable=ALL and wrapper.privileges.disable=ALL is invalid.

wrapper.privileges.remove

Compatibility: 3.5.57
Editions: Professional Edition, Standard Edition (Not Supported), Community Edition (Not Supported)
Platforms: Windows, Mac OSX (Not Supported), Linux (Not Supported), IBM AIX (Not Supported), FreeBSD (Not Supported), HP-UX (Not Supported), Solaris (Not Supported), IBM z/OS (Not Supported), IBM z/Linux (Not Supported)

This property is used to specify a list of privileges to remove when the Wrapper starts as a console or as a service. The privileges listed must be separated by commas.

Example (remove SeIncreaseWorkingSetPrivilege and SeCreateGlobalPrivilege):
wrapper.privileges.remove=SeIncreaseWorkingSetPrivilege, SeCreateGlobalPrivilege

The value ALL can be used to remove all privileges present in the access token of the Wrapper process.

Example (remove all privileges):
wrapper.privileges.remove=ALL

WARNING

Once a privilege has been removed from the access token of a process, it cannot be added back for the lifespan of the process. Removing a privilege also makes it unavailable to all child processes that share the same access token or for future child processes that will be launched by duplicating the access token of the Wrapper.

If the Wrapper is launched from another process and both processes share the same access token, editing the access token of the Wrapper would also affect the parent process. However, when starting in a console or as a Windows service, which are the most common scenarios, this is not a problem because Windows will assign a new token to the Wrapper process.

NOTE

wrapper.privileges.remove can be used at runtime to remove one or more privileges. However, it is usually better to remove the privilege(s) from the value of wrapper.ntservice.required_privileges and reinstall or update the service.

wrapper.ntservice.impersonation

Compatibility: 3.5.58
Editions: Professional Edition, Standard Edition, Community Edition
Platforms: Windows, Mac OSX (Not Supported), Linux (Not Supported), IBM AIX (Not Supported), FreeBSD (Not Supported), HP-UX (Not Supported), Solaris (Not Supported), IBM z/OS (Not Supported), IBM z/Linux (Not Supported)

This property controls whether impersonation should be removed for the Wrapper process and all of its child processes (including the Java application processes).

When a Windows service starts, the Service Control Manager (SCM) automatically adds the SERVICE group to the account used by the service. This is the case for most accounts that you can use for Windows services, including the built-in accounts and custom local accounts. By default, the SERVICE group has the SeImpersonatePrivilege which is a user right to "Impersonate a client after authentication". While this privilege is needed by many system services for compatibility, most Java applications do not actually need it.

It is a known security concern that SeImpersonatePrivilege can be abused by malicious code to escalate to the LocalSystem account, which has the highest privilege level on a Windows system. No one can guarantee that their program will never be affected by vulnerabilities that allow execution of unwanted code, so the safest way is to simply not allow this privilege when it is not needed.

Following the principle of least privilege, it was decided that the Wrapper will remove this privilege by default for services running with any account other than NT AUTHORITY\SYSTEM (when running with the SYSTEM account, Java processes would already have the highest possible privileges, so there is no risk of further escalation). This applies to all Wrapper versions after 3.5.58. Only services that need SeImpersonatePrivilege should enable it.

The wrapper.ntservice.impersonation property can be configured with the following values:

  • UNCHANGED :

    to never remove SeImpersonatePrivilege from the Wrapper process.

  • DEFAULT :

    to remove SeImpersonatePrivilege when running as a service with an account other than NT AUTHORITY\SYSTEM.

  • REMOVE :

    to always remove SeImpersonatePrivilege from the Wrapper process.

The default value is DEFAULT.

NOTE

SeImpersonatePrivilege will not be removed if required privileges are specified for the service. This is because if SeImpersonatePrivilege is not present in the list of required privileges, it will be removed by the SCM. But on the contrary, if it is present, it means that it must be retained. Fine control of the required privileges can be made with the Professional Edition.

The Professional Edition can also override wrapper.ntservice.impersonation by specifying SeImpersonatePrivilege with the wrapper.privileges.remove property.

If SeImpersonatePrivilege is required for an Event Command (Professional Edition), for the Java application, or for any of its child processes, wrapper.ntservice.impersonation must be set to UNCHANGED. Then, the Professional Edition of the Wrapper can fine tune which processes should remove this privilege and which processes should keep it.

Example:
# Do not remove impersonation for services
wrapper.ntservice.impersonation=UNCHANGED

# Remove impersonation for the Java process
wrapper.java.privileges.remove=SeImpersonatePrivilege

# Remove impersonation for all event commands by default
wrapper.event.default.command.privileges.remove=SeImpersonatePrivilege

# Enable SeImpersonatePrivilege for only one specific command
wrapper.event.user1.command.argv.1=./myscript.bat
wrapper.event.user1.command.privileges.enable=SeImpersonatePrivilege

NOTE

wrapper.ntservice.impersonation is only used when the Wrapper is running as a Windows service. However, for the other privilege properties, if you need to apply different settings depending on whether you are running as a service or as a console application, you may consider using an include file whose path references the %WRAPPER_RUN_MODE% variable. You can then have two distinct configuration files, with paths (or filenames) containing either the word "service" or "console" depending on which mode the configuration should apply to.

Example (different configurations for service and console modes):
#include ../conf/wrapper-privileges-%WRAPPER_RUN_MODE%.conf

Runtime privileges for the Java process

The following properties are used to adjust privileges for the Java process. If any of these properties are set, the access token of the Wrapper process will be duplicated and the specified privileges will be adjusted in the token copy. The Java process will then be launched in the security context represented by this new token.

Only privileges that exist in the access token of the Java process (and therefore also exist in the token of the Wrapper process) can be adjusted.

Keep in mind that the list of privileges can be changed at two levels before the Java process is launched: when installing a Windows service if required privileges were specified, or if one or more privileges have been removed when starting the Wrapper.

The privileges will be readjusted each time a new JVM is launched. If reloading the configuration file is allowed, these properties can be changed to use different privilege settings on the next JVM invocation.

wrapper.java.privileges.enable

Compatibility: 3.5.57
Editions: Professional Edition, Standard Edition (Not Supported), Community Edition (Not Supported)
Platforms: Windows, Mac OSX (Not Supported), Linux (Not Supported), IBM AIX (Not Supported), FreeBSD (Not Supported), HP-UX (Not Supported), Solaris (Not Supported), IBM z/OS (Not Supported), IBM z/Linux (Not Supported)

This property is used to specify a list of privileges to enable when the Java process is launched. The privileges listed must be separated by commas.

Example (enable SeIncreaseWorkingSetPrivilege and SeCreateGlobalPrivilege):
wrapper.java.privileges.enable=SeIncreaseWorkingSetPrivilege, SeCreateGlobalPrivilege

The value ALL can be used to enable all privileges present in the access token of the Wrapper process.

wrapper.java.privileges.enable=ALL can also be used in combination with wrapper.java.privileges.disable to enable all but a few privileges.

Example (enable all privileges except SeIncreaseWorkingSetPrivilege):
wrapper.java.privileges.enable=ALL
wrapper.java.privileges.disable=SeIncreaseWorkingSetPrivilege

wrapper.java.privileges.disable

Compatibility: 3.5.57
Editions: Professional Edition, Standard Edition (Not Supported), Community Edition (Not Supported)
Platforms: Windows, Mac OSX (Not Supported), Linux (Not Supported), IBM AIX (Not Supported), FreeBSD (Not Supported), HP-UX (Not Supported), Solaris (Not Supported), IBM z/OS (Not Supported), IBM z/Linux (Not Supported)

This property is used to specify a list of privileges to disable when the Java process is launched. The privileges listed must be separated by commas.

Example (disable SeIncreaseWorkingSetPrivilege and SeCreateGlobalPrivilege):
wrapper.java.privileges.disable=SeIncreaseWorkingSetPrivilege, SeCreateGlobalPrivilege

The value ALL can be used to disable all privileges present in the access token of the Wrapper process.

wrapper.java.privileges.disable=ALL can also be used in combination with wrapper.java.privileges.enable to disable all but a few privileges.

Example (disable all privileges except SeIncreaseWorkingSetPrivilege):
wrapper.java.privileges.disable=ALL
wrapper.java.privileges.enable=SeIncreaseWorkingSetPrivilege

WARNING

  • If a privilege is present in both the wrapper.java.privileges.enable and wrapper.java.privileges.disable lists, a warning will be logged and the privilege will be disabled (except in cases where one of the properties is set to ALL).

  • Using both wrapper.java.privileges.enable=ALL and wrapper.java.privileges.disable=ALL is invalid.

wrapper.java.privileges.remove

Compatibility: 3.5.57
Editions: Professional Edition, Standard Edition (Not Supported), Community Edition (Not Supported)
Platforms: Windows, Mac OSX (Not Supported), Linux (Not Supported), IBM AIX (Not Supported), FreeBSD (Not Supported), HP-UX (Not Supported), Solaris (Not Supported), IBM z/OS (Not Supported), IBM z/Linux (Not Supported)

This property is used to specify a list of privileges to remove when the Java process is launched. The privileges listed must be separated by commas.

Example (remove SeIncreaseWorkingSetPrivilege and SeCreateGlobalPrivilege):
wrapper.java.privileges.remove=SeIncreaseWorkingSetPrivilege, SeCreateGlobalPrivilege

The value ALL can be used to remove all privileges present in the access token of the Wrapper process.

Example (remove all privileges):
wrapper.java.privileges.remove=ALL

WARNING

Once a privilege has been removed from the access token of a process, it cannot be added back for the lifespan of the process. Removing a privilege also makes it unavailable to all child processes launched by Java.

NOTE

wrapper.privileges.remove can be used to run the Java process with lower privileges than the Wrapper process.

Runtime privileges for Event commands

The following properties are used to adjust privileges for commands launched in response to certain events. If any of these properties are set, the access token of the Wrapper process will be duplicated and the specified privileges will be adjusted in the token copy. The event command will then be launched in the security context represented by this new token.

Only privileges that exist in the access token of the Event command (and therefore also exist in the token of the Wrapper process) can be adjusted.

Keep in mind that the list of privileges can be changed at two levels before an event command is launched: when installing a Windows service if required privileges were specified, or if one or more privileges have been removed when starting the Wrapper.

NOTE

The ability to control privileges at different levels when processes are launched allows configurations like the following: in order to enable a certain privilege for an Event Command, it must also exist for the Wrapper process. However, the Java process can completely remove this privilege, thus guaranteeing that it won't be used by the Java application or by any of its child processes.

Example:
# install the service with the following privileges
wrapper.ntservice.required_privileges=SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeIncreaseWorkingSetPrivilege

# disable SeImpersonatePrivilege privilege as it is not needed for the Wrapper itself
# (but keep it in the access token so that event commands can still enable it)
wrapper.privileges.disable=SeImpersonatePrivilege

# remove SeImpersonatePrivilege for the Java application and all of its child processes
wrapper.java.privileges.remove=SeImpersonatePrivilege

# by default, also remove SeImpersonatePrivilege from all event commands
wrapper.event.default.command.privileges.remove=SeImpersonatePrivilege

# override the above default property for a specific event command
wrapper.event.user1.command.privileges.remove=NONE

# enable SeImpersonatePrivilege for a specific event command
wrapper.event.user1.command.privileges.enable=SeImpersonatePrivilege
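
The layered resolution described on this page (SCM required list, then Wrapper runtime lists, then per-child token duplicates) can be modelled to check which process ends up holding SeImpersonatePrivilege. This is an added example, not Wrapper code: the function names, the ACCOUNT token contents and the "remove is applied last" ordering are assumptions, and it only models a fresh service install.

```python
import re

NAME_RE = re.compile(r"^Se[A-Za-z]+Privilege$")
EVENT_RE = re.compile(r"^wrapper\.event\.([^.]+)\.command\.privileges\.")
KEEP_ALWAYS = "SeChangeNotifyPrivilege"  # per the page, the SCM never strips it

# The multi-level configuration shown above (comments dropped).
PAGE_CONF = """
wrapper.ntservice.required_privileges=SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeIncreaseWorkingSetPrivilege
wrapper.privileges.disable=SeImpersonatePrivilege
wrapper.java.privileges.remove=SeImpersonatePrivilege
wrapper.event.default.command.privileges.remove=SeImpersonatePrivilege
wrapper.event.user1.command.privileges.remove=NONE
wrapper.event.user1.command.privileges.enable=SeImpersonatePrivilege
"""

# Constructed sample: privileges held by a hypothetical service account
# (name -> enabled?). Real values come from the account and its groups.
ACCOUNT = {"SeChangeNotifyPrivilege": True, "SeImpersonatePrivilege": True,
           "SeCreateGlobalPrivilege": True, "SeIncreaseWorkingSetPrivilege": False}

def parse_conf(text):
    """Read key=value lines, skipping blanks and '#' lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def parse_list(value):
    """Return 'ALL' or a list of validated names; unset/empty/NONE -> []."""
    value = (value or "").strip()
    if value.upper() in ("", "NONE"):
        return []
    if value.upper() == "ALL":
        return "ALL"
    names = [n.strip() for n in value.split(",") if n.strip()]
    bad = [n for n in names if not NAME_RE.match(n)]
    if bad:
        raise ValueError("invalid privilege name(s): " + ", ".join(bad))
    return names

def adjust(token, enable, disable, remove, who, warnings):
    """Apply one level's enable/disable/remove lists to a copy of token."""
    if enable == "ALL" and disable == "ALL":
        raise ValueError(who + ": enable=ALL with disable=ALL is invalid")
    new = dict(token)   # children work on a duplicate of the parent token
    for name in token:  # privileges absent from the token cannot be added
        on = enable == "ALL" or name in enable
        off = disable == "ALL" or name in disable
        if on and off:
            if "ALL" not in (enable, disable):
                warnings.append("%s: %s is in both lists, disabled" % (who, name))
            on = disable == "ALL"  # an explicit list beats ALL, else disable wins
        if on:
            new[name] = True
        elif off:
            new[name] = False
    for name in (list(new) if remove == "ALL" else remove):
        new.pop(name, None)  # assumption: remove is applied last and wins
    return new

def resolve(props, account, is_system=False):
    """Model the per-process tokens of a service, following the page's rules."""
    warnings = []
    required = props.get("wrapper.ntservice.required_privileges", "UNCHANGED")
    token = dict(account)
    if required.upper() not in ("", "NONE", "UNCHANGED"):
        keep = parse_list(required)
        token = {n: s for n, s in account.items() if n in keep or n == KEEP_ALWAYS}
    else:
        # wrapper.ntservice.impersonation only acts when no required list is set
        mode = props.get("wrapper.ntservice.impersonation", "DEFAULT").upper()
        if mode == "REMOVE" or (mode == "DEFAULT" and not is_system):
            token.pop("SeImpersonatePrivilege", None)

    def level(base, prefix, who, fallback=None):
        lists = []
        for op in ("enable", "disable", "remove"):
            value = props.get(prefix + "." + op)
            if value is None and fallback:  # an explicit NONE blocks the fallback
                value = props.get(fallback + "." + op)
            lists.append(parse_list(value))
        return adjust(base, *lists, who, warnings)

    wrapper = level(token, "wrapper.privileges", "wrapper")
    out = {"wrapper": wrapper,
           "java": level(wrapper, "wrapper.java.privileges", "java")}
    default = "wrapper.event.default.command.privileges"
    events = {m.group(1) for m in map(EVENT_RE.match, props) if m} | {"default"}
    for ev in sorted(events):
        prefix = "wrapper.event.%s.command.privileges" % ev
        out["event:" + ev] = level(wrapper, prefix, "event:" + ev, default)
    return out, warnings
```

Calling resolve(parse_conf(PAGE_CONF), ACCOUNT) returns one token per process, so a review can confirm that only the user1 event command keeps SeImpersonatePrivilege.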

wrapper.event.<event_name>.command.privileges.enable

Compatibility: 3.5.57
Editions: Professional Edition, Standard Edition (Not Supported), Community Edition (Not Supported)
Platforms: Windows, Mac OSX (Not Supported), Linux (Not Supported), IBM AIX (Not Supported), FreeBSD (Not Supported), HP-UX (Not Supported), Solaris (Not Supported), IBM z/OS (Not Supported), IBM z/Linux (Not Supported)

This property is used to specify a list of privileges to enable when the event command is launched. The privileges listed must be separated by commas.

Like several of the event command properties, it can be defined:

  • Globally for all events: wrapper.event.default.command.privileges.enable property, or
  • For a specific event: wrapper.event.<event_name>.command.privileges.enable property.

Example (enable SeIncreaseWorkingSetPrivilege and SeCreateGlobalPrivilege):
wrapper.event.user1.command.privileges.enable=SeIncreaseWorkingSetPrivilege, SeCreateGlobalPrivilege

The value ALL can be used to enable all privileges present in the access token of the Wrapper process.

wrapper.event.<event_name>.command.privileges.enable=ALL can also be used in combination with wrapper.event.<event_name>.command.privileges.disable to enable all but a few privileges.

Example (enable all privileges except SeIncreaseWorkingSetPrivilege):
wrapper.event.user1.command.privileges.enable=ALL
wrapper.event.user1.command.privileges.disable=SeIncreaseWorkingSetPrivilege

The default value NONE is useful for wrapper.event.<event_name>.command.privileges.enable to override the value of wrapper.event.default.command.privileges.enable.

Example (SeTimeZonePrivilege is enabled for commands of all events except the user1 event):
wrapper.event.default.command.privileges.enable=SeTimeZonePrivilege
wrapper.event.user1.command.privileges.enable=NONE

wrapper.event.<event_name>.command.privileges.disable

Compatibility: 3.5.57
Editions: Professional Edition, Standard Edition (Not Supported), Community Edition (Not Supported)
Platforms: Windows, Mac OSX (Not Supported), Linux (Not Supported), IBM AIX (Not Supported), FreeBSD (Not Supported), HP-UX (Not Supported), Solaris (Not Supported), IBM z/OS (Not Supported), IBM z/Linux (Not Supported)

This property is used to specify a list of privileges to disable when the Wrapper starts as a console or as a service. The privileges listed must be separated by commas.

Like several of the event command properties, it can be defined:

  • Globally for all events: wrapper.event.default.command.privileges.disable property, or
  • For a specific event: wrapper.event.<event_name>.command.privileges.disable property.

Example (disable SeIncreaseWorkingSetPrivilege and SeCreateGlobalPrivilege):
wrapper.event.user1.command.privileges.disable=SeIncreaseWorkingSetPrivilege, SeCreateGlobalPrivilege

The value ALL can be used to disable all privileges present in the access token of the Wrapper process.

wrapper.event.<event_name>.command.privileges.disable=ALL can also be used in combination with wrapper.event.<event_name>.command.privileges.enable to disable all but a few privileges.

Example (disable all privileges except SeIncreaseWorkingSetPrivilege):
wrapper.event.user1.command.privileges.disable=ALL
wrapper.event.user1.command.privileges.enable=SeIncreaseWorkingSetPrivilege

The default value NONE is useful for wrapper.event.<event_name>.command.privileges.disable to override the value of wrapper.event.default.command.privileges.disable.

Example (SeImpersonatePrivilege is disabled for commands of all events except the user1 event):
wrapper.event.default.command.privileges.disable=SeImpersonatePrivilege
wrapper.event.user1.command.privileges.disable=NONE

WARNING

  • If a privilege is present in both the wrapper.event.<event_name>.command.privileges.enable and wrapper.event.<event_name>.command.privileges.disable lists, a warning will be logged and the privilege will be disabled (except in cases where one of the properties is set to ALL).

  • Using both wrapper.event.<event_name>.command.privileges.enable=ALL and wrapper.event.<event_name>.command.privileges.disable=ALL is invalid.

wrapper.event.<event_name>.command.privileges.remove

Compatibility: 3.5.57
Editions: Professional Edition, Standard Edition (Not Supported), Community Edition (Not Supported)
Platforms: Windows, Mac OSX (Not Supported), Linux (Not Supported), IBM AIX (Not Supported), FreeBSD (Not Supported), HP-UX (Not Supported), Solaris (Not Supported), IBM z/OS (Not Supported), IBM z/Linux (Not Supported)

This property is used to specify a list of privileges to remove when the Wrapper starts as a console or as a service. The privileges listed must be separated by commas.

Like several of the event command properties, it can be defined:

  • Globally for all events: wrapper.event.default.command.privileges.remove property, or
  • For a specific event: wrapper.event.<event_name>.command.privileges.remove property.

Example (remove SeIncreaseWorkingSetPrivilege and SeCreateGlobalPrivilege):
wrapper.event.user1.command.privileges.remove=SeIncreaseWorkingSetPrivilege, SeCreateGlobalPrivilege

The value ALL can be used to remove all privileges present in the access token of the Wrapper process.

Example (remove all privileges):
wrapper.event.user1.command.privileges.remove=ALL

The default value NONE is useful for wrapper.event.<event_name>.command.privileges.remove to override the value of wrapper.event.default.command.privileges.remove.

Example (SeImpersonatePrivilege is removed for commands of all events except the user1 event):
wrapper.event.default.command.privileges.remove=SeImpersonatePrivilege
wrapper.event.user1.command.privileges.remove=NONE

WARNING

Once a privilege has been removed from the access token of a process, it cannot be added back for the lifespan of the process. Removing a privilege also makes it unavailable to all child processes that share the same access token and to any future child processes launched by duplicating the access token of the Wrapper.

NOTE

wrapper.event.<event_name>.command.privileges.remove can be used at runtime to remove one or more privileges. However, it is usually better to remove the privilege(s) from the value of wrapper.ntservice.required_privileges and then reinstall or update the service.

Logging

wrapper.privileges.status.loglevel

Compatibility: 3.5.57
Editions: Professional Edition; Standard Edition (Not Supported); Community Edition (Not Supported)
Platforms: Windows; Mac OSX (Not Supported); Linux (Not Supported); IBM AIX (Not Supported); FreeBSD (Not Supported); HP-UX (Not Supported); Solaris (Not Supported); IBM z/OS (Not Supported); IBM z/Linux (Not Supported)

This property is used to control the log level at which information about privileges is printed in the Wrapper logs.

Changing the log level can be useful for debugging purposes to visualize how privileges are changed. For each process, the list of effective privileges as well as their status will also be printed.

The default value is NONE, which means that no information is printed in the log. In production, using NONE is recommended so as not to leave privilege status information in the logs.

Example (changing log level of privileges status):
wrapper.privileges.status.loglevel=STATUS

The log output will look like this:

Example (Java process privilege status output):
...
STATUS | wrapper  | Launching a JVM...
STATUS | wrapper  | Java process: Privilege 'SeUndockPrivilege' was changed from DISABLED to ENABLED.
STATUS | wrapper  | Java process: Privilege 'SeTimeZonePrivilege' was removed.
STATUS | wrapper  | Java process: Effective privileges:
STATUS | wrapper  | Java process:   SeShutdownPrivilege (DISABLED)
STATUS | wrapper  | Java process:   SeUndockPrivilege (ENABLED)
STATUS | wrapper  | Java process:   SeIncreaseWorkingSetPrivilege (DISABLED)
...

Query the privileges of a Windows Service

Compatibility: 3.5.57
Editions: Professional Edition; Standard Edition (Not Supported); Community Edition (Not Supported)
Platforms: Windows; Mac OSX (Not Supported); Linux (Not Supported); IBM AIX (Not Supported); FreeBSD (Not Supported); HP-UX (Not Supported); Solaris (Not Supported); IBM z/OS (Not Supported); IBM z/Linux (Not Supported)

It is possible to query the required privileges of a Windows service, as well as the runtime privileges of the Wrapper process and its child processes, with a single command: .\wrapper.exe -qr ../conf/wrapper.conf

Example (configuration):
wrapper.ntservice.required_privileges=SeIncreaseWorkingSetPrivilege, SeUndockPrivilege, SeImpersonatePrivilege

wrapper.event.jvm_prelaunch.command.privileges.disable=ALL
wrapper.event.jvm_prelaunch.command.privileges.remove=SeIncreaseWorkingSetPrivilege

wrapper.java.privileges.enable=SeUndockPrivilege, SeTimeZonePrivilege
wrapper.java.privileges.remove=SeImpersonatePrivilege

Example (output):
.\wrapper.exe -qr ..\conf\wrapper.conf
STATUS | wrapperm | Required privileges for the testwrapper3 service:
STATUS | wrapperm |   SeChangeNotifyPrivilege (DEFAULT, ENABLED)
STATUS | wrapperm |   SeIncreaseWorkingSetPrivilege (DISABLED)
STATUS | wrapperm |   SeUndockPrivilege (DISABLED)
STATUS | wrapperm |   SeImpersonatePrivilege (DEFAULT, ENABLED)
STATUS | wrapperm |
STATUS | wrapperm | Child processes:
STATUS | wrapperm |   myscript.bat: Effective privileges:
STATUS | wrapperm |   myscript.bat:   SeChangeNotifyPrivilege (DISABLED)
STATUS | wrapperm |   myscript.bat:   SeUndockPrivilege (DISABLED)
STATUS | wrapperm |   myscript.bat:   SeImpersonatePrivilege (DISABLED)
STATUS | wrapperm |
STATUS | wrapperm |   java.exe: Effective privileges:
STATUS | wrapperm |   java.exe:   SeChangeNotifyPrivilege (DEFAULT, ENABLED)
STATUS | wrapperm |   java.exe:   SeUndockPrivilege (ENABLED)
STATUS | wrapperm |   java.exe:   SeIncreaseWorkingSetPrivilege (DISABLED)


It is also possible to query the privileges of a different service by adding '=', followed by the service name, to the -qr option ('-qr=serviceName').

Query the privileges using the service name:
.\wrapper.exe -qr=myservice ../conf/wrapper-license.conf
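
A check that can run after each service install or update, as an added example (not part of the Wrapper or its documentation): it parses the -qr output shown above and reports privileges that are ENABLED outside an allowlist, or that are still present where the configuration removes them. The ALLOWED and REMOVED policies are hypothetical, and the parser assumes the line layout of the sample output.

```python
import re

# Sample input: the -qr output from the example above (abridged: the empty
# separator lines and the "Child processes:" header are dropped).
SAMPLE = """\
STATUS | wrapperm | Required privileges for the testwrapper3 service:
STATUS | wrapperm |   SeChangeNotifyPrivilege (DEFAULT, ENABLED)
STATUS | wrapperm |   SeIncreaseWorkingSetPrivilege (DISABLED)
STATUS | wrapperm |   SeUndockPrivilege (DISABLED)
STATUS | wrapperm |   SeImpersonatePrivilege (DEFAULT, ENABLED)
STATUS | wrapperm |   myscript.bat: Effective privileges:
STATUS | wrapperm |   myscript.bat:   SeChangeNotifyPrivilege (DISABLED)
STATUS | wrapperm |   myscript.bat:   SeUndockPrivilege (DISABLED)
STATUS | wrapperm |   myscript.bat:   SeImpersonatePrivilege (DISABLED)
STATUS | wrapperm |   java.exe: Effective privileges:
STATUS | wrapperm |   java.exe:   SeChangeNotifyPrivilege (DEFAULT, ENABLED)
STATUS | wrapperm |   java.exe:   SeUndockPrivilege (ENABLED)
STATUS | wrapperm |   java.exe:   SeIncreaseWorkingSetPrivilege (DISABLED)
"""

ENTRY = re.compile(r"^[^|]*\|[^|]*\|\s*(?:(\S+):\s+)?(Se\w+Privilege) \(([^)]*)\)\s*$")

def parse_qr(text):
    """Return {scope: {privilege: set_of_flags}}; scope is 'service' or a process name."""
    parsed = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            proc, name, flags = m.groups()
            parsed.setdefault(proc or "service", {})[name] = {f.strip() for f in flags.split(",")}
    return parsed

def audit(parsed, allowed_enabled, must_be_removed):
    """Return sorted findings: enabled off-allowlist, or present despite removal."""
    findings = []
    for scope, privs in parsed.items():
        for name, flags in privs.items():
            if "ENABLED" in flags and name not in allowed_enabled.get(scope, set()):
                findings.append((scope, name, "enabled-not-allowed"))
            if name in must_be_removed.get(scope, set()):
                findings.append((scope, name, "not-removed"))
    return sorted(findings)

# Hypothetical policy for this sample, not a recommendation from the Wrapper docs.
ALLOWED = {"service": {"SeChangeNotifyPrivilege"},
           "java.exe": {"SeChangeNotifyPrivilege", "SeUndockPrivilege"}}
REMOVED = {"java.exe": {"SeImpersonatePrivilege"}, "myscript.bat": {"SeIncreaseWorkingSetPrivilege"}}

if __name__ == "__main__":
    print(audit(parse_qr(SAMPLE), ALLOWED, REMOVED))
```

With this policy the sample yields one finding: the service's required privileges still carry SeImpersonatePrivilege as ENABLED, while both child processes match their remove settings.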