account.cpp 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331
  1. #include "nssm.h"
  2. #include <sddl.h>
  3. #ifndef STATUS_SUCCESS
  4. #define STATUS_SUCCESS ERROR_SUCCESS
  5. #endif
  6. extern imports_t imports;
  7. /* Open Policy object. */
  8. int open_lsa_policy(LSA_HANDLE *policy) {
  9. LSA_OBJECT_ATTRIBUTES attributes;
  10. ZeroMemory(&attributes, sizeof(attributes));
  11. NTSTATUS status = LsaOpenPolicy(0, &attributes, POLICY_ALL_ACCESS, policy);
  12. if (status != STATUS_SUCCESS) {
  13. print_message(stderr, NSSM_MESSAGE_LSAOPENPOLICY_FAILED, error_string(LsaNtStatusToWinError(status)));
  14. return 1;
  15. }
  16. return 0;
  17. }
  18. /* Look up SID for an account. */
  19. int username_sid(const TCHAR *username, SID **sid, LSA_HANDLE *policy) {
  20. LSA_HANDLE handle;
  21. if (! policy) {
  22. policy = &handle;
  23. if (open_lsa_policy(policy)) return 1;
  24. }
  25. /*
  26. LsaLookupNames() can't look up .\username but can look up
  27. %COMPUTERNAME%\username. ChangeServiceConfig() writes .\username to the
  28. registry when %COMPUTERNAME%\username is a passed as a parameter. We
  29. need to preserve .\username when calling ChangeServiceConfig() without
  30. changing the username, but expand to %COMPUTERNAME%\username when calling
  31. LsaLookupNames().
  32. */
  33. TCHAR *expanded;
  34. unsigned long expandedlen;
  35. if (_tcsnicmp(_T(".\\"), username, 2)) {
  36. expandedlen = (unsigned long) (_tcslen(username) + 1) * sizeof(TCHAR);
  37. expanded = (TCHAR *) HeapAlloc(GetProcessHeap(), 0, expandedlen);
  38. if (! expanded) {
  39. print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("expanded"), _T("username_sid"));
  40. if (policy == &handle) LsaClose(handle);
  41. return 2;
  42. }
  43. memmove(expanded, username, expandedlen);
  44. }
  45. else {
  46. TCHAR computername[MAX_COMPUTERNAME_LENGTH + 1];
  47. expandedlen = _countof(computername);
  48. GetComputerName(computername, &expandedlen);
  49. expandedlen += (unsigned long) _tcslen(username);
  50. expanded = (TCHAR *) HeapAlloc(GetProcessHeap(), 0, expandedlen * sizeof(TCHAR));
  51. if (! expanded) {
  52. print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("expanded"), _T("username_sid"));
  53. if (policy == &handle) LsaClose(handle);
  54. return 2;
  55. }
  56. _sntprintf_s(expanded, expandedlen, _TRUNCATE, _T("%s\\%s"), computername, username + 2);
  57. }
  58. LSA_UNICODE_STRING lsa_username;
  59. int ret = to_utf16(expanded, &lsa_username.Buffer, (unsigned long *) &lsa_username.Length);
  60. HeapFree(GetProcessHeap(), 0, expanded);
  61. if (ret) {
  62. if (policy == &handle) LsaClose(handle);
  63. print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("LSA_UNICODE_STRING"), _T("username_sid()"));
  64. return 4;
  65. }
  66. lsa_username.Length *= sizeof(wchar_t);
  67. lsa_username.MaximumLength = lsa_username.Length + sizeof(wchar_t);
  68. LSA_REFERENCED_DOMAIN_LIST *translated_domains;
  69. LSA_TRANSLATED_SID *translated_sid;
  70. NTSTATUS status = LsaLookupNames(*policy, 1, &lsa_username, &translated_domains, &translated_sid);
  71. HeapFree(GetProcessHeap(), 0, lsa_username.Buffer);
  72. if (policy == &handle) LsaClose(handle);
  73. if (status != STATUS_SUCCESS) {
  74. LsaFreeMemory(translated_domains);
  75. LsaFreeMemory(translated_sid);
  76. print_message(stderr, NSSM_MESSAGE_LSALOOKUPNAMES_FAILED, username, error_string(LsaNtStatusToWinError(status)));
  77. return 5;
  78. }
  79. if (translated_sid->Use != SidTypeUser && translated_sid->Use != SidTypeWellKnownGroup) {
  80. LsaFreeMemory(translated_domains);
  81. LsaFreeMemory(translated_sid);
  82. print_message(stderr, NSSM_GUI_INVALID_USERNAME, username);
  83. return 6;
  84. }
  85. LSA_TRUST_INFORMATION *trust = &translated_domains->Domains[translated_sid->DomainIndex];
  86. if (! trust || ! IsValidSid(trust->Sid)) {
  87. LsaFreeMemory(translated_domains);
  88. LsaFreeMemory(translated_sid);
  89. print_message(stderr, NSSM_GUI_INVALID_USERNAME, username);
  90. return 7;
  91. }
  92. /* GetSidSubAuthority*() return pointers! */
  93. unsigned char *n = GetSidSubAuthorityCount(trust->Sid);
  94. /* Convert translated SID to SID. */
  95. *sid = (SID *) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, GetSidLengthRequired(*n + 1));
  96. if (! *sid) {
  97. LsaFreeMemory(translated_domains);
  98. LsaFreeMemory(translated_sid);
  99. print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("SID"), _T("username_sid"));
  100. return 8;
  101. }
  102. unsigned long error;
  103. if (! InitializeSid(*sid, GetSidIdentifierAuthority(trust->Sid), *n + 1)) {
  104. error = GetLastError();
  105. HeapFree(GetProcessHeap(), 0, *sid);
  106. LsaFreeMemory(translated_domains);
  107. LsaFreeMemory(translated_sid);
  108. print_message(stderr, NSSM_MESSAGE_INITIALIZESID_FAILED, username, error_string(error));
  109. return 9;
  110. }
  111. for (unsigned char i = 0; i <= *n; i++) {
  112. unsigned long *sub = GetSidSubAuthority(*sid, i);
  113. if (i < *n) *sub = *GetSidSubAuthority(trust->Sid, i);
  114. else *sub = translated_sid->RelativeId;
  115. }
  116. ret = 0;
  117. if (translated_sid->Use == SidTypeWellKnownGroup && ! well_known_sid(*sid)) {
  118. print_message(stderr, NSSM_GUI_INVALID_USERNAME, username);
  119. ret = 10;
  120. }
  121. LsaFreeMemory(translated_domains);
  122. LsaFreeMemory(translated_sid);
  123. return ret;
  124. }
  125. int username_sid(const TCHAR *username, SID **sid) {
  126. return username_sid(username, sid, 0);
  127. }
  128. int canonicalise_username(const TCHAR *username, TCHAR **canon) {
  129. LSA_HANDLE policy;
  130. if (open_lsa_policy(&policy)) return 1;
  131. SID *sid;
  132. if (username_sid(username, &sid, &policy)) return 2;
  133. PSID sids = { sid };
  134. LSA_REFERENCED_DOMAIN_LIST *translated_domains;
  135. LSA_TRANSLATED_NAME *translated_name;
  136. NTSTATUS status = LsaLookupSids(policy, 1, &sids, &translated_domains, &translated_name);
  137. if (status != STATUS_SUCCESS) {
  138. LsaFreeMemory(translated_domains);
  139. LsaFreeMemory(translated_name);
  140. print_message(stderr, NSSM_MESSAGE_LSALOOKUPSIDS_FAILED, error_string(LsaNtStatusToWinError(status)));
  141. return 3;
  142. }
  143. LSA_TRUST_INFORMATION *trust = &translated_domains->Domains[translated_name->DomainIndex];
  144. LSA_UNICODE_STRING lsa_canon;
  145. lsa_canon.Length = translated_name->Name.Length + trust->Name.Length + sizeof(wchar_t);
  146. lsa_canon.MaximumLength = lsa_canon.Length + sizeof(wchar_t);
  147. lsa_canon.Buffer = (wchar_t *) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, lsa_canon.MaximumLength);
  148. if (! lsa_canon.Buffer) {
  149. LsaFreeMemory(translated_domains);
  150. LsaFreeMemory(translated_name);
  151. print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("lsa_canon"), _T("username_sid"));
  152. return 9;
  153. }
  154. /* Buffer is wchar_t but Length is in bytes. */
  155. memmove((char *) lsa_canon.Buffer, trust->Name.Buffer, trust->Name.Length);
  156. memmove((char *) lsa_canon.Buffer + trust->Name.Length, L"\\", sizeof(wchar_t));
  157. memmove((char *) lsa_canon.Buffer + trust->Name.Length + sizeof(wchar_t), translated_name->Name.Buffer, translated_name->Name.Length);
  158. unsigned long canonlen;
  159. if (from_utf16(lsa_canon.Buffer, canon, &canonlen)) {
  160. LsaFreeMemory(translated_domains);
  161. LsaFreeMemory(translated_name);
  162. print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("canon"), _T("username_sid"));
  163. return 10;
  164. }
  165. HeapFree(GetProcessHeap(), 0, lsa_canon.Buffer);
  166. LsaFreeMemory(translated_domains);
  167. LsaFreeMemory(translated_name);
  168. return 0;
  169. }
  170. /* Do two usernames map to the same SID? */
  171. int username_equiv(const TCHAR *a, const TCHAR *b) {
  172. SID *sid_a, *sid_b;
  173. if (username_sid(a, &sid_a)) return 0;
  174. if (username_sid(b, &sid_b)) {
  175. FreeSid(sid_a);
  176. return 0;
  177. }
  178. int ret = 0;
  179. if (EqualSid(sid_a, sid_b)) ret = 1;
  180. FreeSid(sid_a);
  181. FreeSid(sid_b);
  182. return ret;
  183. }
  184. /* Does the username represent the LocalSystem account? */
  185. int is_localsystem(const TCHAR *username) {
  186. if (str_equiv(username, NSSM_LOCALSYSTEM_ACCOUNT)) return 1;
  187. if (! imports.IsWellKnownSid) return 0;
  188. SID *sid;
  189. if (username_sid(username, &sid)) return 0;
  190. int ret = 0;
  191. if (imports.IsWellKnownSid(sid, WinLocalSystemSid)) ret = 1;
  192. FreeSid(sid);
  193. return ret;
  194. }
  195. /*
  196. Get well-known alias for LocalSystem and friends.
  197. Returns a pointer to a static string. DO NOT try to free it.
  198. */
  199. const TCHAR *well_known_sid(SID *sid) {
  200. if (! imports.IsWellKnownSid) return 0;
  201. if (imports.IsWellKnownSid(sid, WinLocalSystemSid)) return NSSM_LOCALSYSTEM_ACCOUNT;
  202. if (imports.IsWellKnownSid(sid, WinLocalServiceSid)) return NSSM_LOCALSERVICE_ACCOUNT;
  203. if (imports.IsWellKnownSid(sid, WinNetworkServiceSid)) return NSSM_NETWORKSERVICE_ACCOUNT;
  204. return 0;
  205. }
  206. const TCHAR *well_known_username(const TCHAR *username) {
  207. if (! username) return NSSM_LOCALSYSTEM_ACCOUNT;
  208. if (str_equiv(username, NSSM_LOCALSYSTEM_ACCOUNT)) return NSSM_LOCALSYSTEM_ACCOUNT;
  209. SID *sid;
  210. if (username_sid(username, &sid)) return 0;
  211. const TCHAR *well_known = well_known_sid(sid);
  212. FreeSid(sid);
  213. return well_known;
  214. }
  215. int grant_logon_as_service(const TCHAR *username) {
  216. if (! username) return 0;
  217. /* Open Policy object. */
  218. LSA_OBJECT_ATTRIBUTES attributes;
  219. ZeroMemory(&attributes, sizeof(attributes));
  220. LSA_HANDLE policy;
  221. NTSTATUS status;
  222. if (open_lsa_policy(&policy)) return 1;
  223. /* Look up SID for the account. */
  224. SID *sid;
  225. if (username_sid(username, &sid, &policy)) {
  226. LsaClose(policy);
  227. return 2;
  228. }
  229. /*
  230. Shouldn't happen because it should have been checked before callling this function.
  231. */
  232. if (well_known_sid(sid)) {
  233. LsaClose(policy);
  234. return 3;
  235. }
  236. /* Check if the SID has the "Log on as a service" right. */
  237. LSA_UNICODE_STRING lsa_right;
  238. lsa_right.Buffer = NSSM_LOGON_AS_SERVICE_RIGHT;
  239. lsa_right.Length = (unsigned short) wcslen(lsa_right.Buffer) * sizeof(wchar_t);
  240. lsa_right.MaximumLength = lsa_right.Length + sizeof(wchar_t);
  241. LSA_UNICODE_STRING *rights;
  242. unsigned long count = ~0;
  243. status = LsaEnumerateAccountRights(policy, sid, &rights, &count);
  244. if (status != STATUS_SUCCESS) {
  245. /*
  246. If the account has no rights set LsaEnumerateAccountRights() will return
  247. STATUS_OBJECT_NAME_NOT_FOUND and set count to 0.
  248. */
  249. unsigned long error = LsaNtStatusToWinError(status);
  250. if (error != ERROR_FILE_NOT_FOUND) {
  251. FreeSid(sid);
  252. LsaClose(policy);
  253. print_message(stderr, NSSM_MESSAGE_LSAENUMERATEACCOUNTRIGHTS_FAILED, username, error_string(error));
  254. return 4;
  255. }
  256. }
  257. for (unsigned long i = 0; i < count; i++) {
  258. if (rights[i].Length != lsa_right.Length) continue;
  259. if (_wcsnicmp(rights[i].Buffer, lsa_right.Buffer, lsa_right.MaximumLength)) continue;
  260. /* The SID has the right. */
  261. FreeSid(sid);
  262. LsaFreeMemory(rights);
  263. LsaClose(policy);
  264. return 0;
  265. }
  266. LsaFreeMemory(rights);
  267. /* Add the right. */
  268. status = LsaAddAccountRights(policy, sid, &lsa_right, 1);
  269. FreeSid(sid);
  270. LsaClose(policy);
  271. if (status != STATUS_SUCCESS) {
  272. print_message(stderr, NSSM_MESSAGE_LSAADDACCOUNTRIGHTS_FAILED, error_string(LsaNtStatusToWinError(status)));
  273. return 5;
  274. }
  275. print_message(stdout, NSSM_MESSAGE_GRANTED_LOGON_AS_SERVICE, username);
  276. return 0;
  277. }