123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253 |
- #include "nssm.h"
- #include <sddl.h>
- extern imports_t imports;
- /* Open Policy object. */
- int open_lsa_policy(LSA_HANDLE *policy) {
- LSA_OBJECT_ATTRIBUTES attributes;
- ZeroMemory(&attributes, sizeof(attributes));
- NTSTATUS status = LsaOpenPolicy(0, &attributes, POLICY_ALL_ACCESS, policy);
- if (status) {
- print_message(stderr, NSSM_MESSAGE_LSAOPENPOLICY_FAILED, error_string(LsaNtStatusToWinError(status)));
- return 1;
- }
- return 0;
- }
- /* Look up SID for an account. */
- int username_sid(const TCHAR *username, SID **sid, LSA_HANDLE *policy) {
- LSA_HANDLE handle;
- if (! policy) {
- policy = &handle;
- if (open_lsa_policy(policy)) return 1;
- }
- LSA_UNICODE_STRING lsa_username;
- #ifdef UNICODE
- lsa_username.Buffer = (wchar_t *) username;
- lsa_username.Length = (unsigned short) _tcslen(username) * sizeof(TCHAR);
- lsa_username.MaximumLength = lsa_username.Length + sizeof(TCHAR);
- #else
- size_t buflen;
- mbstowcs_s(&buflen, NULL, 0, username, _TRUNCATE);
- lsa_username.MaximumLength = (unsigned short) buflen * sizeof(wchar_t);
- lsa_username.Length = lsa_username.MaximumLength - sizeof(wchar_t);
- lsa_username.Buffer = (wchar_t *) HeapAlloc(GetProcessHeap(), 0, lsa_username.MaximumLength);
- if (lsa_username.Buffer) mbstowcs_s(&buflen, lsa_username.Buffer, lsa_username.MaximumLength, username, _TRUNCATE);
- else {
- if (policy == &handle) LsaClose(handle);
- print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("LSA_UNICODE_STRING"), _T("username_sid()"));
- return 2;
- }
- #endif
- LSA_REFERENCED_DOMAIN_LIST *translated_domains;
- LSA_TRANSLATED_SID *translated_sid;
- NTSTATUS status = LsaLookupNames(*policy, 1, &lsa_username, &translated_domains, &translated_sid);
- #ifndef UNICODE
- HeapFree(GetProcessHeap(), 0, lsa_username.Buffer);
- #endif
- if (policy == &handle) LsaClose(handle);
- if (status) {
- LsaFreeMemory(translated_domains);
- LsaFreeMemory(translated_sid);
- print_message(stderr, NSSM_MESSAGE_LSALOOKUPNAMES_FAILED, username, error_string(LsaNtStatusToWinError(status)));
- return 3;
- }
- if (translated_sid->Use != SidTypeUser && translated_sid->Use != SidTypeWellKnownGroup) {
- LsaFreeMemory(translated_domains);
- LsaFreeMemory(translated_sid);
- print_message(stderr, NSSM_GUI_INVALID_USERNAME, username);
- return 4;
- }
- LSA_TRUST_INFORMATION *trust = &translated_domains->Domains[translated_sid->DomainIndex];
- if (! trust || ! IsValidSid(trust->Sid)) {
- LsaFreeMemory(translated_domains);
- LsaFreeMemory(translated_sid);
- print_message(stderr, NSSM_GUI_INVALID_USERNAME, username);
- return 5;
- }
- /* GetSidSubAuthority*() return pointers! */
- unsigned char *n = GetSidSubAuthorityCount(trust->Sid);
- /* Convert translated SID to SID. */
- *sid = (SID *) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, GetSidLengthRequired(*n + 1));
- if (! *sid) {
- LsaFreeMemory(translated_domains);
- LsaFreeMemory(translated_sid);
- print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("SID"), _T("grant_logon_as_service"));
- return 6;
- }
- unsigned long error;
- if (! InitializeSid(*sid, GetSidIdentifierAuthority(trust->Sid), *n + 1)) {
- error = GetLastError();
- HeapFree(GetProcessHeap(), 0, *sid);
- LsaFreeMemory(translated_domains);
- LsaFreeMemory(translated_sid);
- print_message(stderr, NSSM_MESSAGE_INITIALIZESID_FAILED, username, error_string(error));
- return 7;
- }
- for (unsigned char i = 0; i <= *n; i++) {
- unsigned long *sub = GetSidSubAuthority(*sid, i);
- if (i < *n) *sub = *GetSidSubAuthority(trust->Sid, i);
- else *sub = translated_sid->RelativeId;
- }
- int ret = 0;
- if (translated_sid->Use == SidTypeWellKnownGroup && ! well_known_sid(*sid)) {
- print_message(stderr, NSSM_GUI_INVALID_USERNAME, username);
- ret = 8;
- }
- LsaFreeMemory(translated_domains);
- LsaFreeMemory(translated_sid);
- return ret;
- }
- int username_sid(const TCHAR *username, SID **sid) {
- return username_sid(username, sid, 0);
- }
- /* Do two usernames map to the same SID? */
- int username_equiv(const TCHAR *a, const TCHAR *b) {
- SID *sid_a, *sid_b;
- if (username_sid(a, &sid_a)) return 0;
- if (username_sid(b, &sid_b)) {
- FreeSid(sid_a);
- return 0;
- }
- int ret = 0;
- if (EqualSid(sid_a, sid_b)) ret = 1;
- FreeSid(sid_a);
- FreeSid(sid_b);
- return ret;
- }
- /* Does the username represent the LocalSystem account? */
- int is_localsystem(const TCHAR *username) {
- if (str_equiv(username, NSSM_LOCALSYSTEM_ACCOUNT)) return 1;
- if (! imports.IsWellKnownSid) return 0;
- SID *sid;
- if (username_sid(username, &sid)) return 0;
- int ret = 0;
- if (imports.IsWellKnownSid(sid, WinLocalSystemSid)) ret = 1;
- FreeSid(sid);
- return ret;
- }
- /*
- Get well-known alias for LocalSystem and friends.
- Returns a pointer to a static string. DO NOT try to free it.
- */
- const TCHAR *well_known_sid(SID *sid) {
- if (! imports.IsWellKnownSid) return 0;
- if (imports.IsWellKnownSid(sid, WinLocalSystemSid)) return NSSM_LOCALSYSTEM_ACCOUNT;
- if (imports.IsWellKnownSid(sid, WinLocalServiceSid)) return NSSM_LOCALSERVICE_ACCOUNT;
- if (imports.IsWellKnownSid(sid, WinNetworkServiceSid)) return NSSM_NETWORKSERVICE_ACCOUNT;
- return 0;
- }
- const TCHAR *well_known_username(const TCHAR *username) {
- if (! username) return NSSM_LOCALSYSTEM_ACCOUNT;
- if (str_equiv(username, NSSM_LOCALSYSTEM_ACCOUNT)) return NSSM_LOCALSYSTEM_ACCOUNT;
- SID *sid;
- int r = username_sid(username, &sid);
- if (username_sid(username, &sid)) return 0;
- const TCHAR *well_known = well_known_sid(sid);
- FreeSid(sid);
- return well_known;
- }
- int grant_logon_as_service(const TCHAR *username) {
- if (! username) return 0;
- /* Open Policy object. */
- LSA_OBJECT_ATTRIBUTES attributes;
- ZeroMemory(&attributes, sizeof(attributes));
- LSA_HANDLE policy;
- NTSTATUS status;
- if (open_lsa_policy(&policy)) return 1;
- /* Look up SID for the account. */
- SID *sid;
- if (username_sid(username, &sid, &policy)) {
- LsaClose(policy);
- return 2;
- }
- /*
- Shouldn't happen because it should have been checked before callling this function.
- */
- if (well_known_sid(sid)) {
- LsaClose(policy);
- return 3;
- }
- /* Check if the SID has the "Log on as a service" right. */
- LSA_UNICODE_STRING lsa_right;
- lsa_right.Buffer = NSSM_LOGON_AS_SERVICE_RIGHT;
- lsa_right.Length = (unsigned short) wcslen(lsa_right.Buffer) * sizeof(wchar_t);
- lsa_right.MaximumLength = lsa_right.Length + sizeof(wchar_t);
- LSA_UNICODE_STRING *rights;
- unsigned long count = ~0;
- status = LsaEnumerateAccountRights(policy, sid, &rights, &count);
- if (status) {
- /*
- If the account has no rights set LsaEnumerateAccountRights() will return
- STATUS_OBJECT_NAME_NOT_FOUND and set count to 0.
- */
- unsigned long error = LsaNtStatusToWinError(status);
- if (error != ERROR_FILE_NOT_FOUND) {
- FreeSid(sid);
- LsaClose(policy);
- print_message(stderr, NSSM_MESSAGE_LSAENUMERATEACCOUNTRIGHTS_FAILED, username, error_string(error));
- return 4;
- }
- }
- for (unsigned long i = 0; i < count; i++) {
- if (rights[i].Length != lsa_right.Length) continue;
- if (_wcsnicmp(rights[i].Buffer, lsa_right.Buffer, lsa_right.MaximumLength)) continue;
- /* The SID has the right. */
- FreeSid(sid);
- LsaFreeMemory(rights);
- LsaClose(policy);
- return 0;
- }
- LsaFreeMemory(rights);
- /* Add the right. */
- status = LsaAddAccountRights(policy, sid, &lsa_right, 1);
- FreeSid(sid);
- LsaClose(policy);
- if (status) {
- print_message(stderr, NSSM_MESSAGE_LSAADDACCOUNTRIGHTS_FAILED, error_string(LsaNtStatusToWinError(status)));
- return 5;
- }
- print_message(stdout, NSSM_MESSAGE_GRANTED_LOGON_AS_SERVICE, username);
- return 0;
- }
|