X-Git-Url: http://git.iain.cx/?a=blobdiff_plain;f=service.cpp;h=898d987605e3328a1186dbe8f0e2aa25e1da77d6;hb=6d0e20215772e976fcf364f16e005199d4f3b726;hp=5a732b09007bedfe60a121d12e3a656a7d98d69f;hpb=8663869ce7d0e0aedbd05dcba47f5472f7ac8c2e;p=nssm.git
diff --git a/service.cpp b/service.cpp
index 5a732b0..898d987 100644
--- a/service.cpp
+++ b/service.cpp
@@ -1,8 +1,5 @@
 #include "nssm.h"
-/* This is explicitly a wide string. */
-#define NSSM_LOGON_AS_SERVICE_RIGHT L"SeServiceLogonRight"
-
 bool is_admin;
 bool use_critical_section;
@@ -256,8 +253,8 @@ static unsigned long WINAPI shutdown_service(void *arg) {
 }
 /* Connect to the service manager */
-SC_HANDLE open_service_manager() {
- SC_HANDLE ret = OpenSCManager(0, SERVICES_ACTIVE_DATABASE, SC_MANAGER_ALL_ACCESS);
+SC_HANDLE open_service_manager(unsigned long access) {
+ SC_HANDLE ret = OpenSCManager(0, SERVICES_ACTIVE_DATABASE, access);
 if (! ret) {
 if (is_admin) log_event(EVENTLOG_ERROR_TYPE, NSSM_EVENT_OPENSCMANAGER_FAILED, 0);
 return 0;
@@ -267,8 +264,8 @@ SC_HANDLE open_service_manager() {
 }
 /* Open a service by name or display name. */
-SC_HANDLE open_service(SC_HANDLE services, TCHAR *service_name, TCHAR *canonical_name, unsigned long canonical_namelen) {
- SC_HANDLE service_handle = OpenService(services, service_name, SERVICE_ALL_ACCESS);
+SC_HANDLE open_service(SC_HANDLE services, TCHAR *service_name, unsigned long access, TCHAR *canonical_name, unsigned long canonical_namelen) {
+ SC_HANDLE service_handle = OpenService(services, service_name, access);
 if (service_handle) {
 if (canonical_name && canonical_name != service_name) {
 if (_sntprintf_s(canonical_name, canonical_namelen, _TRUNCATE, _T("%s"), service_name) < 0) {
@@ -334,7 +331,7 @@ SC_HANDLE open_service(SC_HANDLE services, TCHAR *service_name, TCHAR *canonical
 }
 HeapFree(GetProcessHeap(), 0, status);
- return open_service(services, canonical_name, 0, 0);
+ return open_service(services, canonical_name, access, 0, 0);
 }
 }
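Review bot: The new `access` parameter of open_service() in the @@ -267 hunk is undocumented, and the function's contract now depends on the rights held by two different handles. The header comment says the service is opened "by name or display name"; the display-name lookup is outside the hunk, but if it enumerates services the `services` handle must carry SC_MANAGER_ENUMERATE_SERVICE, so a caller that opens the manager with SC_MANAGER_CONNECT alone (service_main in the last hunk does) can only rely on the by-name path. I would extend the comment to something like `/* Open a service by name or display name, requesting only the rights in access. Display-name lookup needs SC_MANAGER_ENUMERATE_SERVICE on services. */` and give open_service_manager() in the @@ -256 hunk a matching line about passing the minimum SC_MANAGER_* rights. The body of open_service() continues outside the hunk.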
@@ -342,7 +339,7 @@ SC_HANDLE open_service(SC_HANDLE services, TCHAR *service_name, TCHAR *canonical
 }
 /* Recurse so we can get an error message. */
- return open_service(services, service_name, 0, 0);
+ return open_service(services, service_name, access, 0, 0);
 }
 QUERY_SERVICE_CONFIG *query_service_config(const TCHAR *service_name, SC_HANDLE service_handle) {
@@ -475,165 +472,20 @@ int get_service_username(const TCHAR *service_name, const QUERY_SERVICE_CONFIG *
 if (! qsc) return 1;
- if (str_equiv(qsc->lpServiceStartName, NSSM_LOCALSYSTEM_ACCOUNT)) return 0;
-
- size_t len = _tcslen(qsc->lpServiceStartName);
- *username = (TCHAR *) HeapAlloc(GetProcessHeap(), 0, (len + 1) * sizeof(TCHAR));
- if (! *username) {
- print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("username"), _T("get_service_username()"));
- return 2;
- }
-
- memmove(*username, qsc->lpServiceStartName, (len + 1) * sizeof(TCHAR));
- *usernamelen = len;
-
- return 0;
-}
-
-int grant_logon_as_service(const TCHAR *username) {
- if (! username) return 0;
- if (str_equiv(username, NSSM_LOCALSYSTEM_ACCOUNT)) return 0;
-
- /* Open Policy object. */
- LSA_OBJECT_ATTRIBUTES attributes;
- ZeroMemory(&attributes, sizeof(attributes));
-
- LSA_HANDLE policy;
-
- NTSTATUS status = LsaOpenPolicy(0, &attributes, POLICY_ALL_ACCESS, &policy);
- if (status) {
- print_message(stderr, NSSM_MESSAGE_LSAOPENPOLICY_FAILED, error_string(LsaNtStatusToWinError(status)));
- return 1;
- }
-
- /* Look up SID for the account. */
- LSA_UNICODE_STRING lsa_username;
-#ifdef UNICODE
- lsa_username.Buffer = (wchar_t *) username;
- lsa_username.Length = (unsigned short) _tcslen(username) * sizeof(TCHAR);
- lsa_username.MaximumLength = lsa_username.Length + sizeof(TCHAR);
-#else
- size_t buflen;
- mbstowcs_s(&buflen, NULL, 0, username, _TRUNCATE);
- lsa_username.MaximumLength = (unsigned short) buflen * sizeof(wchar_t);
- lsa_username.Length = lsa_username.MaximumLength - sizeof(wchar_t);
- lsa_username.Buffer = (wchar_t *) HeapAlloc(GetProcessHeap(), 0, lsa_username.MaximumLength);
- if (lsa_username.Buffer) mbstowcs_s(&buflen, lsa_username.Buffer, lsa_username.MaximumLength, username, _TRUNCATE);
- else {
- LsaClose(policy);
- print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("LSA_UNICODE_STRING"), _T("grant_logon_as_service()"));
- return 2;
- }
-#endif
-
- LSA_REFERENCED_DOMAIN_LIST *translated_domains;
- LSA_TRANSLATED_SID *translated_sid;
- status = LsaLookupNames(policy, 1, &lsa_username, &translated_domains, &translated_sid);
-#ifndef UNICODE
- HeapFree(GetProcessHeap(), 0, lsa_username.Buffer);
-#endif
- if (status) {
- LsaFreeMemory(translated_domains);
- LsaFreeMemory(translated_sid);
- LsaClose(policy);
- print_message(stderr, NSSM_MESSAGE_LSALOOKUPNAMES_FAILED, username, error_string(LsaNtStatusToWinError(status)));
- return 3;
- }
-
- if (translated_sid->Use != SidTypeUser) {
- LsaFreeMemory(translated_domains);
- LsaFreeMemory(translated_sid);
- LsaClose(policy);
- print_message(stderr, NSSM_GUI_INVALID_USERNAME, username);
- return 4;
- }
-
- LSA_TRUST_INFORMATION *trust = &translated_domains->Domains[translated_sid->DomainIndex];
- if (! trust || ! IsValidSid(trust->Sid)) {
- LsaFreeMemory(translated_domains);
- LsaFreeMemory(translated_sid);
- LsaClose(policy);
- print_message(stderr, NSSM_GUI_INVALID_USERNAME, username);
- return 4;
- }
-
- /* GetSidSubAuthority*() return pointers! */
- unsigned char *n = GetSidSubAuthorityCount(trust->Sid);
-
- /* Convert translated SID to SID. */
- SID *sid = (SID *) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, GetSidLengthRequired(*n + 1));
- if (! sid) {
- LsaFreeMemory(translated_domains);
- LsaFreeMemory(translated_sid);
- LsaClose(policy);
- print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("SID"), _T("grant_logon_as_service"));
- return 4;
- }
-
- unsigned long error;
- if (! InitializeSid(sid, GetSidIdentifierAuthority(trust->Sid), *n + 1)) {
- error = GetLastError();
- HeapFree(GetProcessHeap(), 0, sid);
- LsaFreeMemory(translated_domains);
- LsaFreeMemory(translated_sid);
- LsaClose(policy);
- print_message(stderr, NSSM_MESSAGE_INITIALIZESID_FAILED, username, error_string(error));
- return 5;
- }
-
- for (unsigned char i = 0; i <= *n; i++) {
- unsigned long *sub = GetSidSubAuthority(sid, i);
- if (i < *n) *sub = *GetSidSubAuthority(trust->Sid, i);
- else *sub = translated_sid->RelativeId;
- }
-
- LsaFreeMemory(translated_domains);
- LsaFreeMemory(translated_sid);
-
- /* Check if the SID has the "Log on as a service" right. */
- LSA_UNICODE_STRING lsa_right;
- lsa_right.Buffer = NSSM_LOGON_AS_SERVICE_RIGHT;
- lsa_right.Length = (unsigned short) wcslen(lsa_right.Buffer) * sizeof(wchar_t);
- lsa_right.MaximumLength = lsa_right.Length + sizeof(wchar_t);
+ if (qsc->lpServiceStartName[0]) {
+ if (is_localsystem(qsc->lpServiceStartName)) return 0;
- LSA_UNICODE_STRING *rights;
- unsigned long count = ~0;
- status = LsaEnumerateAccountRights(policy, sid, &rights, &count);
- if (status) {
- /*
- If the account has no rights set LsaEnumerateAccountRights() will return
- STATUS_OBJECT_NAME_NOT_FOUND and set count to 0.
- */
- error = LsaNtStatusToWinError(status);
- if (error != ERROR_FILE_NOT_FOUND) {
- HeapFree(GetProcessHeap(), 0, sid);
- LsaClose(policy);
- print_message(stderr, NSSM_MESSAGE_LSAENUMERATEACCOUNTRIGHTS_FAILED, username, error_string(error));
- return 4;
+ size_t len = _tcslen(qsc->lpServiceStartName);
+ *username = (TCHAR *) HeapAlloc(GetProcessHeap(), 0, (len + 1) * sizeof(TCHAR));
+ if (! *username) {
+ print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("username"), _T("get_service_username()"));
+ return 2;
 }
- }
-
- for (unsigned long i = 0; i < count; i++) {
- if (rights[i].Length != lsa_right.Length) continue;
- if (_wcsnicmp(rights[i].Buffer, lsa_right.Buffer, lsa_right.MaximumLength)) continue;
- /* The SID has the right. */
- HeapFree(GetProcessHeap(), 0, sid);
- LsaFreeMemory(rights);
- LsaClose(policy);
- return 0;
- }
- LsaFreeMemory(rights);
- /* Add the right. */
- status = LsaAddAccountRights(policy, sid, &lsa_right, 1);
- HeapFree(GetProcessHeap(), 0, sid);
- LsaClose(policy);
- if (status) {
- print_message(stderr, NSSM_MESSAGE_LSAADDACCOUNTRIGHTS_FAILED, error_string(LsaNtStatusToWinError(status)));
- return 5;
+ memmove(*username, qsc->lpServiceStartName, (len + 1) * sizeof(TCHAR));
+ *usernamelen = len;
 }
- print_message(stdout, NSSM_MESSAGE_GRANTED_LOGON_AS_SERVICE, username);
 return 0;
 }
@@ -791,6 +643,10 @@ int pre_edit_service(int argc, TCHAR **argv) {
 additional = argv[3];
 remainder = 4;
 }
+ else if (str_equiv(setting->name, NSSM_NATIVE_OBJECTNAME) && mode == MODE_SETTING) {
+ additional = argv[3];
+ remainder = 4;
+ }
 else {
 additional = argv[remainder];
 if (argc < mandatory) return usage(1);
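Review bot: get_service_username() now returns 0 for three different outcomes (an empty start name, LocalSystem, and a name copied out), and only the last one writes `*username` and `*usernamelen`. Whether both outputs are cleared before `if (! qsc) return 1;` is above the hunk; if they are not, a caller cannot tell "no account" from a stale pointer. The function deserves a header comment stating that the outputs are left untouched in the first two cases and that in the third `*username` is a HeapAlloc() buffer the caller must release with HeapFree(). The start of the function is outside the hunk.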
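Review bot: The new `NSSM_NATIVE_OBJECTNAME` branch reads `argv[3]` and sets `remainder = 4` with no argument-count check in view, whereas the `else` branch below it is followed by `if (argc < mandatory) return usage(1);`. If `mandatory` has not already been enforced for this path above the hunk, a short command line leaves `additional` pointing past the supplied arguments and `remainder` greater than `argc`, which the `remainder == argc` test added in the @@ -933 hunk would not catch. A guard such as `if (argc < 4) return usage(1);` as the first line of the branch would make the requirement explicit. pre_edit_service() starts and ends outside the hunk.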
@@ -801,14 +657,16 @@ int pre_edit_service(int argc, TCHAR **argv) {
 _sntprintf_s(service->name, _countof(service->name), _TRUNCATE, _T("%s"), service_name);
 /* Open service manager */
- SC_HANDLE services = open_service_manager();
+ SC_HANDLE services = open_service_manager(SC_MANAGER_CONNECT | SC_MANAGER_ENUMERATE_SERVICE);
 if (! services) {
 print_message(stderr, NSSM_MESSAGE_OPEN_SERVICE_MANAGER_FAILED);
 return 2;
 }
 /* Try to open the service */
- service->handle = open_service(services, service->name, service->name, _countof(service->name));
+ unsigned long access = SERVICE_QUERY_CONFIG;
+ if (mode != MODE_GETTING) access |= SERVICE_CHANGE_CONFIG;
+ service->handle = open_service(services, service->name, access, service->name, _countof(service->name));
 if (! service->handle) {
 CloseServiceHandle(services);
 return 3;
@@ -933,6 +791,9 @@ int pre_edit_service(int argc, TCHAR **argv) {
 /* Unset the parameter. */
 value.string = 0;
 }
+ else if (remainder == argc) {
+ value.string = 0;
+ }
 else {
 /* Set the parameter. */
 size_t len = 0;
@@ -1008,7 +869,7 @@ int install_service(nssm_service_t *service) {
 if (! service) return 1;
 /* Open service manager */
- SC_HANDLE services = open_service_manager();
+ SC_HANDLE services = open_service_manager(SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE);
 if (! services) {
 print_message(stderr, NSSM_MESSAGE_OPEN_SERVICE_MANAGER_FAILED);
 cleanup_nssm_service(service);
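Review bot: Write access is granted by exclusion in `if (mode != MODE_GETTING) access |= SERVICE_CHANGE_CONFIG;`, so every mode other than getting, including any added later, opens the service with SERVICE_CHANGE_CONFIG. The change appears intended to request only the rights each operation needs, and testing for the modes that actually modify the service keeps the default at read-only, e.g. `if (mode == MODE_SETTING) access |= SERVICE_CHANGE_CONFIG;` extended with whichever other writing modes exist (they are not visible here). A one-line comment above `unsigned long access` saying why these two rights are chosen would also help the next reader. pre_edit_service() begins and ends outside the hunk.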
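Review bot: The added `else if (remainder == argc)` branch in the @@ -933 hunk carries no comment, while the branches on either side have `/* Unset the parameter. */` and `/* Set the parameter. */`. Its body repeats the unset branch, so a reader cannot tell whether a missing value is meant as "unset" or as "nothing supplied for this setting". I would add a comment such as `/* No value follows the setting name: pass a null string. */`, or merge the condition into the branch above if the two cases are meant to be identical (its condition is outside the hunk).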
@@ -1077,9 +938,12 @@ int edit_service(nssm_service_t *service, bool editing) {
 }
 else if (editing) username = NSSM_LOCALSYSTEM_ACCOUNT;
- if (grant_logon_as_service(username)) {
- print_message(stderr, NSSM_MESSAGE_GRANT_LOGON_AS_SERVICE_FAILED, username);
- return 5;
+ if (well_known_username(username)) password = _T("");
+ else {
+ if (grant_logon_as_service(username)) {
+ print_message(stderr, NSSM_MESSAGE_GRANT_LOGON_AS_SERVICE_FAILED, username);
+ return 5;
+ }
 }
 if (! ChangeServiceConfig(service->handle, service->type, startup, SERVICE_NO_CHANGE, 0, 0, 0, 0, username, password, service->displayname)) {
@@ -1124,13 +988,33 @@ int control_service(unsigned long control, int argc, TCHAR **argv) {
 TCHAR *service_name = argv[0];
 TCHAR canonical_name[SERVICE_NAME_LENGTH];
- SC_HANDLE services = open_service_manager();
+ SC_HANDLE services = open_service_manager(SC_MANAGER_CONNECT | SC_MANAGER_ENUMERATE_SERVICE);
 if (! services) {
 print_message(stderr, NSSM_MESSAGE_OPEN_SERVICE_MANAGER_FAILED);
 return 2;
 }
- SC_HANDLE service_handle = open_service(services, service_name, canonical_name, _countof(canonical_name));
+ unsigned long access = SERVICE_QUERY_STATUS;
+ switch (control) {
+ case NSSM_SERVICE_CONTROL_START:
+ access |= SERVICE_START;
+ break;
+
+ case SERVICE_CONTROL_CONTINUE:
+ case SERVICE_CONTROL_PAUSE:
+ access |= SERVICE_PAUSE_CONTINUE;
+ break;
+
+ case SERVICE_CONTROL_STOP:
+ access |= SERVICE_STOP;
+ break;
+
+ case NSSM_SERVICE_CONTROL_ROTATE:
+ access |= SERVICE_USER_DEFINED_CONTROL;
+ break;
+ }
+
+ SC_HANDLE service_handle = open_service(services, service_name, access, canonical_name, _countof(canonical_name));
 if (! service_handle) {
 CloseServiceHandle(services);
 return 3;
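Review bot: `well_known_username(username)` is now the first call to receive `username`, and the context line `else if (editing) username = NSSM_LOCALSYSTEM_ACCOUNT;` suggests the pointer can still be null when not editing. The grant_logon_as_service() body deleted from this file in the @@ -475 hunk began with `if (! username) return 0;`, so the old path tolerated null; whether well_known_username() and the relocated grant_logon_as_service() do is not visible in this diff. Either confirm that both accept a null name or wrap the added block in `if (username) { … }` so the assumption is explicit. A short comment on why the password is forced to the empty string for well-known accounts would also help; the assignment of `username` and `password` sits above the hunk.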
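Review bot: The `switch (control)` that builds `access` in control_service() has no `default`, so any control code not listed opens the service with SERVICE_QUERY_STATUS alone and the reason is left implicit. That is the safe direction, but a control added later that needs its own right (SERVICE_INTERROGATE, say) would fail with an access-denied error at the control call, far from this switch. I would close it with `default: /* status-only: SERVICE_QUERY_STATUS is enough */ break;` so the least-privilege choice is stated and adding a case is a deliberate edit. Which control values reach this function is decided outside the hunk.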
@@ -1228,14 +1112,14 @@ int remove_service(nssm_service_t *service) {
 if (! service) return 1;
 /* Open service manager */
- SC_HANDLE services = open_service_manager();
+ SC_HANDLE services = open_service_manager(SC_MANAGER_CONNECT | SC_MANAGER_ENUMERATE_SERVICE);
 if (! services) {
 print_message(stderr, NSSM_MESSAGE_OPEN_SERVICE_MANAGER_FAILED);
 return 2;
 }
 /* Try to open the service */
- service->handle = open_service(services, service->name, service->name, _countof(service->name));
+ service->handle = open_service(services, service->name, DELETE, service->name, _countof(service->name));
 if (! service->handle) {
 CloseServiceHandle(services);
 return 3;
@@ -1305,9 +1189,9 @@ void WINAPI service_main(unsigned long argc, TCHAR **argv) {
 /* Try to create the exit action parameters; we don't care if it fails */
 create_exit_action(service->name, exit_action_strings[0], false);
- SC_HANDLE services = open_service_manager();
+ SC_HANDLE services = open_service_manager(SC_MANAGER_CONNECT);
 if (services) {
- service->handle = OpenService(services, service->name, SC_MANAGER_ALL_ACCESS);
+ service->handle = open_service(services, service->name, SERVICE_CHANGE_CONFIG, 0, 0);
 set_service_recovery(service);
 CloseServiceHandle(services);
 }
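Review bot: In the service_main() hunk the result of `open_service(...)` is stored in `service->handle` and `set_service_recovery(service)` is called without testing it. If the open fails, for instance because the service's security descriptor does not grant SERVICE_CHANGE_CONFIG to the account the service runs as, set_service_recovery() (not shown) is handed a null handle. `if (service->handle) set_service_recovery(service);` keeps the failure contained. If open_service() reports only to stderr (its error paths are not in this diff), a log_event() call on the failure branch may be needed for the error to be visible when running as a service. service_main() continues outside the hunk.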