X-Git-Url: http://git.iain.cx/?a=blobdiff_plain;f=service.cpp;h=eec22619c4983dec6877d15a2b0de8feffb95bd7;hb=b6cfe6e22a89192c1bdcf234f17a72fd9993d570;hp=b246443bf56394b87aed57288923f5cc27a5915c;hpb=2c60e5334f6df07bf42e7a91cf59638453eca473;p=nssm.git diff --git a/service.cpp b/service.cpp index b246443..eec2261 100644 --- a/service.cpp +++ b/service.cpp @@ -1,5 +1,8 @@ #include "nssm.h" +/* This is explicitly a wide string. */ +#define NSSM_LOGON_AS_SERVICE_RIGHT L"SeServiceLogonRight" + extern const TCHAR *exit_action_strings[]; bool is_admin; @@ -34,6 +37,180 @@ SC_HANDLE open_service_manager() { return ret; } +QUERY_SERVICE_CONFIG *query_service_config(const TCHAR *service_name, SC_HANDLE service_handle) { + QUERY_SERVICE_CONFIG *qsc; + unsigned long bufsize; + unsigned long error; + + QueryServiceConfig(service_handle, 0, 0, &bufsize); + error = GetLastError(); + if (error == ERROR_INSUFFICIENT_BUFFER) { + qsc = (QUERY_SERVICE_CONFIG *) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, bufsize); + if (! qsc) { + print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("QUERY_SERVICE_CONFIG"), _T("query_service_config()"), 0); + return 0; + } + } + else { + print_message(stderr, NSSM_MESSAGE_QUERYSERVICECONFIG_FAILED, service_name, error_string(error), 0); + return 0; + } + + if (! QueryServiceConfig(service_handle, qsc, bufsize, &bufsize)) { + HeapFree(GetProcessHeap(), 0, qsc); + print_message(stderr, NSSM_MESSAGE_QUERYSERVICECONFIG_FAILED, service_name, error_string(GetLastError()), 0); + return 0; + } + + return qsc; +} + +static int grant_logon_as_service(const TCHAR *username) { + if (str_equiv(username, NSSM_LOCALSYSTEM_ACCOUNT)) return 0; + + /* Open Policy object. */ + LSA_OBJECT_ATTRIBUTES attributes; + ZeroMemory(&attributes, sizeof(attributes)); + + LSA_HANDLE policy; + + NTSTATUS status = LsaOpenPolicy(0, &attributes, POLICY_ALL_ACCESS, &policy); + if (status) { + print_message(stderr, NSSM_MESSAGE_LSAOPENPOLICY_FAILED, error_string(LsaNtStatusToWinError(status))); + return 1; + } + + /* Look up SID for the account. */ + LSA_UNICODE_STRING lsa_username; +#ifdef UNICODE + lsa_username.Buffer = (wchar_t *) username; + lsa_username.Length = (unsigned short) _tcslen(username) * sizeof(TCHAR); + lsa_username.MaximumLength = lsa_username.Length + sizeof(TCHAR); +#else + size_t buflen; + mbstowcs_s(&buflen, NULL, 0, username, _TRUNCATE); + lsa_username.MaximumLength = buflen * sizeof(wchar_t); + lsa_username.Length = lsa_username.MaximumLength - sizeof(wchar_t); + lsa_username.Buffer = (wchar_t *) HeapAlloc(GetProcessHeap(), 0, lsa_username.MaximumLength); + if (lsa_username.Buffer) mbstowcs_s(&buflen, lsa_username.Buffer, lsa_username.MaximumLength, username, _TRUNCATE); + else { + LsaClose(policy); + print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("LSA_UNICODE_STRING"), _T("grant_logon_as_service()")); + return 2; + } +#endif + + LSA_REFERENCED_DOMAIN_LIST *translated_domains; + LSA_TRANSLATED_SID *translated_sid; + status = LsaLookupNames(policy, 1, &lsa_username, &translated_domains, &translated_sid); +#ifndef UNICODE + HeapFree(GetProcessHeap(), 0, lsa_username.Buffer); +#endif + if (status) { + LsaFreeMemory(translated_domains); + LsaFreeMemory(translated_sid); + LsaClose(policy); + print_message(stderr, NSSM_MESSAGE_LSALOOKUPNAMES_FAILED, username, error_string(LsaNtStatusToWinError(status))); + return 3; + } + + if (translated_sid->Use != SidTypeUser) { + LsaFreeMemory(translated_domains); + LsaFreeMemory(translated_sid); + LsaClose(policy); + print_message(stderr, NSSM_GUI_INVALID_USERNAME, username); + return 4; + } + + LSA_TRUST_INFORMATION *trust = &translated_domains->Domains[translated_sid->DomainIndex]; + if (! trust || ! IsValidSid(trust->Sid)) { + LsaFreeMemory(translated_domains); + LsaFreeMemory(translated_sid); + LsaClose(policy); + print_message(stderr, NSSM_GUI_INVALID_USERNAME, username); + return 4; + } + + /* GetSidSubAuthority*() return pointers! */ + unsigned char *n = GetSidSubAuthorityCount(trust->Sid); + + /* Convert translated SID to SID. */ + SID *sid = (SID *) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, GetSidLengthRequired(*n + 1)); + if (! sid) { + LsaFreeMemory(translated_domains); + LsaFreeMemory(translated_sid); + LsaClose(policy); + print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("SID"), _T("grant_logon_as_service")); + return 4; + } + + unsigned long error; + if (! InitializeSid(sid, GetSidIdentifierAuthority(trust->Sid), *n + 1)) { + error = GetLastError(); + HeapFree(GetProcessHeap(), 0, sid); + LsaFreeMemory(translated_domains); + LsaFreeMemory(translated_sid); + LsaClose(policy); + print_message(stderr, NSSM_MESSAGE_INITIALIZESID_FAILED, username, error_string(error)); + return 5; + } + + for (unsigned char i = 0; i <= *n; i++) { + unsigned long *sub = GetSidSubAuthority(sid, i); + if (i < *n) *sub = *GetSidSubAuthority(trust->Sid, i); + else *sub = translated_sid->RelativeId; + } + + LsaFreeMemory(translated_domains); + LsaFreeMemory(translated_sid); + + /* Check if the SID has the "Log on as a service" right. */ + LSA_UNICODE_STRING lsa_right; + lsa_right.Buffer = NSSM_LOGON_AS_SERVICE_RIGHT; + lsa_right.Length = (unsigned short) wcslen(lsa_right.Buffer) * sizeof(wchar_t); + lsa_right.MaximumLength = lsa_right.Length + sizeof(wchar_t); + + LSA_UNICODE_STRING *rights; + unsigned long count = ~0; + status = LsaEnumerateAccountRights(policy, sid, &rights, &count); + if (status) { + /* + If the account has no rights set LsaEnumerateAccountRights() will return + STATUS_OBJECT_NAME_NOT_FOUND and set count to 0. + */ + error = LsaNtStatusToWinError(status); + if (error != ERROR_FILE_NOT_FOUND) { + HeapFree(GetProcessHeap(), 0, sid); + LsaClose(policy); + print_message(stderr, NSSM_MESSAGE_LSAENUMERATEACCOUNTRIGHTS_FAILED, username, error_string(error)); + return 4; + } + } + + for (unsigned long i = 0; i < count; i++) { + if (rights[i].Length != lsa_right.Length) continue; + if (_wcsnicmp(rights[i].Buffer, lsa_right.Buffer, lsa_right.MaximumLength)) continue; + /* The SID has the right. */ + HeapFree(GetProcessHeap(), 0, sid); + LsaFreeMemory(rights); + LsaClose(policy); + return 0; + } + LsaFreeMemory(rights); + + /* Add the right. */ + status = LsaAddAccountRights(policy, sid, &lsa_right, 1); + HeapFree(GetProcessHeap(), 0, sid); + LsaClose(policy); + if (status) { + print_message(stderr, NSSM_MESSAGE_LSAADDACCOUNTRIGHTS_FAILED, error_string(LsaNtStatusToWinError(status))); + return 5; + } + + print_message(stdout, NSSM_MESSAGE_GRANTED_LOGON_AS_SERVICE, username); + return 0; +} + /* Set default values which aren't zero. */ void set_nssm_service_defaults(nssm_service_t *service) { if (! service) return; @@ -90,7 +267,7 @@ int pre_install_service(int argc, TCHAR **argv) { if (argc < 2) return nssm_gui(IDD_INSTALL, service); if (! service) { - print_message(stderr, NSSM_EVENT_OUT_OF_MEMORY, _T("service"), _T("pre_install_service()")); + print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("service"), _T("pre_install_service()")); return 1; } _sntprintf_s(service->exe, _countof(service->exe), _TRUNCATE, _T("%s"), argv[1]); @@ -148,29 +325,10 @@ int pre_edit_service(int argc, TCHAR **argv) { /* Get system details. */ unsigned long bufsize; unsigned long error; - QUERY_SERVICE_CONFIG *qsc; - - QueryServiceConfig(service->handle, 0, 0, &bufsize); - error = GetLastError(); - if (error == ERROR_INSUFFICIENT_BUFFER) { - qsc = (QUERY_SERVICE_CONFIG *) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, bufsize); - if (! qsc) { - print_message(stderr, NSSM_EVENT_OUT_OF_MEMORY, _T("QUERY_SERVICE_CONFIG"), _T("pre_edit_service()"), 0); - return 4; - } - } - else { + QUERY_SERVICE_CONFIG *qsc = query_service_config(service->name, service->handle); + if (! qsc) { CloseHandle(service->handle); CloseServiceHandle(services); - print_message(stderr, NSSM_MESSAGE_QUERYSERVICECONFIG_FAILED, service->name, error_string(error), 0); - return 4; - } - - if (! QueryServiceConfig(service->handle, qsc, bufsize, &bufsize)) { - HeapFree(GetProcessHeap(), 0, qsc); - CloseHandle(service->handle); - CloseServiceHandle(services); - print_message(stderr, NSSM_MESSAGE_QUERYSERVICECONFIG_FAILED, service->name, error_string(GetLastError()), 0); return 4; } @@ -199,12 +357,16 @@ int pre_edit_service(int argc, TCHAR **argv) { HeapFree(GetProcessHeap(), 0, qsc); CloseHandle(service->handle); CloseServiceHandle(services); - print_message(stderr, NSSM_EVENT_OUT_OF_MEMORY, _T("username"), _T("pre_edit_service()")); + print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("username"), _T("pre_edit_service()")); return 4; } } _sntprintf_s(service->displayname, _countof(service->displayname), _TRUNCATE, _T("%s"), qsc->lpDisplayName); + /* Get the canonical service name. We open it case insensitively. */ + bufsize = _countof(service->name); + GetServiceKeyName(services, service->displayname, service->name, &bufsize); + /* Remember the executable in case it isn't NSSM. */ _sntprintf_s(service->image, _countof(service->image), _TRUNCATE, _T("%s"), qsc->lpBinaryPathName); HeapFree(GetProcessHeap(), 0, qsc); @@ -218,7 +380,7 @@ int pre_edit_service(int argc, TCHAR **argv) { if (! info) { CloseHandle(service->handle); CloseServiceHandle(services); - print_message(stderr, NSSM_EVENT_OUT_OF_MEMORY, _T("SERVICE_DELAYED_AUTO_START_INFO"), _T("pre_edit_service()")); + print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("SERVICE_DELAYED_AUTO_START_INFO"), _T("pre_edit_service()")); return 5; } @@ -250,7 +412,7 @@ int pre_edit_service(int argc, TCHAR **argv) { if (! description) { CloseHandle(service->handle); CloseServiceHandle(services); - print_message(stderr, NSSM_EVENT_OUT_OF_MEMORY, _T("SERVICE_CONFIG_DESCRIPTION"), _T("pre_edit_service()")); + print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("SERVICE_CONFIG_DESCRIPTION"), _T("pre_edit_service()")); return 6; } @@ -379,6 +541,11 @@ int edit_service(nssm_service_t *service, bool editing) { } else if (editing) username = NSSM_LOCALSYSTEM_ACCOUNT; + if (grant_logon_as_service(username)) { + print_message(stderr, NSSM_MESSAGE_GRANT_LOGON_AS_SERVICE_FAILED, username); + return 5; + } + if (! ChangeServiceConfig(service->handle, service->type, startup, SERVICE_NO_CHANGE, 0, 0, 0, 0, username, password, service->displayname)) { print_message(stderr, NSSM_MESSAGE_CHANGESERVICECONFIG_FAILED, error_string(GetLastError())); return 5; @@ -440,6 +607,12 @@ int remove_service(nssm_service_t *service) { return 3; } + /* Get the canonical service name. We open it case insensitively. */ + unsigned long bufsize = _countof(service->displayname); + GetServiceDisplayName(services, service->name, service->displayname, &bufsize); + bufsize = _countof(service->name); + GetServiceKeyName(services, service->displayname, service->name, &bufsize); + /* Try to delete the service */ if (! DeleteService(service->handle)) { print_message(stderr, NSSM_MESSAGE_DELETESERVICE_FAILED);