Command to dump service configuration.

[nssm.git] / account.cpp

#include "nssm.h"\r
\r
#include <sddl.h>\r
\r
extern imports_t imports;\r
\r
/* Open Policy object. */\r
int open_lsa_policy(LSA_HANDLE *policy) {\r
  LSA_OBJECT_ATTRIBUTES attributes;\r
  ZeroMemory(&attributes, sizeof(attributes));\r
\r
  NTSTATUS status = LsaOpenPolicy(0, &attributes, POLICY_ALL_ACCESS, policy);\r
  if (status) {\r
    print_message(stderr, NSSM_MESSAGE_LSAOPENPOLICY_FAILED, error_string(LsaNtStatusToWinError(status)));\r
    return 1;\r
  }\r
\r
  return 0;\r
}\r
\r
/* Look up SID for an account. */\r
int username_sid(const TCHAR *username, SID **sid, LSA_HANDLE *policy) {\r
  LSA_HANDLE handle;\r
  if (! policy) {\r
    policy = &handle;\r
    if (open_lsa_policy(policy)) return 1;\r
  }\r
\r
  /*\r
    LsaLookupNames() can't look up .\username but can look up\r
    %COMPUTERNAME%\username.  ChangeServiceConfig() writes .\username to the\r
    registry when %COMPUTERNAME%\username is a passed as a parameter.  We\r
    need to preserve .\username when calling ChangeServiceConfig() without\r
    changing the username, but expand to %COMPUTERNAME%\username when calling\r
    LsaLookupNames().\r
  */\r
  TCHAR *expanded;\r
  unsigned long expandedlen;\r
  if (_tcsnicmp(_T(".\\"), username, 2)) {\r
    expandedlen = (unsigned long) (_tcslen(username) + 1) * sizeof(TCHAR);\r
    expanded = (TCHAR *) HeapAlloc(GetProcessHeap(), 0, expandedlen);\r
    if (! expanded) {\r
      print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("expanded"), _T("username_sid"));\r
      if (policy == &handle) LsaClose(handle);\r
      return 2;\r
    }\r
    memmove(expanded, username, expandedlen);\r
  }\r
  else {\r
    TCHAR computername[MAX_COMPUTERNAME_LENGTH + 1];\r
    expandedlen = _countof(computername);\r
    GetComputerName(computername, &expandedlen);\r
    expandedlen += (unsigned long) _tcslen(username);\r
\r
    expanded = (TCHAR *) HeapAlloc(GetProcessHeap(), 0, expandedlen * sizeof(TCHAR));\r
    if (! expanded) {\r
      print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("expanded"), _T("username_sid"));\r
      if (policy == &handle) LsaClose(handle);\r
      return 2;\r
    }\r
    _sntprintf_s(expanded, expandedlen, _TRUNCATE, _T("%s\\%s"), computername, username + 2);\r
  }\r
\r
  LSA_UNICODE_STRING lsa_username;\r
#ifdef UNICODE\r
  lsa_username.Buffer = (wchar_t *) expanded;\r
  lsa_username.Length = (unsigned short) _tcslen(expanded) * sizeof(TCHAR);\r
  lsa_username.MaximumLength = lsa_username.Length + sizeof(TCHAR);\r
#else\r
  size_t buflen;\r
  mbstowcs_s(&buflen, NULL, 0, expanded, _TRUNCATE);\r
  lsa_username.MaximumLength = (unsigned short) buflen * sizeof(wchar_t);\r
  lsa_username.Length = lsa_username.MaximumLength - sizeof(wchar_t);\r
  lsa_username.Buffer = (wchar_t *) HeapAlloc(GetProcessHeap(), 0, lsa_username.MaximumLength);\r
  if (lsa_username.Buffer) mbstowcs_s(&buflen, lsa_username.Buffer, lsa_username.MaximumLength, expanded, _TRUNCATE);\r
  else {\r
    if (policy == &handle) LsaClose(handle);\r
    HeapFree(GetProcessHeap(), 0, expanded);\r
    print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("LSA_UNICODE_STRING"), _T("username_sid()"));\r
    return 4;\r
  }\r
#endif\r
\r
  LSA_REFERENCED_DOMAIN_LIST *translated_domains;\r
  LSA_TRANSLATED_SID *translated_sid;\r
  NTSTATUS status = LsaLookupNames(*policy, 1, &lsa_username, &translated_domains, &translated_sid);\r
#ifndef UNICODE\r
  HeapFree(GetProcessHeap(), 0, lsa_username.Buffer);\r
#endif\r
  HeapFree(GetProcessHeap(), 0, expanded);\r
  if (policy == &handle) LsaClose(handle);\r
  if (status) {\r
    LsaFreeMemory(translated_domains);\r
    LsaFreeMemory(translated_sid);\r
    print_message(stderr, NSSM_MESSAGE_LSALOOKUPNAMES_FAILED, username, error_string(LsaNtStatusToWinError(status)));\r
    return 5;\r
  }\r
\r
  if (translated_sid->Use != SidTypeUser && translated_sid->Use != SidTypeWellKnownGroup) {\r
    LsaFreeMemory(translated_domains);\r
    LsaFreeMemory(translated_sid);\r
    print_message(stderr, NSSM_GUI_INVALID_USERNAME, username);\r
    return 6;\r
  }\r
\r
  LSA_TRUST_INFORMATION *trust = &translated_domains->Domains[translated_sid->DomainIndex];\r
  if (! trust || ! IsValidSid(trust->Sid)) {\r
    LsaFreeMemory(translated_domains);\r
    LsaFreeMemory(translated_sid);\r
    print_message(stderr, NSSM_GUI_INVALID_USERNAME, username);\r
    return 7;\r
  }\r
\r
  /* GetSidSubAuthority*() return pointers! */\r
  unsigned char *n = GetSidSubAuthorityCount(trust->Sid);\r
\r
  /* Convert translated SID to SID. */\r
  *sid = (SID *) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, GetSidLengthRequired(*n + 1));\r
  if (! *sid) {\r
    LsaFreeMemory(translated_domains);\r
    LsaFreeMemory(translated_sid);\r
    print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("SID"), _T("username_sid"));\r
    return 8;\r
  }\r
\r
  unsigned long error;\r
  if (! InitializeSid(*sid, GetSidIdentifierAuthority(trust->Sid), *n + 1)) {\r
    error = GetLastError();\r
    HeapFree(GetProcessHeap(), 0, *sid);\r
    LsaFreeMemory(translated_domains);\r
    LsaFreeMemory(translated_sid);\r
    print_message(stderr, NSSM_MESSAGE_INITIALIZESID_FAILED, username, error_string(error));\r
    return 9;\r
  }\r
\r
  for (unsigned char i = 0; i <= *n; i++) {\r
    unsigned long *sub = GetSidSubAuthority(*sid, i);\r
    if (i < *n) *sub = *GetSidSubAuthority(trust->Sid, i);\r
    else *sub = translated_sid->RelativeId;\r
  }\r
\r
  int ret = 0;\r
  if (translated_sid->Use == SidTypeWellKnownGroup && ! well_known_sid(*sid)) {\r
    print_message(stderr, NSSM_GUI_INVALID_USERNAME, username);\r
    ret = 10;\r
  }\r
\r
  LsaFreeMemory(translated_domains);\r
  LsaFreeMemory(translated_sid);\r
\r
  return ret;\r
}\r
\r
int username_sid(const TCHAR *username, SID **sid) {\r
  return username_sid(username, sid, 0);\r
}\r
\r
int canonicalise_username(const TCHAR *username, TCHAR **canon) {\r
  LSA_HANDLE policy;\r
  if (open_lsa_policy(&policy)) return 1;\r
\r
  SID *sid;\r
  if (username_sid(username, &sid, &policy)) return 2;\r
  PSID sids = { sid };\r
\r
  LSA_REFERENCED_DOMAIN_LIST *translated_domains;\r
  LSA_TRANSLATED_NAME *translated_name;\r
  NTSTATUS status = LsaLookupSids(policy, 1, &sids, &translated_domains, &translated_name);\r
  if (status) {\r
    LsaFreeMemory(translated_domains);\r
    LsaFreeMemory(translated_name);\r
    print_message(stderr, NSSM_MESSAGE_LSALOOKUPSIDS_FAILED, error_string(LsaNtStatusToWinError(status)));\r
    return 3;\r
  }\r
\r
  LSA_TRUST_INFORMATION *trust = &translated_domains->Domains[translated_name->DomainIndex];\r
  LSA_UNICODE_STRING lsa_canon;\r
  lsa_canon.Length = translated_name->Name.Length + trust->Name.Length + sizeof(wchar_t);\r
  lsa_canon.MaximumLength = lsa_canon.Length + sizeof(wchar_t);\r
  lsa_canon.Buffer = (wchar_t *) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, lsa_canon.MaximumLength);\r
  if (! lsa_canon.Buffer) {\r
    LsaFreeMemory(translated_domains);\r
    LsaFreeMemory(translated_name);\r
    print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("lsa_canon"), _T("username_sid"));\r
    return 9;\r
  }\r
\r
  /* Buffer is wchar_t but Length is in bytes. */\r
  memmove((char *) lsa_canon.Buffer, trust->Name.Buffer, trust->Name.Length);\r
  memmove((char *) lsa_canon.Buffer + trust->Name.Length, L"\\", sizeof(wchar_t));\r
  memmove((char *) lsa_canon.Buffer + trust->Name.Length + sizeof(wchar_t), translated_name->Name.Buffer, translated_name->Name.Length);\r
\r
#ifdef UNICODE\r
  *canon = lsa_canon.Buffer;\r
#else\r
  size_t buflen;\r
  wcstombs_s(&buflen, NULL, 0, lsa_canon.Buffer, _TRUNCATE);\r
  *canon = (TCHAR *) HeapAlloc(GetProcessHeap(), 0, buflen);\r
  if (! *canon) {\r
    LsaFreeMemory(translated_domains);\r
    LsaFreeMemory(translated_name);\r
    print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("canon"), _T("username_sid"));\r
    return 10;\r
  }\r
  wcstombs_s(&buflen, *canon, buflen, lsa_canon.Buffer, _TRUNCATE);\r
  HeapFree(GetProcessHeap(), 0, lsa_canon.Buffer);\r
#endif\r
\r
  LsaFreeMemory(translated_domains);\r
  LsaFreeMemory(translated_name);\r
\r
  return 0;\r
}\r
\r
/* Do two usernames map to the same SID? */\r
int username_equiv(const TCHAR *a, const TCHAR *b) {\r
  SID *sid_a, *sid_b;\r
  if (username_sid(a, &sid_a)) return 0;\r
\r
  if (username_sid(b, &sid_b)) {\r
    FreeSid(sid_a);\r
    return 0;\r
  }\r
\r
  int ret = 0;\r
  if (EqualSid(sid_a, sid_b)) ret = 1;\r
\r
  FreeSid(sid_a);\r
  FreeSid(sid_b);\r
\r
  return ret;\r
}\r
\r
/* Does the username represent the LocalSystem account? */\r
int is_localsystem(const TCHAR *username) {\r
  if (str_equiv(username, NSSM_LOCALSYSTEM_ACCOUNT)) return 1;\r
  if (! imports.IsWellKnownSid) return 0;\r
\r
  SID *sid;\r
  if (username_sid(username, &sid)) return 0;\r
\r
  int ret = 0;\r
  if (imports.IsWellKnownSid(sid, WinLocalSystemSid)) ret = 1;\r
\r
  FreeSid(sid);\r
\r
  return ret;\r
}\r
\r
/*\r
  Get well-known alias for LocalSystem and friends.\r
  Returns a pointer to a static string.  DO NOT try to free it.\r
*/\r
const TCHAR *well_known_sid(SID *sid) {\r
  if (! imports.IsWellKnownSid) return 0;\r
  if (imports.IsWellKnownSid(sid, WinLocalSystemSid)) return NSSM_LOCALSYSTEM_ACCOUNT;\r
  if (imports.IsWellKnownSid(sid, WinLocalServiceSid)) return NSSM_LOCALSERVICE_ACCOUNT;\r
  if (imports.IsWellKnownSid(sid, WinNetworkServiceSid)) return NSSM_NETWORKSERVICE_ACCOUNT;\r
  return 0;\r
}\r
\r
const TCHAR *well_known_username(const TCHAR *username) {\r
  if (! username) return NSSM_LOCALSYSTEM_ACCOUNT;\r
  if (str_equiv(username, NSSM_LOCALSYSTEM_ACCOUNT)) return NSSM_LOCALSYSTEM_ACCOUNT;\r
  SID *sid;\r
  if (username_sid(username, &sid)) return 0;\r
\r
  const TCHAR *well_known = well_known_sid(sid);\r
  FreeSid(sid);\r
\r
  return well_known;\r
}\r
\r
int grant_logon_as_service(const TCHAR *username) {\r
  if (! username) return 0;\r
\r
  /* Open Policy object. */\r
  LSA_OBJECT_ATTRIBUTES attributes;\r
  ZeroMemory(&attributes, sizeof(attributes));\r
\r
  LSA_HANDLE policy;\r
  NTSTATUS status;\r
\r
  if (open_lsa_policy(&policy)) return 1;\r
\r
  /* Look up SID for the account. */\r
  SID *sid;\r
  if (username_sid(username, &sid, &policy)) {\r
    LsaClose(policy);\r
    return 2;\r
  }\r
\r
  /*\r
    Shouldn't happen because it should have been checked before callling this function.\r
  */\r
  if (well_known_sid(sid)) {\r
    LsaClose(policy);\r
    return 3;\r
  }\r
\r
  /* Check if the SID has the "Log on as a service" right. */\r
  LSA_UNICODE_STRING lsa_right;\r
  lsa_right.Buffer = NSSM_LOGON_AS_SERVICE_RIGHT;\r
  lsa_right.Length = (unsigned short) wcslen(lsa_right.Buffer) * sizeof(wchar_t);\r
  lsa_right.MaximumLength = lsa_right.Length + sizeof(wchar_t);\r
\r
  LSA_UNICODE_STRING *rights;\r
  unsigned long count = ~0;\r
  status = LsaEnumerateAccountRights(policy, sid, &rights, &count);\r
  if (status) {\r
    /*\r
      If the account has no rights set LsaEnumerateAccountRights() will return\r
      STATUS_OBJECT_NAME_NOT_FOUND and set count to 0.\r
    */\r
    unsigned long error = LsaNtStatusToWinError(status);\r
    if (error != ERROR_FILE_NOT_FOUND) {\r
      FreeSid(sid);\r
      LsaClose(policy);\r
      print_message(stderr, NSSM_MESSAGE_LSAENUMERATEACCOUNTRIGHTS_FAILED, username, error_string(error));\r
      return 4;\r
    }\r
  }\r
\r
  for (unsigned long i = 0; i < count; i++) {\r
    if (rights[i].Length != lsa_right.Length) continue;\r
    if (_wcsnicmp(rights[i].Buffer, lsa_right.Buffer, lsa_right.MaximumLength)) continue;\r
    /* The SID has the right. */\r
    FreeSid(sid);\r
    LsaFreeMemory(rights);\r
    LsaClose(policy);\r
    return 0;\r
  }\r
  LsaFreeMemory(rights);\r
\r
  /* Add the right. */\r
  status = LsaAddAccountRights(policy, sid, &lsa_right, 1);\r
  FreeSid(sid);\r
  LsaClose(policy);\r
  if (status) {\r
    print_message(stderr, NSSM_MESSAGE_LSAADDACCOUNTRIGHTS_FAILED, error_string(LsaNtStatusToWinError(status)));\r
    return 5;\r
  }\r
\r
  print_message(stdout, NSSM_MESSAGE_GRANTED_LOGON_AS_SERVICE, username);\r
  return 0;\r
}\r