\r
nssm set <servicename> ObjectName <username> correct horse battery staple\r
\r
+The following well-known usernames do not need a password. The password\r
+parameter can be omitted when using them:\r
+\r
+ "LocalSystem" aka "System" aka "NT Authority\System"\r
+ "Local Service" aka "NT Authority\Local Service"\r
+ "Network Service" aka "NT Authority\Network Service"\r
+\r
\r
The Start parameter is used to query or set the startup type of the service.\r
Valid service startup types are as follows:\r
--- /dev/null
+#include "nssm.h"
+
+#include <sddl.h>
+
+extern imports_t imports;
+
+/* Open Policy object. */
+int open_lsa_policy(LSA_HANDLE *policy) {
+ LSA_OBJECT_ATTRIBUTES attributes;
+ ZeroMemory(&attributes, sizeof(attributes));
+
+ NTSTATUS status = LsaOpenPolicy(0, &attributes, POLICY_ALL_ACCESS, policy);
+ if (status) {
+ print_message(stderr, NSSM_MESSAGE_LSAOPENPOLICY_FAILED, error_string(LsaNtStatusToWinError(status)));
+ return 1;
+ }
+
+ return 0;
+}
+
+/* Look up SID for an account. */
+int username_sid(const TCHAR *username, SID **sid, LSA_HANDLE *policy) {
+ LSA_HANDLE handle;
+ if (! policy) {
+ policy = &handle;
+ if (open_lsa_policy(policy)) return 1;
+ }
+
+ LSA_UNICODE_STRING lsa_username;
+#ifdef UNICODE
+ lsa_username.Buffer = (wchar_t *) username;
+ lsa_username.Length = (unsigned short) _tcslen(username) * sizeof(TCHAR);
+ lsa_username.MaximumLength = lsa_username.Length + sizeof(TCHAR);
+#else
+ size_t buflen;
+ mbstowcs_s(&buflen, NULL, 0, username, _TRUNCATE);
+ lsa_username.MaximumLength = (unsigned short) buflen * sizeof(wchar_t);
+ lsa_username.Length = lsa_username.MaximumLength - sizeof(wchar_t);
+ lsa_username.Buffer = (wchar_t *) HeapAlloc(GetProcessHeap(), 0, lsa_username.MaximumLength);
+ if (lsa_username.Buffer) mbstowcs_s(&buflen, lsa_username.Buffer, lsa_username.MaximumLength, username, _TRUNCATE);
+ else {
+ if (policy == &handle) LsaClose(handle);
+ print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("LSA_UNICODE_STRING"), _T("username_sid()"));
+ return 2;
+ }
+#endif
+
+ LSA_REFERENCED_DOMAIN_LIST *translated_domains;
+ LSA_TRANSLATED_SID *translated_sid;
+ NTSTATUS status = LsaLookupNames(*policy, 1, &lsa_username, &translated_domains, &translated_sid);
+#ifndef UNICODE
+ HeapFree(GetProcessHeap(), 0, lsa_username.Buffer);
+#endif
+ if (policy == &handle) LsaClose(handle);
+ if (status) {
+ LsaFreeMemory(translated_domains);
+ LsaFreeMemory(translated_sid);
+ print_message(stderr, NSSM_MESSAGE_LSALOOKUPNAMES_FAILED, username, error_string(LsaNtStatusToWinError(status)));
+ return 3;
+ }
+
+ if (translated_sid->Use != SidTypeUser && translated_sid->Use != SidTypeWellKnownGroup) {
+ LsaFreeMemory(translated_domains);
+ LsaFreeMemory(translated_sid);
+ print_message(stderr, NSSM_GUI_INVALID_USERNAME, username);
+ return 4;
+ }
+
+ LSA_TRUST_INFORMATION *trust = &translated_domains->Domains[translated_sid->DomainIndex];
+ if (! trust || ! IsValidSid(trust->Sid)) {
+ LsaFreeMemory(translated_domains);
+ LsaFreeMemory(translated_sid);
+ print_message(stderr, NSSM_GUI_INVALID_USERNAME, username);
+ return 5;
+ }
+
+ /* GetSidSubAuthority*() return pointers! */
+ unsigned char *n = GetSidSubAuthorityCount(trust->Sid);
+
+ /* Convert translated SID to SID. */
+ *sid = (SID *) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, GetSidLengthRequired(*n + 1));
+ if (! *sid) {
+ LsaFreeMemory(translated_domains);
+ LsaFreeMemory(translated_sid);
+ print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("SID"), _T("grant_logon_as_service"));
+ return 6;
+ }
+
+ unsigned long error;
+ if (! InitializeSid(*sid, GetSidIdentifierAuthority(trust->Sid), *n + 1)) {
+ error = GetLastError();
+ HeapFree(GetProcessHeap(), 0, *sid);
+ LsaFreeMemory(translated_domains);
+ LsaFreeMemory(translated_sid);
+ print_message(stderr, NSSM_MESSAGE_INITIALIZESID_FAILED, username, error_string(error));
+ return 7;
+ }
+
+ for (unsigned char i = 0; i <= *n; i++) {
+ unsigned long *sub = GetSidSubAuthority(*sid, i);
+ if (i < *n) *sub = *GetSidSubAuthority(trust->Sid, i);
+ else *sub = translated_sid->RelativeId;
+ }
+
+ int ret = 0;
+ if (translated_sid->Use == SidTypeWellKnownGroup && requires_password(*sid)) {
+ print_message(stderr, NSSM_GUI_INVALID_USERNAME, username);
+ ret = 8;
+ }
+
+ LsaFreeMemory(translated_domains);
+ LsaFreeMemory(translated_sid);
+
+ return ret;
+}
+
+int username_sid(const TCHAR *username, SID **sid) {
+ return username_sid(username, sid, 0);
+}
+
+/* Do two usernames map to the same SID? */
+int username_equiv(const TCHAR *a, const TCHAR *b) {
+ SID *sid_a, *sid_b;
+ if (username_sid(a, &sid_a)) return 0;
+
+ if (username_sid(b, &sid_b)) {
+ FreeSid(sid_a);
+ return 0;
+ }
+
+ int ret = 0;
+ if (EqualSid(sid_a, sid_b)) ret = 1;
+
+ FreeSid(sid_a);
+ FreeSid(sid_b);
+
+ return ret;
+}
+
+/* Does the username represent the LocalSystem account? */
+int is_localsystem(const TCHAR *username) {
+ if (str_equiv(username, NSSM_LOCALSYSTEM_ACCOUNT)) return 1;
+ if (! imports.IsWellKnownSid) return 0;
+
+ SID *sid;
+ if (username_sid(username, &sid)) return 0;
+
+ int ret = 0;
+ if (imports.IsWellKnownSid(sid, WinLocalSystemSid)) ret = 1;
+
+ FreeSid(sid);
+
+ return ret;
+}
+
+/*
+ Find the canonical name for a well-known account name.
+ MUST ONLY BE USED for well-known account names.
+ Must call LocalFree() on result.
+*/
+TCHAR *canonical_username(const TCHAR *username) {
+ SID *user_sid;
+ TCHAR *canon;
+ size_t len;
+
+ if (is_localsystem(username)) {
+ len = (_tcslen(NSSM_LOCALSYSTEM_ACCOUNT) + 1) * sizeof(TCHAR);
+ canon = (TCHAR *) LocalAlloc(LPTR, len);
+ if (! canon) {
+ print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, NSSM_LOCALSYSTEM_ACCOUNT, _T("canonical_username"));
+ return 0;
+ }
+ memmove(canon, NSSM_LOCALSYSTEM_ACCOUNT, len);
+ _tprintf(_T("it's localsystem = %s!\n"), canon);
+ return canon;
+ }
+
+ if (! imports.CreateWellKnownSid) return 0;
+
+ if (username_sid(username, &user_sid)) return 0;
+
+ /*
+ LsaLookupSids will return the canonical username but the result won't
+ include the NT Authority part. Thus we must look that up as well.
+ */
+ unsigned long ntsidsize = SECURITY_MAX_SID_SIZE;
+ SID *ntauth_sid = (SID *) HeapAlloc(GetProcessHeap(), 0, ntsidsize);
+ if (! ntauth_sid) {
+ HeapFree(GetProcessHeap(), 0, user_sid);
+ print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("NT Authority"), _T("canonical_username"));
+ return 0;
+ }
+
+ if (! imports.CreateWellKnownSid(WinNtAuthoritySid, NULL, ntauth_sid, &ntsidsize)) {
+ HeapFree(GetProcessHeap(), 0, ntauth_sid);
+ print_message(stderr, NSSM_MESSAGE_CREATEWELLKNOWNSID_FAILED, _T("WinNtAuthoritySid"));
+ return 0;
+ }
+
+ LSA_HANDLE policy;
+ if (open_lsa_policy(&policy)) return 0;
+
+ LSA_REFERENCED_DOMAIN_LIST *translated_domains;
+ LSA_TRANSLATED_NAME *translated_names;
+
+ unsigned long n = 2;
+ PSID *sids = (PSID *) HeapAlloc(GetProcessHeap(), 0, n * sizeof(PSID));
+ sids[0] = user_sid;
+ sids[1] = ntauth_sid;
+
+ NTSTATUS status = LsaLookupSids(policy, n, (PSID *) sids, &translated_domains, &translated_names);
+ HeapFree(GetProcessHeap(), 0, user_sid);
+ HeapFree(GetProcessHeap(), 0, ntauth_sid);
+ HeapFree(GetProcessHeap(), 0, sids);
+ LsaClose(policy);
+ if (status) {
+ print_message(stderr, NSSM_MESSAGE_LSALOOKUPSIDS_FAILED);
+ return 0;
+ }
+
+ /* Look up the account name. */
+ LSA_TRANSLATED_NAME *translated_name = &(translated_names[0]);
+ if (translated_name->Use != SidTypeWellKnownGroup) {
+ print_message(stderr, NSSM_GUI_INVALID_USERNAME);
+ LsaFreeMemory(translated_domains);
+ LsaFreeMemory(translated_names);
+ return 0;
+ }
+
+ LSA_UNICODE_STRING *lsa_group = &translated_name->Name;
+
+ /* Look up NT Authority. */
+ translated_name = &(translated_names[1]);
+ if (translated_name->Use != SidTypeDomain) {
+ print_message(stderr, NSSM_GUI_INVALID_USERNAME);
+ LsaFreeMemory(translated_domains);
+ LsaFreeMemory(translated_names);
+ return 0;
+ }
+
+ /* In theory these pointers should all be valid if we got this far... */
+ LSA_TRUST_INFORMATION *trust = &translated_domains->Domains[translated_name->DomainIndex];
+ LSA_UNICODE_STRING *lsa_domain = &trust->Name;
+
+ TCHAR *domain, *group;
+ unsigned long lsa_domain_len = lsa_domain->Length;
+ unsigned long lsa_group_len = lsa_group->Length;
+ len = lsa_domain_len + lsa_group_len + 2;
+
+#ifdef UNICODE
+ domain = lsa_domain->Buffer;
+ group = lsa_group->Buffer;
+#else
+ size_t buflen;
+
+ wcstombs_s(&buflen, NULL, 0, lsa_domain->Buffer, _TRUNCATE);
+ domain = (TCHAR *) HeapAlloc(GetProcessHeap(), 0, buflen);
+ if (! domain) {
+ print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("domain"), _T("canonical_username"));
+ LsaFreeMemory(translated_domains);
+ LsaFreeMemory(translated_names);
+ return 0;
+ }
+ wcstombs_s(&buflen, (char *) domain, buflen, lsa_domain->Buffer, _TRUNCATE);
+
+ wcstombs_s(&buflen, NULL, 0, lsa_group->Buffer, _TRUNCATE);
+ group = (TCHAR *) HeapAlloc(GetProcessHeap(), 0, buflen);
+ if (! group) {
+ print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("group"), _T("canonical_username"));
+ LsaFreeMemory(translated_domains);
+ LsaFreeMemory(translated_names);
+ return 0;
+ }
+ wcstombs_s(&buflen, (char *) group, buflen, lsa_group->Buffer, _TRUNCATE);
+#endif
+
+ canon = (TCHAR *) HeapAlloc(GetProcessHeap(), 0, len * sizeof(TCHAR));
+ if (! canon) {
+ LsaFreeMemory(translated_domains);
+ LsaFreeMemory(translated_names);
+ print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("canon"), _T("canonical_username"));
+ return 0;
+ }
+
+ _sntprintf_s(canon, len, _TRUNCATE, _T("%s\\%s"), domain, group);
+
+#ifndef UNICODE
+ HeapFree(GetProcessHeap(), 0, domain);
+ HeapFree(GetProcessHeap(), 0, group);
+#endif
+
+ LsaFreeMemory(translated_domains);
+ LsaFreeMemory(translated_names);
+
+ return canon;
+}
+
+/* Does the SID type require a password? */
+int requires_password(SID *sid) {
+ if (! imports.IsWellKnownSid) return -1;
+ if (imports.IsWellKnownSid(sid, WinLocalSystemSid)) return 0;
+ if (imports.IsWellKnownSid(sid, WinLocalServiceSid)) return 0;
+ if (imports.IsWellKnownSid(sid, WinNetworkServiceSid)) return 0;;
+ return 1;
+}
+
+/* Does the username require a password? */
+int requires_password(const TCHAR *username) {
+ if (str_equiv(username, NSSM_LOCALSYSTEM_ACCOUNT)) return 0;
+
+ SID *sid;
+ int r = username_sid(username, &sid);
+ if (username_sid(username, &sid)) return 0;
+
+ int ret = 0;
+ ret = requires_password(sid);
+
+ FreeSid(sid);
+
+ return ret;
+}
+
+int grant_logon_as_service(const TCHAR *username) {
+ if (! username) return 0;
+ if (! requires_password(username)) return 0;
+
+ /* Open Policy object. */
+ LSA_OBJECT_ATTRIBUTES attributes;
+ ZeroMemory(&attributes, sizeof(attributes));
+
+ LSA_HANDLE policy;
+ NTSTATUS status;
+
+ if (open_lsa_policy(&policy)) return 1;
+
+ /* Look up SID for the account. */
+ SID *sid;
+ if (username_sid(username, &sid, &policy)) {
+ LsaClose(policy);
+ return 2;
+ }
+
+ /* Check if the SID has the "Log on as a service" right. */
+ LSA_UNICODE_STRING lsa_right;
+ lsa_right.Buffer = NSSM_LOGON_AS_SERVICE_RIGHT;
+ lsa_right.Length = (unsigned short) wcslen(lsa_right.Buffer) * sizeof(wchar_t);
+ lsa_right.MaximumLength = lsa_right.Length + sizeof(wchar_t);
+
+ LSA_UNICODE_STRING *rights;
+ unsigned long count = ~0;
+ status = LsaEnumerateAccountRights(policy, sid, &rights, &count);
+ if (status) {
+ /*
+ If the account has no rights set LsaEnumerateAccountRights() will return
+ STATUS_OBJECT_NAME_NOT_FOUND and set count to 0.
+ */
+ unsigned long error = LsaNtStatusToWinError(status);
+ if (error != ERROR_FILE_NOT_FOUND) {
+ FreeSid(sid);
+ LsaClose(policy);
+ print_message(stderr, NSSM_MESSAGE_LSAENUMERATEACCOUNTRIGHTS_FAILED, username, error_string(error));
+ return 4;
+ }
+ }
+
+ for (unsigned long i = 0; i < count; i++) {
+ if (rights[i].Length != lsa_right.Length) continue;
+ if (_wcsnicmp(rights[i].Buffer, lsa_right.Buffer, lsa_right.MaximumLength)) continue;
+ /* The SID has the right. */
+ FreeSid(sid);
+ LsaFreeMemory(rights);
+ LsaClose(policy);
+ return 0;
+ }
+ LsaFreeMemory(rights);
+
+ /* Add the right. */
+ status = LsaAddAccountRights(policy, sid, &lsa_right, 1);
+ FreeSid(sid);
+ LsaClose(policy);
+ if (status) {
+ print_message(stderr, NSSM_MESSAGE_LSAADDACCOUNTRIGHTS_FAILED, error_string(LsaNtStatusToWinError(status)));
+ return 5;
+ }
+
+ print_message(stdout, NSSM_MESSAGE_GRANTED_LOGON_AS_SERVICE, username);
+ return 0;
+}
--- /dev/null
+#ifndef ACCOUNT_H
+#define ACCOUNT_H
+
+#include <ntsecapi.h>
+
+/* Not really an account. The canonical name is NT Authority\System. */
+#define NSSM_LOCALSYSTEM_ACCOUNT _T("LocalSystem")
+/* This is explicitly a wide string. */
+#define NSSM_LOGON_AS_SERVICE_RIGHT L"SeServiceLogonRight"
+
+
+int open_lsa_policy(LSA_HANDLE *);
+int username_sid(const TCHAR *, SID **, LSA_HANDLE *);
+int username_sid(const TCHAR *, SID **);
+int username_equiv(const TCHAR *, const TCHAR *);
+int is_localsystem(const TCHAR *);
+TCHAR *canonical_username(const TCHAR *);
+int requires_password(SID *);
+int requires_password(const TCHAR *);
+int grant_logon_as_service(const TCHAR *);
+
+#endif
}\r
\r
/*\r
- Special case LOCALSYSTEM.\r
+ Special case for well-known accounts.\r
Ignore the password if we're editing and the username hasn't changed.\r
*/\r
- if (str_equiv(service->username, NSSM_LOCALSYSTEM_ACCOUNT)) {\r
- HeapFree(GetProcessHeap(), 0, service->username);\r
- service->username = 0;\r
- service->usernamelen = 0;\r
+ if (! requires_password(service->username)) {\r
+ if (is_localsystem(service->username)) {
+ HeapFree(GetProcessHeap(), 0, service->username);\r
+ service->username = 0;\r
+ service->usernamelen = 0;\r
+ }
+ else {
+ TCHAR *canon = canonical_username(service->username);
+ HeapFree(GetProcessHeap(), 0, service->username);\r
+ service->username = 0;\r
+ service->usernamelen = 0;\r
+ if (canon) {
+ service->usernamelen = _tcslen(canon) + 1;
+ service->username = (TCHAR *) HeapAlloc(GetProcessHeap(), 0, service->usernamelen * sizeof(TCHAR));
+ if (! service->username) {
+ LocalFree(canon);
+ print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("canon"), _T("install()"));
+ return 6;
+ }
+ memmove(service->username, canon, service->usernamelen * sizeof(TCHAR));
+ LocalFree(canon);
+ }
+ else return 6;
+ }
}\r
else {\r
/* Password. */\r
/* Remember if we are admin */\r
check_admin();\r
\r
+ /* Set up function pointers. */\r
+ if (get_imports()) exit(111);\r
+\r
/* Elevate */\r
if (argc > 1) {\r
/*\r
This will save time when running with no arguments from a command prompt.\r
*/\r
if (! GetStdHandle(STD_INPUT_HANDLE)) {\r
- /* Set up function pointers. */\r
- if (get_imports()) exit(111);\r
-\r
/* Start service magic */\r
SERVICE_TABLE_ENTRY table[] = { { NSSM, service_main }, { 0, 0 } };\r
if (! StartServiceCtrlDispatcher(table)) {\r
#include <tchar.h>\r
#include <windows.h>\r
#include "service.h"\r
+#include "account.h"\r
#include "console.h"\r
#include "env.h"\r
#include "event.h"\r
Name="Source Files"\r
Filter="cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"\r
>\r
+ <File\r
+ RelativePath="account.cpp"\r
+ >\r
+ </File>\r
<File\r
RelativePath="console.cpp"\r
>\r
Name="Header Files"\r
Filter="h;hpp;hxx;hm;inl"\r
>\r
+ <File\r
+ RelativePath="account.h"\r
+ >\r
+ </File>\r
<File\r
RelativePath="console.h"\r
>\r
#include "nssm.h"\r
\r
-/* This is explicitly a wide string. */\r
-#define NSSM_LOGON_AS_SERVICE_RIGHT L"SeServiceLogonRight"\r
-\r
bool is_admin;\r
bool use_critical_section;\r
\r
\r
if (! qsc) return 1;\r
\r
- if (str_equiv(qsc->lpServiceStartName, NSSM_LOCALSYSTEM_ACCOUNT)) return 0;\r
+ if (is_localsystem(qsc->lpServiceStartName)) return 0;\r
\r
size_t len = _tcslen(qsc->lpServiceStartName);\r
*username = (TCHAR *) HeapAlloc(GetProcessHeap(), 0, (len + 1) * sizeof(TCHAR));\r
return 0;\r
}\r
\r
-int grant_logon_as_service(const TCHAR *username) {\r
- if (! username) return 0;\r
- if (str_equiv(username, NSSM_LOCALSYSTEM_ACCOUNT)) return 0;\r
-\r
- /* Open Policy object. */\r
- LSA_OBJECT_ATTRIBUTES attributes;\r
- ZeroMemory(&attributes, sizeof(attributes));\r
-\r
- LSA_HANDLE policy;\r
-\r
- NTSTATUS status = LsaOpenPolicy(0, &attributes, POLICY_ALL_ACCESS, &policy);\r
- if (status) {\r
- print_message(stderr, NSSM_MESSAGE_LSAOPENPOLICY_FAILED, error_string(LsaNtStatusToWinError(status)));\r
- return 1;\r
- }\r
-\r
- /* Look up SID for the account. */\r
- LSA_UNICODE_STRING lsa_username;\r
-#ifdef UNICODE\r
- lsa_username.Buffer = (wchar_t *) username;\r
- lsa_username.Length = (unsigned short) _tcslen(username) * sizeof(TCHAR);\r
- lsa_username.MaximumLength = lsa_username.Length + sizeof(TCHAR);\r
-#else\r
- size_t buflen;\r
- mbstowcs_s(&buflen, NULL, 0, username, _TRUNCATE);\r
- lsa_username.MaximumLength = (unsigned short) buflen * sizeof(wchar_t);\r
- lsa_username.Length = lsa_username.MaximumLength - sizeof(wchar_t);\r
- lsa_username.Buffer = (wchar_t *) HeapAlloc(GetProcessHeap(), 0, lsa_username.MaximumLength);\r
- if (lsa_username.Buffer) mbstowcs_s(&buflen, lsa_username.Buffer, lsa_username.MaximumLength, username, _TRUNCATE);\r
- else {\r
- LsaClose(policy);\r
- print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("LSA_UNICODE_STRING"), _T("grant_logon_as_service()"));\r
- return 2;\r
- }\r
-#endif\r
-\r
- LSA_REFERENCED_DOMAIN_LIST *translated_domains;\r
- LSA_TRANSLATED_SID *translated_sid;\r
- status = LsaLookupNames(policy, 1, &lsa_username, &translated_domains, &translated_sid);\r
-#ifndef UNICODE\r
- HeapFree(GetProcessHeap(), 0, lsa_username.Buffer);\r
-#endif\r
- if (status) {\r
- LsaFreeMemory(translated_domains);\r
- LsaFreeMemory(translated_sid);\r
- LsaClose(policy);\r
- print_message(stderr, NSSM_MESSAGE_LSALOOKUPNAMES_FAILED, username, error_string(LsaNtStatusToWinError(status)));\r
- return 3;\r
- }\r
-\r
- if (translated_sid->Use != SidTypeUser) {\r
- LsaFreeMemory(translated_domains);\r
- LsaFreeMemory(translated_sid);\r
- LsaClose(policy);\r
- print_message(stderr, NSSM_GUI_INVALID_USERNAME, username);\r
- return 4;\r
- }\r
-\r
- LSA_TRUST_INFORMATION *trust = &translated_domains->Domains[translated_sid->DomainIndex];\r
- if (! trust || ! IsValidSid(trust->Sid)) {\r
- LsaFreeMemory(translated_domains);\r
- LsaFreeMemory(translated_sid);\r
- LsaClose(policy);\r
- print_message(stderr, NSSM_GUI_INVALID_USERNAME, username);\r
- return 4;\r
- }\r
-\r
- /* GetSidSubAuthority*() return pointers! */\r
- unsigned char *n = GetSidSubAuthorityCount(trust->Sid);\r
-\r
- /* Convert translated SID to SID. */\r
- SID *sid = (SID *) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, GetSidLengthRequired(*n + 1));\r
- if (! sid) {\r
- LsaFreeMemory(translated_domains);\r
- LsaFreeMemory(translated_sid);\r
- LsaClose(policy);\r
- print_message(stderr, NSSM_MESSAGE_OUT_OF_MEMORY, _T("SID"), _T("grant_logon_as_service"));\r
- return 4;\r
- }\r
-\r
- unsigned long error;\r
- if (! InitializeSid(sid, GetSidIdentifierAuthority(trust->Sid), *n + 1)) {\r
- error = GetLastError();\r
- HeapFree(GetProcessHeap(), 0, sid);\r
- LsaFreeMemory(translated_domains);\r
- LsaFreeMemory(translated_sid);\r
- LsaClose(policy);\r
- print_message(stderr, NSSM_MESSAGE_INITIALIZESID_FAILED, username, error_string(error));\r
- return 5;\r
- }\r
-\r
- for (unsigned char i = 0; i <= *n; i++) {\r
- unsigned long *sub = GetSidSubAuthority(sid, i);\r
- if (i < *n) *sub = *GetSidSubAuthority(trust->Sid, i);\r
- else *sub = translated_sid->RelativeId;\r
- }\r
-\r
- LsaFreeMemory(translated_domains);\r
- LsaFreeMemory(translated_sid);\r
-\r
- /* Check if the SID has the "Log on as a service" right. */\r
- LSA_UNICODE_STRING lsa_right;\r
- lsa_right.Buffer = NSSM_LOGON_AS_SERVICE_RIGHT;\r
- lsa_right.Length = (unsigned short) wcslen(lsa_right.Buffer) * sizeof(wchar_t);\r
- lsa_right.MaximumLength = lsa_right.Length + sizeof(wchar_t);\r
-\r
- LSA_UNICODE_STRING *rights;\r
- unsigned long count = ~0;\r
- status = LsaEnumerateAccountRights(policy, sid, &rights, &count);\r
- if (status) {\r
- /*\r
- If the account has no rights set LsaEnumerateAccountRights() will return\r
- STATUS_OBJECT_NAME_NOT_FOUND and set count to 0.\r
- */\r
- error = LsaNtStatusToWinError(status);\r
- if (error != ERROR_FILE_NOT_FOUND) {\r
- HeapFree(GetProcessHeap(), 0, sid);\r
- LsaClose(policy);\r
- print_message(stderr, NSSM_MESSAGE_LSAENUMERATEACCOUNTRIGHTS_FAILED, username, error_string(error));\r
- return 4;\r
- }\r
- }\r
-\r
- for (unsigned long i = 0; i < count; i++) {\r
- if (rights[i].Length != lsa_right.Length) continue;\r
- if (_wcsnicmp(rights[i].Buffer, lsa_right.Buffer, lsa_right.MaximumLength)) continue;\r
- /* The SID has the right. */\r
- HeapFree(GetProcessHeap(), 0, sid);\r
- LsaFreeMemory(rights);\r
- LsaClose(policy);\r
- return 0;\r
- }\r
- LsaFreeMemory(rights);\r
-\r
- /* Add the right. */\r
- status = LsaAddAccountRights(policy, sid, &lsa_right, 1);\r
- HeapFree(GetProcessHeap(), 0, sid);\r
- LsaClose(policy);\r
- if (status) {\r
- print_message(stderr, NSSM_MESSAGE_LSAADDACCOUNTRIGHTS_FAILED, error_string(LsaNtStatusToWinError(status)));\r
- return 5;\r
- }\r
-\r
- print_message(stdout, NSSM_MESSAGE_GRANTED_LOGON_AS_SERVICE, username);\r
- return 0;\r
-}\r
-\r
/* Set default values which aren't zero. */\r
void set_nssm_service_defaults(nssm_service_t *service) {\r
if (! service) return;\r
}\r
else if (editing) username = NSSM_LOCALSYSTEM_ACCOUNT;\r
\r
- if (grant_logon_as_service(username)) {\r
- print_message(stderr, NSSM_MESSAGE_GRANT_LOGON_AS_SERVICE_FAILED, username);\r
- return 5;\r
+ if (requires_password(username)) {\r
+ if (grant_logon_as_service(username)) {\r
+ print_message(stderr, NSSM_MESSAGE_GRANT_LOGON_AS_SERVICE_FAILED, username);\r
+ return 5;\r
+ }\r
}\r
\r
if (! ChangeServiceConfig(service->handle, service->type, startup, SERVICE_NO_CHANGE, 0, 0, 0, 0, username, password, service->displayname)) {\r
#ifndef SERVICE_H\r
#define SERVICE_H\r
\r
-#include <ntsecapi.h>\r
-\r
/*\r
MSDN says the commandline in CreateProcess() is limited to 32768 characters\r
and the application name to MAX_PATH.\r
\r
#define ACTION_LEN 16\r
\r
-#define NSSM_LOCALSYSTEM_ACCOUNT _T("LocalSystem")\r
#define NSSM_KERNEL_DRIVER _T("SERVICE_KERNEL_DRIVER")\r
#define NSSM_FILE_SYSTEM_DRIVER _T("SERVICE_FILE_SYSTEM_DRIVER")\r
#define NSSM_WIN32_OWN_PROCESS _T("SERVICE_WIN32_OWN_PROCESS")\r
int get_service_description(const TCHAR *, SC_HANDLE, unsigned long, TCHAR *);\r
int get_service_startup(const TCHAR *, SC_HANDLE, const QUERY_SERVICE_CONFIG *, unsigned long *);\r
int get_service_username(const TCHAR *, const QUERY_SERVICE_CONFIG *, TCHAR **, size_t *);\r
-int grant_logon_as_service(const TCHAR *);\r
int pre_install_service(int, TCHAR **);\r
int pre_remove_service(int, TCHAR **);\r
int pre_edit_service(int, TCHAR **);\r
Logical syntax is: nssm set <service> ObjectName <username> <password>
That means the username is actually passed in the additional parameter.
*/
- bool localsystem = true;
+ bool localsystem = false;
TCHAR *username = NSSM_LOCALSYSTEM_ACCOUNT;
TCHAR *password = 0;
+ TCHAR *canon = 0;
if (additional) {
- if (! str_equiv(additional, NSSM_LOCALSYSTEM_ACCOUNT)) {
- localsystem = false;
- username = (TCHAR *) additional;
- if (value && value->string) password = value->string;
- else {
- /* We need a password if the account is not LOCALSYSTEM. */
- print_message(stderr, NSSM_MESSAGE_MISSING_PASSWORD, name);
- return -1;
- }
+ username = (TCHAR *) additional;
+ if (value && value->string) password = value->string;
+ }
+ else if (value && value->string) username = value->string;
+
+ if (requires_password(username)) {
+ if (! password) {
+ /* We need a password if the account requires it. */
+ print_message(stderr, NSSM_MESSAGE_MISSING_PASSWORD, name);
+ return -1;
+ }
+ }
+ else {
+ password = 0;
+ if (is_localsystem(username)) {
+ localsystem = true;
+ username = NSSM_LOCALSYSTEM_ACCOUNT;
+ }
+ else {
+ canon = canonical_username(username);
+ if (canon) username = canon;
}
}
QUERY_SERVICE_CONFIG *qsc = query_service_config(service_name, service_handle);
if (! qsc) {
if (password) SecureZeroMemory(password, _tcslen(password) * sizeof(TCHAR));
+ if (canon) LocalFree(canon);
return -1;
}
HeapFree(GetProcessHeap(), 0, qsc);
}
- if (grant_logon_as_service(username)) {
- if (password) SecureZeroMemory(password, _tcslen(password) * sizeof(TCHAR));
- print_message(stderr, NSSM_MESSAGE_GRANT_LOGON_AS_SERVICE_FAILED, username);
- return -1;
+ if (password) {
+ if (grant_logon_as_service(username)) {
+ if (password) SecureZeroMemory(password, _tcslen(password) * sizeof(TCHAR));
+ if (canon) LocalFree(canon);
+ print_message(stderr, NSSM_MESSAGE_GRANT_LOGON_AS_SERVICE_FAILED, username);
+ return -1;
+ }
}
if (! ChangeServiceConfig(service_handle, type, SERVICE_NO_CHANGE, SERVICE_NO_CHANGE, 0, 0, 0, 0, username, password, 0)) {
if (password) SecureZeroMemory(password, _tcslen(password) * sizeof(TCHAR));
+ if (canon) LocalFree(canon);
print_message(stderr, NSSM_MESSAGE_CHANGESERVICECONFIG_FAILED, error_string(GetLastError()));
return -1;
}
if (password) SecureZeroMemory(password, _tcslen(password) * sizeof(TCHAR));
+ if (canon) LocalFree(canon);
if (localsystem) return 0;
return 1;
git://git.iain.cx/iain / nssm.git / commitdiff