/**
*
* @brief Recursively change permissions for administrators group
* and Service account in a directory tree.
*
* @param[in] path - the target file/directory
*
* @return void
*
*/
void
make_dir_files_service_account_read(char *path)
{
DIR *dir;
struct dirent *pdirent;
char dirfile[MAXPATHLEN+1];
char *username = NULL;
username = getlogin_full();
secure_file2(path, "Administrators",
READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
username, READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED);
dir = opendir(path);
if (dir == NULL) {
return;
}
while (errno = 0, (pdirent = readdir(dir)) != NULL) {
if (strcmp(pdirent->d_name, ".") == 0 ||
strcmp(pdirent->d_name, "..") == 0)
continue;
sprintf(dirfile, "%s/%s", path, pdirent->d_name);
secure_file2(dirfile, "Administrators",
READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
username, READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED);
#ifdef DEBUG
printf("securing file %s: full access to admin and %s \n", dirfile, username);
#endif
}
#ifdef DEBUG
if (errno != 0 && errno != ENOENT)
printf("readdir error; %s\n", path);
#endif
(void)closedir(dir);
}
/**
* @brief
* main - the entry point in pbs_account_win.c
*
* @param[in] argc - argument count
* @param[in] argv - argument variables.
* @param[in] env - environment values.
*
* @return int
* @retval 0 : success
* @retval !=0 : error code
*/
main(int argc, char *argv[])
{
SID *sa_sid = NULL; /* service account SID */
char sa_name[PBS_MAXHOSTNAME+UNLEN+2] = {'\0'}; /* service account name */
/* domain\user\0 */
int ret_val = 0;
int c_opt = 0;
int s_opt = 0;
int a_opt = 0;
int p_opt = 0;
int R_opt = 0;
int U_opt = 0;
int instid_opt = 0;
char service_bin_path[MAXPATHLEN+1] = {'\0'};
char service_name[MAXPATHLEN+1] = {'\0'};
int i = 0;
char outputfile[MAXPATHLEN+1] = {'\0'};
char instanceName[MAXPATHLEN+1] = {'\0'};
int output_fd = -1;
struct passwd *pw = NULL;
char *p = NULL;
winsock_init();
/*test for real deal or just version and exit*/
execution_mode(argc, argv);
strcpy(exec_unamef, getlogin_full());
strcpy(exec_dname, ".");
if ((p=strchr(exec_unamef, '\\'))) {
*p = '\0';
strcpy(exec_dname, exec_unamef);
*p = '\\';
}
strcpy(sa_password, "");
strcpy(outputfile, "");
/* with no option, check only if service account exists */
if (argc == 1) {
int in_domain_environment = 0;
char dname[PBS_MAXHOSTNAME+1] = {'\0'};
char dctrl[PBS_MAXHOSTNAME+1] = {'\0'};
wchar_t unamew[UNLEN+1] = {'\0'};
wchar_t dctrlw[PBS_MAXHOSTNAME+1] = {'\0'};
USER_INFO_0 *ui1_ptr = NULL;
NET_API_STATUS netst = 0;
/* figure out the domain controller hostname (dctrl) */
/* in domain environment, */
/* domain name (dname) != domain controller hostname */
/* in standalone environment, */
/* domain name (dname) == domain controller hostname */
in_domain_environment = GetComputerDomainName(dname);
strcpy(dctrl, dname);
if (in_domain_environment) {
char dname_a[PBS_MAXHOSTNAME+1];
get_dcinfo(dname, dname_a, dctrl);
}
/* convert strings to "wide" format */
mbstowcs(unamew, service_accountname, UNLEN+1);
mbstowcs(dctrlw, dctrl, PBS_MAXHOSTNAME+1);
netst = wrap_NetUserGetInfo(dctrlw, unamew, 1,
(LPBYTE *)&ui1_ptr);
if (strlen(winlog_buffer) > 0) {
fprintf(stderr, "%s\n", winlog_buffer);
}
if (netst == NERR_UserNotFound) {
fprintf(stderr, "%s not found!\n", service_accountname);
if (in_domain_environment &&
stricmp(exec_dname, dname) != 0) {
fprintf(stderr,
"But no privilege to create service account %s\\%s!\n",
dname, service_accountname);
ret_val=2;
} else {
ret_val=1;
}
} else if ((netst == ERROR_ACCESS_DENIED) ||
(netst == ERROR_LOGON_FAILURE)) {
fprintf(stderr,
"no privilege to obtain info for service account %s\\%s!\n",
dname, service_accountname);
ret_val= 2;
} else {
fprintf(stderr, "service account is %s\\%s!\n",
dname, service_accountname);
ret_val = 0;
}
if (ui1_ptr != NULL)
NetApiBufferFree(ui1_ptr);
goto end_pbs_account;
}
i = 1;
while (i < argc) {
if (strcmp(argv[i], "-c") == 0) {
c_opt = 1;
i++;
} else if (strcmp(argv[i], "--ci") == 0) {
c_opt = 1;
for_info_only = 1;
i++;
} else if (strcmp(argv[i], "-s") == 0) {
s_opt = 1;
i++;
} else if (strcmp(argv[i], "-a") == 0) {
if ((argv[i+1] == NULL) || (argv[i+1][0] == '-')) {
fprintf(stderr, "No service account name argument supplied!\n");
usage(argv[0]);
exit(1);
}
a_opt = 1;
strcpy(service_accountname, argv[i+1]);
i+=2;
} else if (strcmp(argv[i], "-p") == 0) {
if ((argv[i+1] == NULL) || (argv[i+1][0] == '-')) {
fprintf(stderr, "No password argument supplied!\n");
usage(argv[0]);
exit(1);
}
p_opt = 1;
strcpy(sa_password, argv[i+1]);
cache_usertoken_and_homedir(service_accountname, NULL, 0,
read_sa_password, (char*)service_accountname,
decrypt_sa_password, 1);
i+=2;
} else if (strcmp(argv[i], "--reg") == 0) {
if ((argv[i+1] == NULL) || (argv[i+1][0] == '-')) {
fprintf(stderr, "No service binary path given\n");
usage(argv[0]);
exit(1);
}
R_opt = 1;
strcpy(service_bin_path, argv[i+1]);
i+=2;
} else if (strcmp(argv[i], "--unreg") == 0) {
if ((argv[i+1] == NULL) || (argv[i+1][0] == '-')) {
fprintf(stderr, "No service binary path given\n");
usage(argv[0]);
exit(1);
}
U_opt = 1;
strcpy(service_bin_path, argv[i+1]);
i+=2;
} else if (strcmp(argv[i], "-o") == 0) {
if ((argv[i+1] == NULL) || (argv[i+1][0] == '-')) {
fprintf(stderr, "No output path argument supplied!\n");
usage(argv[0]);
exit(1);
}
p_opt = 1;
strcpy(outputfile, argv[i+1]);
i+=2;
} else if (strncmp(argv[i], "--instid", strlen("--instid")) == 0) {
if ((argv[i+1] == NULL) || (argv[i+1][0] == '-')) {
fprintf(stderr, "No instance id supplied!\n");
usage(argv[0]);
exit(1);
}
instid_opt = 1;
strncpy(instanceName, argv[i+1], MAXPATHLEN);
i+=2;
} else {
fprintf(stderr, "Unknown option %s\n", argv[i]);
usage(argv[0]);
exit(1);
}
}
if (strlen(outputfile) > 0) {
if ((output_fd=open(outputfile, O_RDWR|O_CREAT, 0600)) != -1) {
_dup2(output_fd, 1); /* put stdout in file */
_dup2(output_fd, 2); /* put stderr in file */
}
}
/* prompt for password if not supplied with -p */
if ((c_opt || R_opt) && (strcmp(sa_password, "") == 0)) {
prompt_to_get_password(sa_password);
cache_usertoken_and_homedir(service_accountname, NULL, 0,
read_sa_password, (char *)service_accountname,
decrypt_sa_password, 1);
}
/* Need to get service_name */
if (R_opt || U_opt) {
char *p = NULL;
int k = 0;
strcpy(service_name, service_bin_path);
if ((p=strrchr(service_bin_path, '\\'))) {
strcpy(service_name, p+1);
}
if ((p=strrchr(service_name, '.'))) {/*remove .exe portion*/
*p = '\0';
}
/* translate from lower-case to upper-case */
for (k=0; k < strlen(service_name); k++) {
service_name[k] = toupper(service_name[k]);
}
if (instid_opt) {
strcat_s(service_name, MAXPATHLEN, "_");
strcat_s(service_name, MAXPATHLEN, instanceName);
}
}
if (c_opt) {
if (add_service_account(sa_password) == 0) {
ret_val = 3;
goto end_pbs_account;
}
}
if (s_opt || R_opt) { /* need service account name */
sa_sid = getusersid2(service_accountname, sa_name);
if (sa_sid == NULL) {
fprintf(stderr, "%s not found!\n", service_accountname);
ret_val= 1;
goto end_pbs_account;
}
if (!isAdminPrivilege(service_accountname)) {
fprintf(stderr, "%s is not ADMIN! - %s\n",
service_accountname, winlog_buffer);
ret_val = 2;
goto end_pbs_account;
}
}
if (s_opt) {
int r1, r2, r3, r4;
printf("Setting the following privileges to %s:\n", sa_name);
r1 = add_privilege(sa_sid, SE_CREATE_TOKEN_NAME);
r2 = add_privilege(sa_sid, SE_ASSIGNPRIMARYTOKEN_NAME);
r3 = add_privilege(sa_sid, SE_SERVICE_LOGON_NAME);
r4 = add_privilege(sa_sid, SE_TCB_NAME);
if ((r1 != 0) || (r2 != 0) || (r3 != 0) || (r4 != 0)) {
ret_val = 4;
goto end_pbs_account;
}
}
if (R_opt) {
ret_val = register_scm(__TEXT(service_name), service_bin_path,
sa_name, sa_password);
}
if (U_opt) {
ret_val = unregister_scm(__TEXT(service_name));
}
end_pbs_account:
if (sa_sid != NULL)
LocalFree(sa_sid);
if (strlen(sa_password) > 0)
memset((char *)sa_password, 0, strlen(sa_password));
if (output_fd != -1)
(void)close(output_fd);
exit(ret_val);
}
/**
*
* @brief
* Secures all the files' permissions (and recreate directories)
* that are related to pbs_mom service.
*
*/
void
secure_mom_files(void)
{
DIR *dir;
char path[MAXPATHLEN+1];
HANDLE hfile;
char *username = NULL;
char logb[LOG_BUF_SIZE] = {'\0' } ;
if (pbs_conf.pbs_home_path == NULL) {
sprintf(logb,"no home_path!");
log_err(-1, "secure_mom_files", logb);
return;
}
username = getlogin_full();
sprintf(path, "%s/mom_priv", pbs_conf.pbs_home_path);
create_dir_everyone_read(path);
dir = opendir(path);
if (dir != NULL) {
struct dirent *pdirent;
char fpath[MAXPATHLEN+1];
while (errno = 0,
(pdirent = readdir(dir)) != NULL) {
char *p;
if (p = strrchr(pdirent->d_name, '.')) {
int baselen = strlen(p)-4;
if (baselen < 0)
continue;
if (strcmpi(p+baselen, ".bat") == 0) {
sprintf(fpath, "%s/%s", path, pdirent->d_name);
sprintf(logb,"securing file %s", fpath);
log_event(PBSEVENT_SYSTEM | PBSEVENT_ADMIN | PBSEVENT_FORCE| PBSEVENT_DEBUG, PBS_EVENTCLASS_FILE, LOG_DEBUG, "", logb);
secure_file2(fpath, "Administrators",
READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
"\\Everyone", READS_MASK|READ_CONTROL);
}
}
}
if (errno != 0 && errno != ENOENT) {
sprintf(logb,"readdir error; %s", path);
log_err(-1, "secure_mom_files", logb);
}
(void)closedir(dir);
}
sprintf(path, "%s/mom_priv/config", pbs_conf.pbs_home_path);
hfile = CreateFile(path, GENERIC_WRITE, FILE_SHARE_WRITE, 0,
OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
if (hfile != INVALID_HANDLE_VALUE) {
sprintf(logb,"created file %s", path);
log_event(PBSEVENT_SYSTEM | PBSEVENT_ADMIN | PBSEVENT_FORCE| PBSEVENT_DEBUG, PBS_EVENTCLASS_FILE, LOG_DEBUG, "", logb);
CloseHandle(hfile);
}
sprintf(logb,"securing %s for admin-only access", path);
log_event(PBSEVENT_SYSTEM | PBSEVENT_ADMIN | PBSEVENT_FORCE| PBSEVENT_DEBUG, PBS_EVENTCLASS_FILE, LOG_DEBUG, "", logb);
secure_file2(path, "Administrators",
READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
username, READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED);
sprintf(path, "%s/mom_logs", pbs_conf.pbs_home_path);
create_dir_everyone_read(path);
sprintf(path, "%s/mom_priv/jobs", pbs_conf.pbs_home_path);
create_dir_everyone_read(path);
sprintf(path, "%s/mom_priv/hooks", pbs_conf.pbs_home_path);
create_dir_admin_service_account_full_access(path);
sprintf(path, "%s/mom_priv/hooks/tmp", pbs_conf.pbs_home_path);
create_dir_admin_service_account_full_access(path);
}
/**
*
* @brief Secures all the files' permissions (and recreate directories) that are
* related to pbs_server service to full control for administrators group
* and to read for everyone group.
*
* @return void
*
*/
void
secure_server_files()
{
char path[MAXPATHLEN+1];
HANDLE hfile;
char *username = NULL;
char logb[LOG_BUF_SIZE] = {'\0' } ;
if (pbs_conf.pbs_home_path == NULL) {
sprintf(logb,"no home_path!");
log_err(-1, "secure_server_files", logb);
return;
}
username = getlogin_full();
sprintf(path, "%s/server_priv", pbs_conf.pbs_home_path);
create_dir_admin_service_account_full_access(path);
sprintf(path, "%s/server_priv/jobs", pbs_conf.pbs_home_path);
create_dir_admin_service_account_full_access(path);
sprintf(path, "%s/server_priv/users", pbs_conf.pbs_home_path);
create_dir_admin_service_account_full_access(path);
sprintf(path, "%s/server_priv/hooks", pbs_conf.pbs_home_path);
create_dir_admin_service_account_full_access(path);
sprintf(path, "%s/server_priv/hooks/tmp", pbs_conf.pbs_home_path);
create_dir_admin_service_account_full_access(path);
sprintf(path, "%s/server_priv/license_file",
pbs_conf.pbs_home_path);
secure_file2(path, "Administrators",
READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
username, READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED);
sprintf(path, "%s/server_priv/resourcedef",
pbs_conf.pbs_home_path);
hfile = CreateFile(path, GENERIC_WRITE, FILE_SHARE_WRITE, 0,
OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
if (hfile != INVALID_HANDLE_VALUE) {
sprintf(logb,"created file %s", path);
log_event(PBSEVENT_SYSTEM | PBSEVENT_ADMIN | PBSEVENT_FORCE| PBSEVENT_DEBUG, PBS_EVENTCLASS_FILE, LOG_DEBUG, "", logb);
CloseHandle(hfile);
}
sprintf(logb,"securing %s for admin-only access", path);
log_event(PBSEVENT_SYSTEM | PBSEVENT_ADMIN | PBSEVENT_FORCE| PBSEVENT_DEBUG, PBS_EVENTCLASS_FILE, LOG_DEBUG, "", logb);
secure_file2(path, "Administrators",
READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
username, READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED);
sprintf(path, "%s/server_logs", pbs_conf.pbs_home_path);
create_dir_everyone_read(path);
sprintf(path, "%s/server_priv/accounting",
pbs_conf.pbs_home_path);
create_dir_everyone_read(path);
sprintf(path, "%s/lib/python", pbs_conf.pbs_exec_path);
make_dir_files_everyone_read(path);
/*
* Permissions of the file $PBS_HOME/server_priv/svrlive, on creation, is set to
* read/write for administrator group. However, on Windows Vista, a combination of a
* reboot after installation and permission setting on server_priv (earlier in this
* function) changes the permission of the svrlive file, thus disallowing server
* database saves (resulting in cascading failures, e.g., job submission). Thus we
* "reset" the permissions on the svrlive file here to what it is supposed to be.
*/
sprintf(path, "%s/server_priv/svrlive", pbs_conf.pbs_home_path);
sprintf(logb,"securing %s for admin-only access", path);
log_event(PBSEVENT_SYSTEM | PBSEVENT_ADMIN | PBSEVENT_FORCE| PBSEVENT_DEBUG, PBS_EVENTCLASS_FILE, LOG_DEBUG, "", logb);
secure_file2(path, "Administrators",
READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
username, READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED);
secure_server_datastore_files();
}
