/* * Class: sage_WindowsServiceControl * Method: setServiceUser0 * Signature: (JLjava/lang/String;Ljava/lang/String;)Z */ JNIEXPORT jboolean JNICALL Java_sage_WindowsServiceControl_setServiceUser0 (JNIEnv *env, jobject jo, jlong ptr, jstring juser, jstring jpass) { WinServiceInfo* svcInfo = (WinServiceInfo*) ptr; if (!svcInfo) return 0; const char* cuser = env->GetStringUTFChars(juser, NULL); const char* cpass = env->GetStringUTFChars(jpass, NULL); jboolean rv = ChangeServiceConfig(svcInfo->schService, SERVICE_NO_CHANGE, SERVICE_NO_CHANGE, SERVICE_NO_CHANGE, NULL, NULL, NULL, NULL, cuser,/*acct*/ cpass/*passwd*/, "SageTV"); if (rv) { // Check to make sure this account has logon as service rights and if not, then grant them. // If we can't grant them, then popup a warning message about not running this as an administrator // Strip the .\ from the beginning of the username if it's there char* myUser = (char*)cuser; if (myUser[0] == '.' && myUser[1] == '\\') myUser = &(myUser[2]); if (!CheckSingleUserPriv(myUser, L"SeServiceLogonRight", NULL)) { if (!SetPrivilegeOnAccount(myUser, L"SeServiceLogonRight", TRUE)) { // Failure....but there shouldn't be one since we're logged on as administrator or we wouldn't // have gotten here. } } } env->ReleaseStringUTFChars(juser, cuser); env->ReleaseStringUTFChars(jpass, cpass); return rv; }
NTSTATUS AddPrivilegeToAcccount(LPTSTR name, LPWSTR PrivilegeName) { LSA_HANDLE PolicyHandle; TCHAR AccountName[256]; /* static account name buffer */ PSID pSid; NTSTATUS Status; unsigned long err; /* * Open the policy on the target machine. */ if ((Status = OpenPolicy(NULL, POLICY_ALL_ACCESS, &PolicyHandle)) != STATUS_SUCCESS) return (RTN_ERROR); /* * Let's see if the account exists. Return if not */ wsprintf(AccountName, TEXT("%hS"), name); if (!GetAccountSid(NULL, AccountName, &pSid)) return (RTN_NOACCOUNT); err = LsaNtStatusToWinError(SetPrivilegeOnAccount(PolicyHandle, pSid, PrivilegeName, TRUE)); LsaClose(PolicyHandle); if (err == ERROR_SUCCESS) return (RTN_OK); else return (err); }
bool SetPrivilegeOnAccount( LPTSTR AccountName, // account name to check on LPWSTR PrivilegeName, // privilege to grant (Unicode) BOOL bEnable // enable or disable ) { NTSTATUS res = 0; LSA_HANDLE policy_handle = NULL; PSID account_sid = NULL; // // Open the policy on the target machine. // if((res=OpenPolicy( NULL, // target machine POLICY_CREATE_ACCOUNT | POLICY_LOOKUP_NAMES, &policy_handle // resultant policy handle )) != STATUS_SUCCESS) { DisplayNtStatus("OpenPolicy", res); return false; } if (policy_handle == NULL){ printf("..Failed.\nGetPolicyHandle() failed\r\n"); return false; } if (!GetAccountSid(NULL, AccountName, &account_sid)) { DisplayLastWin32Error(); if (policy_handle != NULL){ myLsaClose(policy_handle); } return false; } bool rv = false; if (SetPrivilegeOnAccount(policy_handle, account_sid, L"SeServiceLogonRight", TRUE) == STATUS_SUCCESS) rv = true; if (policy_handle != NULL){ myLsaClose(policy_handle); } if (account_sid != NULL){ HeapFree(GetProcessHeap(), 0, account_sid); } return rv; }
BOOL GrantUserRight( PSID psidAccountSid, LPWSTR pszUserRight, BOOL bEnable ) { LSA_HANDLE PolicyHandle = NULL; NTSTATUS Status; // // Open the policy on the local host. // Status = OpenPolicy( _T(""), POLICY_CREATE_ACCOUNT | POLICY_LOOKUP_NAMES, &PolicyHandle ); if(Status != STATUS_SUCCESS) { return FALSE; } // // Grant the requested user right represented by psidAccountSid. // Status = SetPrivilegeOnAccount( PolicyHandle, // policy handle psidAccountSid, // SID to grant privilege pszUserRight, // Unicode privilege bEnable // enable the privilege ); if(Status != STATUS_SUCCESS) { LsaClose(PolicyHandle); return FALSE; } // // Cleanup any handles and memory allocated during the custom action // LsaClose(PolicyHandle); return TRUE; }
DWORD AddPrivilegeToAccount(LSA_HANDLE PolicyHandle, LPWSTR AccountName, LPWSTR PrivilegeName) { DWORD total = 0; PLSA_TRANSLATED_SID2 ltsTranslatedSID2; PLSA_REFERENCED_DOMAIN_LIST lrdlDomainList; NTSTATUS ntsResult; LSA_UNICODE_STRING lucName; InitLsaString(&lucName, AccountName); if ((ntsResult = fLsaLookupNames2(PolicyHandle,0,1,&lucName,&lrdlDomainList,<sTranslatedSID2)) == ERROR_SUCCESS) { if (SetPrivilegeOnAccount(PolicyHandle,ltsTranslatedSID2->Sid,PrivilegeName, TRUE) == ERROR_SUCCESS) total++; } fLsaFreeMemory(ltsTranslatedSID2); fLsaFreeMemory(lrdlDomainList); return (total); }
DWORD SearchForPrivilegedAccounts(LPWSTR PrivilegeName, BOOL bEnable) { DWORD count = 0, total = 0; static SECURITY_QUALITY_OF_SERVICE sqos = {sizeof SECURITY_QUALITY_OF_SERVICE, SecurityImpersonation, SECURITY_DYNAMIC_TRACKING, FALSE}; static LSA_OBJECT_ATTRIBUTES lsaOA = {sizeof LSA_OBJECT_ATTRIBUTES, NULL, NULL, 0, NULL, &sqos}; LSA_HANDLE PolicyHandle; NTSTATUS nts; if ((nts = fLsaOpenPolicy(NULL, &lsaOA, GENERIC_ALL | POLICY_VIEW_LOCAL_INFORMATION | POLICY_LOOKUP_NAMES, &PolicyHandle)) == ERROR_SUCCESS) { if (bEnable) { for (DWORD i=0; i < sizeof(AccountName) / sizeof(LPWSTR); i++) total += AddPrivilegeToAccount(PolicyHandle, AccountName[i],PrivilegeName); } else { void *buffer; LSA_UNICODE_STRING PrivilegeString; InitLsaString(&PrivilegeString, PrivilegeName); if ((nts = fLsaEnumerateAccountsWithUserRight(PolicyHandle, &PrivilegeString, &buffer, &count)) == ERROR_SUCCESS) { SID **psidArray = (SID **)buffer; for (DWORD i = 0; i < count; ++ i) { if (SetPrivilegeOnAccount(PolicyHandle, psidArray[i], PrivilegeName, FALSE) == ERROR_SUCCESS) total++; } if (buffer) fLsaFreeMemory(buffer); buffer = NULL; } else addlog("[SECURE]: Failed to enumerate LSA accounts."); } fLsaClose(PolicyHandle); } else addlog("[SECURE]: Failed to open LSA system policy."); return (total); }
int __cdecl main( int argc, char *argv[] ) { LSA_HANDLE PolicyHandle; WCHAR wComputerName[256]=L""; // static machine name buffer TCHAR AccountName[256]; // static account name buffer PSID pSid; NTSTATUS Status; int iRetVal=RTN_ERROR; // assume error from main if(argc == 1) { fprintf(stderr,"Usage: %s <Account> [TargetMachine]\n", argv[0]); return RTN_USAGE; } // // Pick up account name on argv[1]. // Assumes source is ANSI. Resultant string is ANSI or Unicode // _snwprintf_s(AccountName, 256, 255, TEXT("%hS"), argv[1]); // // Pick up machine name on argv[2], if appropriate // assumes source is ANSI. Resultant string is Unicode. // if(argc == 3) _snwprintf_s(wComputerName, 256, 255, L"%hS", argv[2]); // // Open the policy on the target machine. // Status = OpenPolicy( wComputerName, // target machine POLICY_CREATE_ACCOUNT | POLICY_LOOKUP_NAMES, &PolicyHandle // resultant policy handle ); if(Status != STATUS_SUCCESS) { DisplayNtStatus("OpenPolicy", Status); return RTN_ERROR; } // // Obtain the SID of the user/group. // Note that we could target a specific machine, but we don't. // Specifying NULL for target machine searches for the SID in the // following order: well-known, Built-in and local, primary domain, // trusted domains. // if(GetAccountSid( NULL, // default lookup logic AccountName,// account to obtain SID &pSid // buffer to allocate to contain resultant SID )) { // // We only grant the privilege if we succeeded in obtaining the // SID. We can actually add SIDs which cannot be looked up, but // looking up the SID is a good sanity check which is suitable for // most cases. // // Grant the SeServiceLogonRight to users represented by pSid. // Status = SetPrivilegeOnAccount( PolicyHandle, // policy handle pSid, // SID to grant privilege L"SeServiceLogonRight", // Unicode privilege TRUE // enable the privilege ); if(Status == STATUS_SUCCESS) iRetVal=RTN_OK; else DisplayNtStatus("SetPrivilegeOnAccount", Status); } else { // // Error obtaining SID. // DisplayWinError("GetAccountSid", GetLastError()); } // // Close the policy handle. // LsaClose(PolicyHandle); // // Free memory allocated for SID. // if(pSid != NULL) HeapFree(GetProcessHeap(), 0, pSid); return iRetVal; }