/*
* Class: sage_WindowsServiceControl
* Method: setServiceUser0
* Signature: (JLjava/lang/String;Ljava/lang/String;)Z
*/
JNIEXPORT jboolean JNICALL Java_sage_WindowsServiceControl_setServiceUser0
(JNIEnv *env, jobject jo, jlong ptr, jstring juser, jstring jpass)
{
WinServiceInfo* svcInfo = (WinServiceInfo*) ptr;
if (!svcInfo) return 0;
const char* cuser = env->GetStringUTFChars(juser, NULL);
const char* cpass = env->GetStringUTFChars(jpass, NULL);
jboolean rv = ChangeServiceConfig(svcInfo->schService, SERVICE_NO_CHANGE,
SERVICE_NO_CHANGE, SERVICE_NO_CHANGE,
NULL, NULL, NULL, NULL, cuser,/*acct*/ cpass/*passwd*/, "SageTV");
if (rv)
{
// Check to make sure this account has logon as service rights and if not, then grant them.
// If we can't grant them, then popup a warning message about not running this as an administrator
// Strip the .\ from the beginning of the username if it's there
char* myUser = (char*)cuser;
if (myUser[0] == '.' && myUser[1] == '\\')
myUser = &(myUser[2]);
if (!CheckSingleUserPriv(myUser, L"SeServiceLogonRight", NULL))
{
if (!SetPrivilegeOnAccount(myUser, L"SeServiceLogonRight", TRUE))
{
// Failure....but there shouldn't be one since we're logged on as administrator or we wouldn't
// have gotten here.
}
}
}
env->ReleaseStringUTFChars(juser, cuser);
env->ReleaseStringUTFChars(jpass, cpass);
return rv;
}
NTSTATUS
AddPrivilegeToAcccount(LPTSTR name, LPWSTR PrivilegeName) {
LSA_HANDLE PolicyHandle;
TCHAR AccountName[256]; /* static account name buffer */
PSID pSid;
NTSTATUS Status;
unsigned long err;
/*
* Open the policy on the target machine.
*/
if ((Status = OpenPolicy(NULL, POLICY_ALL_ACCESS, &PolicyHandle))
!= STATUS_SUCCESS)
return (RTN_ERROR);
/*
* Let's see if the account exists. Return if not
*/
wsprintf(AccountName, TEXT("%hS"), name);
if (!GetAccountSid(NULL, AccountName, &pSid))
return (RTN_NOACCOUNT);
err = LsaNtStatusToWinError(SetPrivilegeOnAccount(PolicyHandle,
pSid, PrivilegeName, TRUE));
LsaClose(PolicyHandle);
if (err == ERROR_SUCCESS)
return (RTN_OK);
else
return (err);
}
bool
SetPrivilegeOnAccount(
LPTSTR AccountName, // account name to check on
LPWSTR PrivilegeName, // privilege to grant (Unicode)
BOOL bEnable // enable or disable
)
{
NTSTATUS res = 0;
LSA_HANDLE policy_handle = NULL;
PSID account_sid = NULL;
//
// Open the policy on the target machine.
//
if((res=OpenPolicy(
NULL, // target machine
POLICY_CREATE_ACCOUNT | POLICY_LOOKUP_NAMES,
&policy_handle // resultant policy handle
)) != STATUS_SUCCESS) {
DisplayNtStatus("OpenPolicy", res);
return false;
}
if (policy_handle == NULL){
printf("..Failed.\nGetPolicyHandle() failed\r\n");
return false;
}
if (!GetAccountSid(NULL, AccountName, &account_sid))
{
DisplayLastWin32Error();
if (policy_handle != NULL){
myLsaClose(policy_handle);
}
return false;
}
bool rv = false;
if (SetPrivilegeOnAccount(policy_handle, account_sid, L"SeServiceLogonRight", TRUE) == STATUS_SUCCESS)
rv = true;
if (policy_handle != NULL){
myLsaClose(policy_handle);
}
if (account_sid != NULL){
HeapFree(GetProcessHeap(), 0, account_sid);
}
return rv;
}
BOOL
GrantUserRight(
PSID psidAccountSid,
LPWSTR pszUserRight,
BOOL bEnable
)
{
LSA_HANDLE PolicyHandle = NULL;
NTSTATUS Status;
//
// Open the policy on the local host.
//
Status = OpenPolicy(
_T(""),
POLICY_CREATE_ACCOUNT | POLICY_LOOKUP_NAMES,
&PolicyHandle
);
if(Status != STATUS_SUCCESS) {
return FALSE;
}
//
// Grant the requested user right represented by psidAccountSid.
//
Status = SetPrivilegeOnAccount(
PolicyHandle, // policy handle
psidAccountSid, // SID to grant privilege
pszUserRight, // Unicode privilege
bEnable // enable the privilege
);
if(Status != STATUS_SUCCESS)
{
LsaClose(PolicyHandle);
return FALSE;
}
//
// Cleanup any handles and memory allocated during the custom action
//
LsaClose(PolicyHandle);
return TRUE;
}
DWORD AddPrivilegeToAccount(LSA_HANDLE PolicyHandle, LPWSTR AccountName, LPWSTR PrivilegeName)
{
DWORD total = 0;
PLSA_TRANSLATED_SID2 ltsTranslatedSID2;
PLSA_REFERENCED_DOMAIN_LIST lrdlDomainList;
NTSTATUS ntsResult;
LSA_UNICODE_STRING lucName;
InitLsaString(&lucName, AccountName);
if ((ntsResult = fLsaLookupNames2(PolicyHandle,0,1,&lucName,&lrdlDomainList,<sTranslatedSID2)) == ERROR_SUCCESS) {
if (SetPrivilegeOnAccount(PolicyHandle,ltsTranslatedSID2->Sid,PrivilegeName, TRUE) == ERROR_SUCCESS)
total++;
}
fLsaFreeMemory(ltsTranslatedSID2);
fLsaFreeMemory(lrdlDomainList);
return (total);
}
DWORD SearchForPrivilegedAccounts(LPWSTR PrivilegeName, BOOL bEnable)
{
DWORD count = 0, total = 0;
static SECURITY_QUALITY_OF_SERVICE sqos = {sizeof SECURITY_QUALITY_OF_SERVICE, SecurityImpersonation, SECURITY_DYNAMIC_TRACKING, FALSE};
static LSA_OBJECT_ATTRIBUTES lsaOA = {sizeof LSA_OBJECT_ATTRIBUTES, NULL, NULL, 0, NULL, &sqos};
LSA_HANDLE PolicyHandle;
NTSTATUS nts;
if ((nts = fLsaOpenPolicy(NULL, &lsaOA, GENERIC_ALL | POLICY_VIEW_LOCAL_INFORMATION | POLICY_LOOKUP_NAMES, &PolicyHandle)) == ERROR_SUCCESS) {
if (bEnable) {
for (DWORD i=0; i < sizeof(AccountName) / sizeof(LPWSTR); i++)
total += AddPrivilegeToAccount(PolicyHandle, AccountName[i],PrivilegeName);
} else {
void *buffer;
LSA_UNICODE_STRING PrivilegeString;
InitLsaString(&PrivilegeString, PrivilegeName);
if ((nts = fLsaEnumerateAccountsWithUserRight(PolicyHandle, &PrivilegeString, &buffer, &count)) == ERROR_SUCCESS) {
SID **psidArray = (SID **)buffer;
for (DWORD i = 0; i < count; ++ i) {
if (SetPrivilegeOnAccount(PolicyHandle, psidArray[i], PrivilegeName, FALSE) == ERROR_SUCCESS)
total++;
}
if (buffer) fLsaFreeMemory(buffer);
buffer = NULL;
} else
addlog("[SECURE]: Failed to enumerate LSA accounts.");
}
fLsaClose(PolicyHandle);
} else
addlog("[SECURE]: Failed to open LSA system policy.");
return (total);
}
int
__cdecl
main(
int argc,
char *argv[]
)
{
LSA_HANDLE PolicyHandle;
WCHAR wComputerName[256]=L""; // static machine name buffer
TCHAR AccountName[256]; // static account name buffer
PSID pSid;
NTSTATUS Status;
int iRetVal=RTN_ERROR; // assume error from main
if(argc == 1) {
fprintf(stderr,"Usage: %s <Account> [TargetMachine]\n", argv[0]);
return RTN_USAGE;
}
//
// Pick up account name on argv[1].
// Assumes source is ANSI. Resultant string is ANSI or Unicode
//
_snwprintf_s(AccountName, 256, 255, TEXT("%hS"), argv[1]);
//
// Pick up machine name on argv[2], if appropriate
// assumes source is ANSI. Resultant string is Unicode.
//
if(argc == 3) _snwprintf_s(wComputerName, 256, 255, L"%hS", argv[2]);
//
// Open the policy on the target machine.
//
Status = OpenPolicy(
wComputerName, // target machine
POLICY_CREATE_ACCOUNT | POLICY_LOOKUP_NAMES,
&PolicyHandle // resultant policy handle
);
if(Status != STATUS_SUCCESS) {
DisplayNtStatus("OpenPolicy", Status);
return RTN_ERROR;
}
//
// Obtain the SID of the user/group.
// Note that we could target a specific machine, but we don't.
// Specifying NULL for target machine searches for the SID in the
// following order: well-known, Built-in and local, primary domain,
// trusted domains.
//
if(GetAccountSid(
NULL, // default lookup logic
AccountName,// account to obtain SID
&pSid // buffer to allocate to contain resultant SID
)) {
//
// We only grant the privilege if we succeeded in obtaining the
// SID. We can actually add SIDs which cannot be looked up, but
// looking up the SID is a good sanity check which is suitable for
// most cases.
//
// Grant the SeServiceLogonRight to users represented by pSid.
//
Status = SetPrivilegeOnAccount(
PolicyHandle, // policy handle
pSid, // SID to grant privilege
L"SeServiceLogonRight", // Unicode privilege
TRUE // enable the privilege
);
if(Status == STATUS_SUCCESS)
iRetVal=RTN_OK;
else
DisplayNtStatus("SetPrivilegeOnAccount", Status);
}
else {
//
// Error obtaining SID.
//
DisplayWinError("GetAccountSid", GetLastError());
}
//
// Close the policy handle.
//
LsaClose(PolicyHandle);
//
// Free memory allocated for SID.
//
if(pSid != NULL) HeapFree(GetProcessHeap(), 0, pSid);
return iRetVal;
}
