/**************************************************************************** add all the privileges to a privilege array ****************************************************************************/ NTSTATUS add_all_privilege(PRIVILEGE_SET *priv_set) { NTSTATUS result = NT_STATUS_OK; LUID_ATTR set; set.attr = 0; set.luid.high = 0; /* TODO: set a proper list of privileges */ set.luid.low = SE_PRIV_ADD_USERS; result = add_privilege(priv_set, set); NTSTATUS_CHECK(result, done, "add_all_privilege", "add_privilege"); set.luid.low = SE_PRIV_ADD_MACHINES; result = add_privilege(priv_set, set); NTSTATUS_CHECK(result, done, "add_all_privilege", "add_privilege"); set.luid.low = SE_PRIV_PRINT_OPERATOR; result = add_privilege(priv_set, set); NTSTATUS_CHECK(result, done, "add_all_privilege", "add_privilege"); return result; }
/** * @brief * main - the entry point in pbs_account_win.c * * @param[in] argc - argument count * @param[in] argv - argument variables. * @param[in] env - environment values. * * @return int * @retval 0 : success * @retval !=0 : error code */ main(int argc, char *argv[]) { SID *sa_sid = NULL; /* service account SID */ char sa_name[PBS_MAXHOSTNAME+UNLEN+2] = {'\0'}; /* service account name */ /* domain\user\0 */ int ret_val = 0; int c_opt = 0; int s_opt = 0; int a_opt = 0; int p_opt = 0; int R_opt = 0; int U_opt = 0; int instid_opt = 0; char service_bin_path[MAXPATHLEN+1] = {'\0'}; char service_name[MAXPATHLEN+1] = {'\0'}; int i = 0; char outputfile[MAXPATHLEN+1] = {'\0'}; char instanceName[MAXPATHLEN+1] = {'\0'}; int output_fd = -1; struct passwd *pw = NULL; char *p = NULL; winsock_init(); /*test for real deal or just version and exit*/ execution_mode(argc, argv); strcpy(exec_unamef, getlogin_full()); strcpy(exec_dname, "."); if ((p=strchr(exec_unamef, '\\'))) { *p = '\0'; strcpy(exec_dname, exec_unamef); *p = '\\'; } strcpy(sa_password, ""); strcpy(outputfile, ""); /* with no option, check only if service account exists */ if (argc == 1) { int in_domain_environment = 0; char dname[PBS_MAXHOSTNAME+1] = {'\0'}; char dctrl[PBS_MAXHOSTNAME+1] = {'\0'}; wchar_t unamew[UNLEN+1] = {'\0'}; wchar_t dctrlw[PBS_MAXHOSTNAME+1] = {'\0'}; USER_INFO_0 *ui1_ptr = NULL; NET_API_STATUS netst = 0; /* figure out the domain controller hostname (dctrl) */ /* in domain environment, */ /* domain name (dname) != domain controller hostname */ /* in standalone environment, */ /* domain name (dname) == domain controller hostname */ in_domain_environment = GetComputerDomainName(dname); strcpy(dctrl, dname); if (in_domain_environment) { char dname_a[PBS_MAXHOSTNAME+1]; get_dcinfo(dname, dname_a, dctrl); } /* convert strings to "wide" format */ mbstowcs(unamew, service_accountname, UNLEN+1); mbstowcs(dctrlw, dctrl, PBS_MAXHOSTNAME+1); netst = wrap_NetUserGetInfo(dctrlw, unamew, 1, (LPBYTE *)&ui1_ptr); if (strlen(winlog_buffer) > 0) { fprintf(stderr, "%s\n", winlog_buffer); } if (netst == NERR_UserNotFound) { fprintf(stderr, "%s not found!\n", service_accountname); if (in_domain_environment && stricmp(exec_dname, dname) != 0) { fprintf(stderr, "But no privilege to create service account %s\\%s!\n", dname, service_accountname); ret_val=2; } else { ret_val=1; } } else if ((netst == ERROR_ACCESS_DENIED) || (netst == ERROR_LOGON_FAILURE)) { fprintf(stderr, "no privilege to obtain info for service account %s\\%s!\n", dname, service_accountname); ret_val= 2; } else { fprintf(stderr, "service account is %s\\%s!\n", dname, service_accountname); ret_val = 0; } if (ui1_ptr != NULL) NetApiBufferFree(ui1_ptr); goto end_pbs_account; } i = 1; while (i < argc) { if (strcmp(argv[i], "-c") == 0) { c_opt = 1; i++; } else if (strcmp(argv[i], "--ci") == 0) { c_opt = 1; for_info_only = 1; i++; } else if (strcmp(argv[i], "-s") == 0) { s_opt = 1; i++; } else if (strcmp(argv[i], "-a") == 0) { if ((argv[i+1] == NULL) || (argv[i+1][0] == '-')) { fprintf(stderr, "No service account name argument supplied!\n"); usage(argv[0]); exit(1); } a_opt = 1; strcpy(service_accountname, argv[i+1]); i+=2; } else if (strcmp(argv[i], "-p") == 0) { if ((argv[i+1] == NULL) || (argv[i+1][0] == '-')) { fprintf(stderr, "No password argument supplied!\n"); usage(argv[0]); exit(1); } p_opt = 1; strcpy(sa_password, argv[i+1]); cache_usertoken_and_homedir(service_accountname, NULL, 0, read_sa_password, (char*)service_accountname, decrypt_sa_password, 1); i+=2; } else if (strcmp(argv[i], "--reg") == 0) { if ((argv[i+1] == NULL) || (argv[i+1][0] == '-')) { fprintf(stderr, "No service binary path given\n"); usage(argv[0]); exit(1); } R_opt = 1; strcpy(service_bin_path, argv[i+1]); i+=2; } else if (strcmp(argv[i], "--unreg") == 0) { if ((argv[i+1] == NULL) || (argv[i+1][0] == '-')) { fprintf(stderr, "No service binary path given\n"); usage(argv[0]); exit(1); } U_opt = 1; strcpy(service_bin_path, argv[i+1]); i+=2; } else if (strcmp(argv[i], "-o") == 0) { if ((argv[i+1] == NULL) || (argv[i+1][0] == '-')) { fprintf(stderr, "No output path argument supplied!\n"); usage(argv[0]); exit(1); } p_opt = 1; strcpy(outputfile, argv[i+1]); i+=2; } else if (strncmp(argv[i], "--instid", strlen("--instid")) == 0) { if ((argv[i+1] == NULL) || (argv[i+1][0] == '-')) { fprintf(stderr, "No instance id supplied!\n"); usage(argv[0]); exit(1); } instid_opt = 1; strncpy(instanceName, argv[i+1], MAXPATHLEN); i+=2; } else { fprintf(stderr, "Unknown option %s\n", argv[i]); usage(argv[0]); exit(1); } } if (strlen(outputfile) > 0) { if ((output_fd=open(outputfile, O_RDWR|O_CREAT, 0600)) != -1) { _dup2(output_fd, 1); /* put stdout in file */ _dup2(output_fd, 2); /* put stderr in file */ } } /* prompt for password if not supplied with -p */ if ((c_opt || R_opt) && (strcmp(sa_password, "") == 0)) { prompt_to_get_password(sa_password); cache_usertoken_and_homedir(service_accountname, NULL, 0, read_sa_password, (char *)service_accountname, decrypt_sa_password, 1); } /* Need to get service_name */ if (R_opt || U_opt) { char *p = NULL; int k = 0; strcpy(service_name, service_bin_path); if ((p=strrchr(service_bin_path, '\\'))) { strcpy(service_name, p+1); } if ((p=strrchr(service_name, '.'))) {/*remove .exe portion*/ *p = '\0'; } /* translate from lower-case to upper-case */ for (k=0; k < strlen(service_name); k++) { service_name[k] = toupper(service_name[k]); } if (instid_opt) { strcat_s(service_name, MAXPATHLEN, "_"); strcat_s(service_name, MAXPATHLEN, instanceName); } } if (c_opt) { if (add_service_account(sa_password) == 0) { ret_val = 3; goto end_pbs_account; } } if (s_opt || R_opt) { /* need service account name */ sa_sid = getusersid2(service_accountname, sa_name); if (sa_sid == NULL) { fprintf(stderr, "%s not found!\n", service_accountname); ret_val= 1; goto end_pbs_account; } if (!isAdminPrivilege(service_accountname)) { fprintf(stderr, "%s is not ADMIN! - %s\n", service_accountname, winlog_buffer); ret_val = 2; goto end_pbs_account; } } if (s_opt) { int r1, r2, r3, r4; printf("Setting the following privileges to %s:\n", sa_name); r1 = add_privilege(sa_sid, SE_CREATE_TOKEN_NAME); r2 = add_privilege(sa_sid, SE_ASSIGNPRIMARYTOKEN_NAME); r3 = add_privilege(sa_sid, SE_SERVICE_LOGON_NAME); r4 = add_privilege(sa_sid, SE_TCB_NAME); if ((r1 != 0) || (r2 != 0) || (r3 != 0) || (r4 != 0)) { ret_val = 4; goto end_pbs_account; } } if (R_opt) { ret_val = register_scm(__TEXT(service_name), service_bin_path, sa_name, sa_password); } if (U_opt) { ret_val = unregister_scm(__TEXT(service_name)); } end_pbs_account: if (sa_sid != NULL) LocalFree(sa_sid); if (strlen(sa_password) > 0) memset((char *)sa_password, 0, strlen(sa_password)); if (output_fd != -1) (void)close(output_fd); exit(ret_val); }