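//
// Determines if user is a member of the local group group_name
//
// 1 = yes, 0 = no, -1 = error
//
// This is an authorization decision, so it fails closed: any status from
// NetLocalGroupGetMembers other than NERR_Success / ERROR_MORE_DATA is
// reported as -1 instead of being treated as "not a member" (or, as the
// previous version did, looping over an uninitialized buffer).
//
int
perm::userInLocalGroup( const char *account, const char *domain, const char *group_name )
{
	dprintf(D_FULLDEBUG,"in perm::userInLocalGroup() looking at group '%s'\n",
			(group_name) ? group_name : "NULL");

	if ( !group_name ) {
		dprintf(D_ALWAYS, "perm::userInLocalGroup failed: no group name given\n");
		return -1;
	}

	// The Net API takes the group name as a wide string.  _snwprintf does
	// not guarantee NUL termination when it truncates, so terminate it here.
	wchar_t group_name_unicode[MAX_GROUP_LENGTH+1];
	_snwprintf(group_name_unicode, MAX_GROUP_LENGTH+1, L"%S", group_name);
	group_name_unicode[MAX_GROUP_LENGTH] = L'\0';

	LOCALGROUP_MEMBERS_INFO_3 *buf = NULL;	// member page, allocated by the Net API, freed with NetApiBufferFree
	unsigned long entries_read = 0;
	unsigned long total_entries = 0;
	DWORD_PTR resume_handle = 0;		// lets the API continue where the previous page ended
	NET_API_STATUS status;

	do {	// loop until we have checked all the group members
		buf = NULL;
		entries_read = 0;
		status = NetLocalGroupGetMembers (
			NULL,					// servername
			group_name_unicode,		// name of group
			3,						// information level
			(BYTE**) &buf,			// pointer to buffer that receives data
			16384,					// preferred length of data
			&entries_read,			// number of entries read
			&total_entries,			// total entries available
			&resume_handle			// resume handle
		);

		if ( status != NERR_Success && status != ERROR_MORE_DATA ) {
			// Name the well-known failures in the log; anything else is
			// still an error and still ends the check.
			const char *reason;
			switch ( status ) {
			case ERROR_ACCESS_DENIED:
				reason = "ERROR_ACCESS_DENIED";
				break;
			case NERR_InvalidComputer:
				reason = "ERROR_InvalidComputer";
				break;
			case ERROR_NO_SUCH_ALIAS:
				reason = "ERROR_NO_SUCH_ALIAS";
				break;
			default:
				reason = "unexpected status";
				break;
			}
			dprintf(D_ALWAYS, "perm::NetLocalGroupGetMembers failed: %s (status %lu)\n",
					reason, (unsigned long)status);
			dprintf(D_ALWAYS, "perm::NetLocalGroupGetMembers failed: (total entries: %lu, entries read: %lu )\n",
					total_entries, entries_read );
			// A buffer is only handed back on success; free it only if we got one.
			if ( buf ) {
				NetApiBufferFree( buf );
			}
			return -1;
		}

		LOCALGROUP_MEMBERS_INFO_3 *cur = buf;
		for ( unsigned long i = 0; i < entries_read; ++i, ++cur ) {
			wchar_t* member_unicode = cur->lgrmi3_domainandname;

			// convert unicode string to ansi string; snprintf on this
			// platform may not NUL-terminate on truncation, so do it explicitly
			char member[MAX_DOMAIN_LENGTH+MAX_ACCOUNT_LENGTH+2];	// domain+acct+slash+null
			snprintf(member, sizeof(member), "%S", member_unicode);
			member[sizeof(member)-1] = '\0';

			// compare domain and name to find a match
			char *member_name, *member_domain;
			getDomainAndName( member, member_domain, member_name );

			if ( domainAndNameMatch (account, member_name, domain, member_domain) ) {
				NetApiBufferFree( buf );
				return 1;
			}
		}

		// Release this page before asking for the next one.  Previously every
		// page except the last was leaked whenever ERROR_MORE_DATA came back.
		if ( buf ) {
			NetApiBufferFree( buf );
			buf = NULL;
		}
	} while ( status == ERROR_MORE_DATA );

	// having exited the loop without finding anything, we conclude
	// that the account does not exist in the explicit access structure
	return 0;
}	// end if is a local group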
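//
// Chooses the account the job runs as and initializes user_priv for it.
//
// Order of preference, as implemented below:
//   1. (VM universe, VMware only) our own account;
//   2. the job owner (ATTR_OWNER / ATTR_NT_DOMAIN) when run-as-owner is allowed;
//   3. the per-slot "<SLOTNAME>_USER" account from the config file;
//   4. our own token, when this process cannot switch ids at all;
//   5. a dynamically created "nobody" account.
//
// Returns true when a token was obtained; user_priv_is_initialized is set
// to the same value.  A configured account whose stored credential cannot
// be used is reported as a failure rather than silently falling through
// to a different account.
//
bool
JobInfoCommunicator::initUserPrivWindows( void )
{
	// Win32
	// taken origionally from OsProc::StartJob.  Here we create the
	// user and initialize user_priv.

	// By default, assume execute login may be shared by other processes.
	setExecuteAccountIsDedicated( NULL );

	// we support running the job as other users if the user
	// is specifed in the config file, and the account's password
	// is properly stored in our credential stash.
	char *name = NULL;		// heap-allocated; freed at the end
	char *domain = NULL;	// heap-allocated; freed at the end
	bool init_priv_succeeded = true;
	bool run_as_owner = allowRunAsOwner( false, false );

	// TODO..
	// Currently vmgahp for VMware VM universe can't run as user on Windows.
	// It seems like a bug of VMware. VMware command line tool such as "vmrun"
	// requires Administrator privilege.
	// So here we set name and domain with my_username and my_domainname
	// -jaeyoung 06/15/07
	if( job_universe == CONDOR_UNIVERSE_VM ) {
#if 0
		// If "VM_UNIV_NOBODY_USER" is defined in Condor configuration file,
		// wee will use it.
		char *vm_jobs_as = param("VM_UNIV_NOBODY_USER");
		if (vm_jobs_as) {
			getDomainAndName(vm_jobs_as, domain, name);
			/*
			 * name and domain are now just pointers into vm_jobs_as
			 * buffer.  copy these values into their own buffer so we
			 * deallocate below.
			 */
			if ( name ) {
				name = strdup(name);
			}
			if ( domain ) {
				domain = strdup(domain);
			}
			free(vm_jobs_as);
		}
#endif
		MyString vm_type;
		job_ad->LookupString(ATTR_JOB_VM_TYPE, vm_type);
		if( strcasecmp(vm_type.Value(), CONDOR_VM_UNIVERSE_VMWARE) == MATCH ) {
			name = my_username();
			domain = my_domainname();
		}
	}

	if( !name && run_as_owner ) {
		// ATTR_NT_DOMAIN may be absent, in which case domain stays NULL.
		job_ad->LookupString(ATTR_OWNER,&name);
		job_ad->LookupString(ATTR_NT_DOMAIN,&domain);
	}

	if ( !name ) {
		// Look for a per-slot account in the config file, e.g. SLOT1_USER.
		MyString slotName;
		slotName = Starter->getMySlotName();
		slotName.upper_case();
		char slot_user[255];
		// Build the knob name from the C string, not the MyString object, and
		// bound the write: the old sprintf could overrun on a long slot name.
		snprintf(slot_user, sizeof(slot_user), "%s_USER", slotName.Value());
		slot_user[sizeof(slot_user)-1] = '\0';
		char *run_jobs_as = param(slot_user);
		if (run_jobs_as) {
			getDomainAndName(run_jobs_as, domain, name);
			/*
			 * name and domain are now just pointers into run_jobs_as
			 * buffer.  copy these values into their own buffer so we
			 * deallocate below.
			 */
			if ( name ) {
				name = strdup(name);
			}
			if ( domain ) {
				domain = strdup(domain);
			}
			free(run_jobs_as);
		}
	}

	if ( name ) {
		if (!init_user_ids(name, domain)) {
			dprintf(D_ALWAYS, "Could not initialize user_priv as \"%s\\%s\".\n"
				"\tMake sure this account's password is securely stored "
				"with condor_store_cred.\n", domain ? domain : "", name );
			init_priv_succeeded = false;
		} else {
			MyString login_name;
			joinDomainAndName(name, domain, login_name);
			if( checkDedicatedExecuteAccounts( login_name.Value() ) ) {
				setExecuteAccountIsDedicated( login_name.Value() );
			}
		}
	} else if ( !can_switch_ids() ) {
		// No other account is usable, so the job runs under our own token.
		char *u = my_username();
		char *d = my_domainname();
		if ( !init_user_ids(u, d) ) {
			// shouldn't happen - we always can get our own token
			dprintf(D_ALWAYS, "Could not initialize user_priv with our own token!\n");
			init_priv_succeeded = false;
		}
		free(u);
		free(d);
	} else if( init_user_ids("nobody", ".") ) {
		// just init a new nobody user; dynuser handles the rest.
		// the "." means Local Machine to LogonUser
		setExecuteAccountIsDedicated( get_user_loginname() );
	} else {
		dprintf( D_ALWAYS, "ERROR: Could not initialize user_priv "
				 "as \"nobody\"\n" );
		init_priv_succeeded = false;
	}

	// free(NULL) is a no-op, so no guards are needed here.
	free(name);
	free(domain);

	user_priv_is_initialized = init_priv_succeeded;
	return init_priv_succeeded;
}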