ファイル: perm.WINDOWS.cpp プロジェクト: AmesianX/htcondor
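//
// Determines if user is a member of the local group group_name
//
//  account    - account name to look for (matched via domainAndNameMatch)
//  domain     - domain of that account
//  group_name - local group to enumerate (may be NULL; logged as "NULL")
//
//  1 = yes, 0 = no, -1 = error
//
// Any NetLocalGroupGetMembers status other than NERR_Success and
// ERROR_MORE_DATA is reported as -1 (error), never as 0, so a failed
// lookup can not be mistaken for "not a member".
//
int perm::userInLocalGroup( const char *account, const char *domain, const char *group_name ) {
	
	// Output buffer from NetLocalGroupGetMembers.  Kept NULL whenever we do
	// not own an allocation so that every free path below is safe.
	LOCALGROUP_MEMBERS_INFO_3 *buf = NULL;
	LOCALGROUP_MEMBERS_INFO_3 *cur = NULL;
	
	dprintf(D_FULLDEBUG,"in perm::userInLocalGroup() looking at group '%s'\n", (group_name) ? group_name : "NULL");

	unsigned long entries_read = 0;
	unsigned long total_entries = 0;
	NET_API_STATUS status;
	wchar_t group_name_unicode[MAX_GROUP_LENGTH+1];
	_snwprintf(group_name_unicode, MAX_GROUP_LENGTH+1, L"%S", group_name);
	// _snwprintf does not NUL-terminate when the output is truncated, so
	// terminate explicitly: an over-long group name must not let the API
	// read past the end of group_name_unicode.
	group_name_unicode[MAX_GROUP_LENGTH] = L'\0';
	
	DWORD_PTR resume_handle = 0;
	
	do {	 // loop until we have checked all the group members
		
		status = NetLocalGroupGetMembers ( 
			NULL,									// servername
			group_name_unicode,					// name of group
			3,										// information level
			(BYTE**) &buf,							// pointer to buffer that receives data
			16384,									// preferred length of data
			&entries_read,							// number of entries read
			&total_entries,							// total entries available
			&resume_handle							// resume handle 
			);	
		
		// Only NERR_Success and ERROR_MORE_DATA leave a buffer we may walk;
		// everything else is a failure and is labelled for the log.
		const char *failure = NULL;
		switch ( status ) {
		case NERR_Success:
		case ERROR_MORE_DATA:
			break;
		case ERROR_ACCESS_DENIED:
			failure = "ERROR_ACCESS_DENIED";
			break;
		case NERR_InvalidComputer:
			failure = "ERROR_InvalidComputer";
			break;
		case ERROR_NO_SUCH_ALIAS:
			failure = "ERROR_NO_SUCH_ALIAS";
			break;
		default:
			// Previously any other status fell through and the loop below
			// walked entries_read entries of a buffer that was never assigned.
			failure = "unexpected status";
			break;
		}
		if ( failure ) {
			dprintf(D_ALWAYS, "perm::NetLocalGroupGetMembers failed: %s (status %lu)\n",
				failure, (unsigned long) status );
			if ( buf ) {
				NetApiBufferFree( buf );
			}
			dprintf(D_ALWAYS, "perm::NetLocalGroupGetMembers failed: (total entries: %lu, entries read: %lu )\n", 
				total_entries, entries_read );
			return -1;
		}

		DWORD i;

		for ( i = 0, cur = buf; i < entries_read; ++ i, ++ cur )
		{
			wchar_t* member_unicode = cur->lgrmi3_domainandname;
			// convert unicode string to ansi string
			char member[MAX_DOMAIN_LENGTH+MAX_ACCOUNT_LENGTH+2];  // domain+acct+slash+null
			snprintf(member, sizeof(member), "%S", member_unicode);
			// not every snprintf implementation terminates on truncation
			member[sizeof(member)-1] = '\0';
			
			// compare domain and name to find a match
			char *member_name, *member_domain;
			getDomainAndName( member, member_domain, member_name );

			if ( domainAndNameMatch (account, member_name, domain, member_domain) )
			{
				NetApiBufferFree( buf );
				return 1;
			}
		}

		// Release this page before fetching the next one.  Only the last
		// page used to be freed, leaking every earlier one on ERROR_MORE_DATA.
		if ( buf ) {
			NetApiBufferFree( buf );
			buf = NULL;
		}
	} while ( status == ERROR_MORE_DATA );
	// having exited the loop without finding anything, we conclude
	// that the account is not a member of the group
	
	return 0;
} // end if is a local group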
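//
// Win32: choose the account the job will run as and initialize user_priv
// for it.  Candidates, in order of preference:
//   1. our own account, for VMware VM-universe jobs (vmrun needs admin);
//   2. the job owner (ATTR_OWNER / ATTR_NT_DOMAIN) when run-as-owner is allowed;
//   3. the <SLOTNAME>_USER account from the configuration;
//   4. our own account when we cannot switch ids;
//   5. a freshly created "nobody" user handled by dynuser.
// Records the result in user_priv_is_initialized and returns it.
//
bool
JobInfoCommunicator::initUserPrivWindows( void )
{
    // Win32
    // taken origionally from OsProc::StartJob.  Here we create the
    // user and initialize user_priv.

    // By default, assume execute login may be shared by other processes.
    setExecuteAccountIsDedicated( NULL );

    // we support running the job as other users if the user
    // is specifed in the config file, and the account's password
    // is properly stored in our credential stash.

    // name/domain are heap strings (or NULL) owned by this function and
    // released at the bottom.
    char *name = NULL;
    char *domain = NULL;
    bool init_priv_succeeded = true;
    bool run_as_owner = allowRunAsOwner( false, false );

    // TODO..
    // Currently vmgahp for VMware VM universe can't run as user on Windows.
    // It seems like a bug of VMware. VMware command line tool such as "vmrun"
    // requires Administrator privilege.
    // So here we set name and domain with my_username and my_domainname
    // -jaeyoung 06/15/07
    if( job_universe == CONDOR_UNIVERSE_VM ) {
#if 0
        // If "VM_UNIV_NOBODY_USER" is defined in Condor configuration file,
        // wee will use it.
        char *vm_jobs_as = param("VM_UNIV_NOBODY_USER");
        if (vm_jobs_as) {
            getDomainAndName(vm_jobs_as, domain, name);
            /*
             * name and domain are now just pointers into vm_jobs_as
             * buffer.  copy these values into their own buffer so we
             * deallocate below.
             */
            if ( name ) {
                name = strdup(name);
            }
            if ( domain ) {
                domain = strdup(domain);
            }
            free(vm_jobs_as);
        }
#endif
        MyString vm_type;
        job_ad->LookupString(ATTR_JOB_VM_TYPE, vm_type);

        if( strcasecmp(vm_type.Value(), CONDOR_VM_UNIVERSE_VMWARE) == MATCH ) {
            name = my_username();
            domain = my_domainname();
        }
    }

    if( !name ) {
        if ( run_as_owner ) {
            // NOTE(review): if ATTR_NT_DOMAIN is absent, domain stays NULL
            // and init_user_ids below is called with a NULL domain.
            job_ad->LookupString(ATTR_OWNER,&name);
            job_ad->LookupString(ATTR_NT_DOMAIN,&domain);
        }
    }

    if ( !name ) {
        char slot_user[255];
        MyString slotName = "";
        slotName = Starter->getMySlotName();

        slotName.upper_case();
        // "%s" needs a C string: the MyString object itself was being passed
        // through the varargs.  Bound the write to the buffer as well.
        snprintf(slot_user, sizeof(slot_user), "%s_USER", slotName.Value());
        slot_user[sizeof(slot_user)-1] = '\0';
        char *run_jobs_as = param(slot_user);
        if (run_jobs_as) {
            getDomainAndName(run_jobs_as, domain, name);
            /*
             * name and domain are now just pointers into run_jobs_as
             * buffer.  copy these values into their own buffer so we
             * deallocate below.
             */
            if ( name ) {
                name = strdup(name);
            }
            if ( domain ) {
                domain = strdup(domain);
            }
            free(run_jobs_as);
        }
    }

    if ( name ) {

        if (!init_user_ids(name, domain)) {

            dprintf(D_ALWAYS, "Could not initialize user_priv as \"%s\\%s\".\n"
                    "\tMake sure this account's password is securely stored "
                    "with condor_store_cred.\n", domain, name );
            init_priv_succeeded = false;
        }
        else {
            // Mark the login as dedicated only when configured as such, so a
            // shared account keeps the conservative default set above.
            MyString login_name;
            joinDomainAndName(name, domain, login_name);
            if( checkDedicatedExecuteAccounts( login_name.Value() ) ) {
                setExecuteAccountIsDedicated( login_name.Value() );
            }
        }

    } else if ( !can_switch_ids() ) {
        char *u = my_username();
        char *d = my_domainname();

        if ( !init_user_ids(u, d) ) {
            // shouldn't happen - we always can get our own token
            dprintf(D_ALWAYS, "Could not initialize user_priv with our own token!\n");
            init_priv_succeeded = false;
        }
        free(u);
        free(d);
    } else if( init_user_ids("nobody", ".") ) {
        // just init a new nobody user; dynuser handles the rest.
        // the "." means Local Machine to LogonUser

        setExecuteAccountIsDedicated( get_user_loginname() );
    }
    else {

        dprintf( D_ALWAYS, "ERROR: Could not initialize user_priv "
                 "as \"nobody\"\n" );
        init_priv_succeeded = false;

    }

    if ( name ) free(name);
    if ( domain ) free(domain);

    user_priv_is_initialized = init_priv_succeeded;
    return init_priv_succeeded;
}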