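/**
 * @brief Grant the Administrators group and the service account full
 *        access to a directory and to the entries directly inside it.
 *
 * Applies secure_file2() with READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED
 * for "Administrators" and for the account returned by getlogin_full() to
 * @p path itself and then to every entry readdir() yields for it, skipping
 * "." and "..". The visible code does not descend into sub-directories,
 * although the function name suggests it might.
 *
 * @param[in] path - the target file/directory
 *
 * @return void
 */
void
make_dir_files_service_account_read(char *path)
{
	DIR *dir = NULL;
	struct dirent *pdirent = NULL;
	char dirfile[MAXPATHLEN+1];
	char *username = NULL;

	/* NOTE(review): getlogin_full() is passed straight through unchecked,
	 * as before; secure_file2() is assumed to tolerate a NULL user -- confirm */
	username = getlogin_full();
	secure_file2(path, "Administrators",
		READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
		username,
		READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED);

	dir = opendir(path);
	if (dir == NULL)
		return;

	/* errno is cleared before each readdir() so that a NULL result can be
	 * told apart from an error once the loop ends */
	while (errno = 0, (pdirent = readdir(dir)) != NULL) {
		int n;

		if (strcmp(pdirent->d_name, ".") == 0 ||
			strcmp(pdirent->d_name, "..") == 0)
			continue;

		/* bounded join: the former sprintf() could overrun dirfile when
		 * path plus the entry name exceeded MAXPATHLEN */
		n = snprintf(dirfile, sizeof(dirfile), "%s/%s", path, pdirent->d_name);
		if (n < 0 || (size_t)n >= sizeof(dirfile)) {
#ifdef DEBUG
			printf("path too long, skipping %s/%s\n", path, pdirent->d_name);
#endif
			continue;
		}

		secure_file2(dirfile, "Administrators",
			READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
			username,
			READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED);
#ifdef DEBUG
		printf("securing file %s: full access to admin and %s \n", dirfile, username);
#endif
	}
#ifdef DEBUG
	if (errno != 0 && errno != ENOENT)
		printf("readdir error; %s\n", path);
#endif
	(void)closedir(dir);
}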
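/*
 * Overwrite n bytes at p through a volatile pointer so the compiler cannot
 * drop the stores as dead code (a plain memset() right before exit may be
 * optimised away). Used to scrub the service account password.
 */
static void
wipe_buffer(char *p, size_t n)
{
	volatile char *vp = (volatile char *)p;

	while (n-- > 0)
		*vp++ = '\0';
}

/*
 * Return the value that follows option argv[i]. When it is missing, or
 * starts with '-' (i.e. looks like the next option), print msg, show the
 * usage text and exit(1), exactly as the option parser did inline before.
 * argv[argc] is NULL by the C standard, so the end of the vector is detected
 * without passing argc.
 */
static char *
require_value(char *argv[], int i, const char *msg)
{
	if ((argv[i+1] == NULL) || (argv[i+1][0] == '-')) {
		fprintf(stderr, "%s\n", msg);
		usage(argv[0]);
		exit(1);
	}
	return argv[i+1];
}

/*
 * Copy the option value src into dst, which holds cap bytes including the
 * terminator. An over-long value is rejected (message, usage, exit(1))
 * instead of overrunning dst as the former strcpy() would. what names the
 * option in the error message, prog is argv[0] for usage().
 */
static void
copy_arg_or_die(char *dst, size_t cap, const char *src, const char *what, const char *prog)
{
	if (strlen(src) >= cap) {
		fprintf(stderr, "%s too long (max %lu characters)\n",
			what, (unsigned long)(cap - 1));
		usage(prog);
		exit(1);
	}
	strcpy(dst, src);
}

/**
 * @brief
 *	main - the entry point in pbs_account_win.c
 *
 * Options are consumed left to right, so "-a <name>" must come before
 * "-p <pw>" (the -p handler immediately caches the token for
 * service_accountname):
 *   -c              create the service account (prompts for a password
 *                   unless -p was given)
 *   --ci            like -c, additionally sets for_info_only
 *   -s              grant the account SE_CREATE_TOKEN, SE_ASSIGNPRIMARYTOKEN,
 *                   SE_SERVICE_LOGON and SE_TCB
 *   -a <name>       service account name
 *   -p <password>   service account password (a password on the command
 *                   line is visible to other local users through the
 *                   process list; the interactive prompt avoids that)
 *   --reg <path>    register <path> with the SCM, running as the account
 *   --unreg <path>  unregister the service derived from <path>
 *   -o <file>       redirect stdout and stderr into <file>
 *   --instid <id>   append "_<id>" to the derived service name
 *
 * With no option at all only the existence of the service account is
 * reported.
 *
 * @param[in] argc - argument count
 * @param[in] argv - argument variables.
 *
 * @return int (via exit())
 * @retval 0 : success
 * @retval 1 : service account not found
 * @retval 2 : no privilege to query/create the account, or it is not an
 *             administrator
 * @retval 3 : add_service_account() failed
 * @retval 4 : one of the add_privilege() calls failed
 * @retval other : value returned by register_scm()/unregister_scm()
 */
int
main(int argc, char *argv[])
{
	SID *sa_sid = NULL;	/* service account SID */
	char sa_name[PBS_MAXHOSTNAME+UNLEN+2] = {'\0'};	/* service account name: domain\user\0 */
	int ret_val = 0;
	int c_opt = 0;
	int s_opt = 0;
	int R_opt = 0;
	int U_opt = 0;
	int instid_opt = 0;
	char service_bin_path[MAXPATHLEN+1] = {'\0'};
	char service_name[MAXPATHLEN+1] = {'\0'};
	int i = 0;
	char outputfile[MAXPATHLEN+1] = {'\0'};
	char instanceName[MAXPATHLEN+1] = {'\0'};
	int output_fd = -1;
	char *p = NULL;

	winsock_init();

	/* test for real deal or just version and exit */
	execution_mode(argc, argv);

	/* exec_unamef = "domain\user" of the caller, exec_dname = its domain
	 * part, or "." when there is no backslash.
	 * NOTE(review): exec_unamef and exec_dname are file-scope buffers whose
	 * sizes are not visible here, so these copies remain unbounded -- bound
	 * them with the declared sizes once confirmed. */
	strcpy(exec_unamef, getlogin_full());
	strcpy(exec_dname, ".");
	if ((p = strchr(exec_unamef, '\\'))) {
		*p = '\0';
		strcpy(exec_dname, exec_unamef);
		*p = '\\';
	}

	strcpy(sa_password, "");

	/* with no option, check only if service account exists */
	if (argc == 1) {
		int in_domain_environment = 0;
		char dname[PBS_MAXHOSTNAME+1] = {'\0'};
		char dctrl[PBS_MAXHOSTNAME+1] = {'\0'};
		wchar_t unamew[UNLEN+1] = {'\0'};
		wchar_t dctrlw[PBS_MAXHOSTNAME+1] = {'\0'};
		USER_INFO_0 *ui1_ptr = NULL;
		NET_API_STATUS netst = 0;

		/* figure out the domain controller hostname (dctrl):
		 * in a domain environment the domain name (dname) differs from the
		 * domain controller hostname; standalone, dname == dctrl */
		in_domain_environment = GetComputerDomainName(dname);
		strcpy(dctrl, dname);
		if (in_domain_environment) {
			char dname_a[PBS_MAXHOSTNAME+1];

			get_dcinfo(dname, dname_a, dctrl);
		}

		/* convert strings to "wide" format; the count is one less than the
		 * buffer so the zero-initialised last element always terminates
		 * the result (mbstowcs() does not append L'\0' when it runs out) */
		mbstowcs(unamew, service_accountname, UNLEN);
		mbstowcs(dctrlw, dctrl, PBS_MAXHOSTNAME);

		netst = wrap_NetUserGetInfo(dctrlw, unamew, 1, (LPBYTE *)&ui1_ptr);
		if (strlen(winlog_buffer) > 0)
			fprintf(stderr, "%s\n", winlog_buffer);

		if (netst == NERR_UserNotFound) {
			fprintf(stderr, "%s not found!\n", service_accountname);
			if (in_domain_environment && stricmp(exec_dname, dname) != 0) {
				fprintf(stderr, "But no privilege to create service account %s\\%s!\n",
					dname, service_accountname);
				ret_val = 2;
			} else {
				ret_val = 1;
			}
		} else if ((netst == ERROR_ACCESS_DENIED) || (netst == ERROR_LOGON_FAILURE)) {
			fprintf(stderr, "no privilege to obtain info for service account %s\\%s!\n",
				dname, service_accountname);
			ret_val = 2;
		} else {
			fprintf(stderr, "service account is %s\\%s!\n", dname, service_accountname);
			ret_val = 0;
		}
		if (ui1_ptr != NULL)
			NetApiBufferFree(ui1_ptr);
		goto end_pbs_account;
	}

	i = 1;
	while (i < argc) {
		if (strcmp(argv[i], "-c") == 0) {
			c_opt = 1;
			i++;
		} else if (strcmp(argv[i], "--ci") == 0) {
			c_opt = 1;
			for_info_only = 1;
			i++;
		} else if (strcmp(argv[i], "-s") == 0) {
			s_opt = 1;
			i++;
		} else if (strcmp(argv[i], "-a") == 0) {
			char *val = require_value(argv, i,
				"No service account name argument supplied!");

			/* NOTE(review): service_accountname is a file-scope buffer of a
			 * size not visible here; the copy stays unbounded until the
			 * declared size is confirmed */
			strcpy(service_accountname, val);
			i += 2;
		} else if (strcmp(argv[i], "-p") == 0) {
			char *val = require_value(argv, i,
				"No password argument supplied!");

			/* NOTE(review): same as service_accountname -- size of
			 * sa_password not visible here */
			strcpy(sa_password, val);
			cache_usertoken_and_homedir(service_accountname, NULL, 0,
				read_sa_password, (char *)service_accountname,
				decrypt_sa_password, 1);
			i += 2;
		} else if (strcmp(argv[i], "--reg") == 0) {
			char *val = require_value(argv, i, "No service binary path given");

			R_opt = 1;
			copy_arg_or_die(service_bin_path, sizeof(service_bin_path), val,
				"service binary path", argv[0]);
			i += 2;
		} else if (strcmp(argv[i], "--unreg") == 0) {
			char *val = require_value(argv, i, "No service binary path given");

			U_opt = 1;
			copy_arg_or_die(service_bin_path, sizeof(service_bin_path), val,
				"service binary path", argv[0]);
			i += 2;
		} else if (strcmp(argv[i], "-o") == 0) {
			char *val = require_value(argv, i,
				"No output path argument supplied!");

			copy_arg_or_die(outputfile, sizeof(outputfile), val,
				"output path", argv[0]);
			i += 2;
		} else if (strncmp(argv[i], "--instid", strlen("--instid")) == 0) {
			/* prefix match, kept from the original: anything starting with
			 * "--instid" is accepted and the id is the next argument */
			char *val = require_value(argv, i, "No instance id supplied!");

			instid_opt = 1;
			copy_arg_or_die(instanceName, sizeof(instanceName), val,
				"instance id", argv[0]);
			i += 2;
		} else {
			fprintf(stderr, "Unknown option %s\n", argv[i]);
			usage(argv[0]);
			exit(1);
		}
	}

	if (outputfile[0] != '\0') {
		/* O_CREAT without O_TRUNC, as before: an existing file is written
		 * from offset 0 and may keep a stale tail beyond the new output */
		if ((output_fd = open(outputfile, O_RDWR|O_CREAT, 0600)) != -1) {
			_dup2(output_fd, 1);	/* put stdout in file */
			_dup2(output_fd, 2);	/* put stderr in file */
		} else {
			fprintf(stderr, "cannot open output file %s; writing to console\n",
				outputfile);
		}
	}

	/* prompt for password if not supplied with -p */
	if ((c_opt || R_opt) && (sa_password[0] == '\0')) {
		prompt_to_get_password(sa_password);
		cache_usertoken_and_homedir(service_accountname, NULL, 0,
			read_sa_password, (char *)service_accountname,
			decrypt_sa_password, 1);
	}

	/* service name = basename of the binary without its extension,
	 * upper-cased, optionally suffixed with "_<instance id>" */
	if (R_opt || U_opt) {
		char *base = NULL;
		size_t k;

		strcpy(service_name, service_bin_path);	/* both MAXPATHLEN+1 */
		if ((base = strrchr(service_bin_path, '\\')))
			strcpy(service_name, base + 1);
		if ((base = strrchr(service_name, '.')))	/* remove .exe portion */
			*base = '\0';
		/* translate from lower-case to upper-case; the unsigned char cast
		 * keeps toupper() defined for bytes above 0x7f */
		for (k = 0; service_name[k] != '\0'; k++)
			service_name[k] = (char)toupper((unsigned char)service_name[k]);
		if (instid_opt) {
			strcat_s(service_name, MAXPATHLEN, "_");
			strcat_s(service_name, MAXPATHLEN, instanceName);
		}
	}

	if (c_opt) {
		if (add_service_account(sa_password) == 0) {
			ret_val = 3;
			goto end_pbs_account;
		}
	}

	/* -s and --reg both need the account's SID and require it to be
	 * an administrator */
	if (s_opt || R_opt) {
		sa_sid = getusersid2(service_accountname, sa_name);
		if (sa_sid == NULL) {
			fprintf(stderr, "%s not found!\n", service_accountname);
			ret_val = 1;
			goto end_pbs_account;
		}
		if (!isAdminPrivilege(service_accountname)) {
			fprintf(stderr, "%s is not ADMIN! - %s\n",
				service_accountname, winlog_buffer);
			ret_val = 2;
			goto end_pbs_account;
		}
	}

	if (s_opt) {
		int r1, r2, r3, r4;

		printf("Setting the following privileges to %s:\n", sa_name);
		r1 = add_privilege(sa_sid, SE_CREATE_TOKEN_NAME);
		r2 = add_privilege(sa_sid, SE_ASSIGNPRIMARYTOKEN_NAME);
		r3 = add_privilege(sa_sid, SE_SERVICE_LOGON_NAME);
		r4 = add_privilege(sa_sid, SE_TCB_NAME);
		if ((r1 != 0) || (r2 != 0) || (r3 != 0) || (r4 != 0)) {
			ret_val = 4;
			goto end_pbs_account;
		}
	}

	if (R_opt)
		ret_val = register_scm(__TEXT(service_name), service_bin_path,
			sa_name, sa_password);

	if (U_opt)
		ret_val = unregister_scm(__TEXT(service_name));

end_pbs_account:
	if (sa_sid != NULL)
		LocalFree(sa_sid);
	/* scrub the password before the process exits; wipe_buffer() is not
	 * subject to the dead-store elimination a plain memset() would be */
	if (sa_password[0] != '\0')
		wipe_buffer((char *)sa_password, strlen(sa_password));
	if (output_fd != -1)
		(void)close(output_fd);
	exit(ret_val);
}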
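/*
 * Format "<pbs_home_path>/<suffix>" into dst (cap bytes). Returns 1 on
 * success; returns 0 after logging when the result would not fit, so the
 * caller skips that path instead of overrunning dst as the former
 * sprintf() could.
 */
static int
mom_home_path(char *dst, size_t cap, const char *suffix)
{
	int n = snprintf(dst, cap, "%s/%s", pbs_conf.pbs_home_path, suffix);

	if (n < 0 || (size_t)n >= cap) {
		char logb[LOG_BUF_SIZE] = {'\0'};

		snprintf(logb, sizeof(logb), "path too long: %s/%s",
			pbs_conf.pbs_home_path, suffix);
		log_err(-1, "secure_mom_files", logb);
		return 0;
	}
	return 1;
}

/*
 * Case-insensitive test for a ".bat" suffix. This is what the former
 * strrchr()/strlen()-4 arithmetic amounted to, without the size_t
 * underflow that occurred when fewer than four characters followed the
 * last '.'.
 */
static int
mom_is_bat_file(const char *name)
{
	size_t len = strlen(name);

	return (len >= 4) && (strcmpi(name + len - 4, ".bat") == 0);
}

/* Emit msg as a PBS_EVENTCLASS_FILE debug event. */
static void
mom_log_debug(char *msg)
{
	log_event(PBSEVENT_SYSTEM | PBSEVENT_ADMIN | PBSEVENT_FORCE | PBSEVENT_DEBUG,
		PBS_EVENTCLASS_FILE, LOG_DEBUG, "", msg);
}

/**
 * @brief
 *	Secures all the files' permissions (and recreates directories)
 *	that are related to the pbs_mom service.
 *
 * Under pbs_conf.pbs_home_path:
 *   mom_priv            created readable by everyone; every *.bat file
 *                       directly inside it becomes Administrators
 *                       read/write, Everyone read
 *   mom_priv/config     created if missing (OPEN_ALWAYS), then restricted
 *                       to Administrators and the current user
 *   mom_logs, mom_priv/jobs
 *                       created readable by everyone
 *   mom_priv/hooks, mom_priv/hooks/tmp
 *                       created with full access for administrators and
 *                       the service account
 * Does nothing (after logging) when pbs_home_path is unset.
 */
void
secure_mom_files(void)
{
	DIR *dir = NULL;
	char path[MAXPATHLEN+1];
	HANDLE hfile;
	char *username = NULL;
	char logb[LOG_BUF_SIZE] = {'\0'};

	if (pbs_conf.pbs_home_path == NULL) {
		snprintf(logb, sizeof(logb), "no home_path!");
		log_err(-1, "secure_mom_files", logb);
		return;
	}
	username = getlogin_full();

	if (mom_home_path(path, sizeof(path), "mom_priv")) {
		create_dir_everyone_read(path);
		dir = opendir(path);
		if (dir != NULL) {
			struct dirent *pdirent = NULL;
			char fpath[MAXPATHLEN+1];

			/* errno is cleared before each readdir() so a NULL result can be
			 * told apart from an error once the loop ends */
			while (errno = 0, (pdirent = readdir(dir)) != NULL) {
				int n;

				if (!mom_is_bat_file(pdirent->d_name))
					continue;

				n = snprintf(fpath, sizeof(fpath), "%s/%s", path, pdirent->d_name);
				if (n < 0 || (size_t)n >= sizeof(fpath)) {
					snprintf(logb, sizeof(logb), "path too long, skipping %s/%s",
						path, pdirent->d_name);
					log_err(-1, "secure_mom_files", logb);
					continue;
				}

				snprintf(logb, sizeof(logb), "securing file %s", fpath);
				mom_log_debug(logb);
				secure_file2(fpath, "Administrators",
					READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
					"\\Everyone", READS_MASK|READ_CONTROL);
			}
			if (errno != 0 && errno != ENOENT) {
				snprintf(logb, sizeof(logb), "readdir error; %s", path);
				log_err(-1, "secure_mom_files", logb);
			}
			(void)closedir(dir);
		}
	}

	if (mom_home_path(path, sizeof(path), "mom_priv/config")) {
		/* OPEN_ALWAYS opens an existing file untouched or creates an empty
		 * one; the "created file" line below is logged in both cases */
		hfile = CreateFile(path, GENERIC_WRITE, FILE_SHARE_WRITE, 0,
			OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
		if (hfile != INVALID_HANDLE_VALUE) {
			snprintf(logb, sizeof(logb), "created file %s", path);
			mom_log_debug(logb);
			CloseHandle(hfile);
		}
		snprintf(logb, sizeof(logb), "securing %s for admin-only access", path);
		mom_log_debug(logb);
		secure_file2(path, "Administrators",
			READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
			username,
			READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED);
	}

	if (mom_home_path(path, sizeof(path), "mom_logs"))
		create_dir_everyone_read(path);

	if (mom_home_path(path, sizeof(path), "mom_priv/jobs"))
		create_dir_everyone_read(path);

	/* parent before child: hooks must exist before hooks/tmp */
	if (mom_home_path(path, sizeof(path), "mom_priv/hooks"))
		create_dir_admin_service_account_full_access(path);

	if (mom_home_path(path, sizeof(path), "mom_priv/hooks/tmp"))
		create_dir_admin_service_account_full_access(path);
}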
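/*
 * Format "<base>/<suffix>" into dst (cap bytes). Returns 1 on success;
 * returns 0 after logging when base is NULL or the result would not fit,
 * so the caller skips that path instead of overrunning dst as the former
 * sprintf() could (which also had no NULL check for pbs_exec_path).
 */
static int
server_home_path(char *dst, size_t cap, const char *base, const char *suffix)
{
	char logb[LOG_BUF_SIZE] = {'\0'};
	int n;

	if (base == NULL) {
		snprintf(logb, sizeof(logb), "no base path for %s", suffix);
		log_err(-1, "secure_server_files", logb);
		return 0;
	}
	n = snprintf(dst, cap, "%s/%s", base, suffix);
	if (n < 0 || (size_t)n >= cap) {
		snprintf(logb, sizeof(logb), "path too long: %s/%s", base, suffix);
		log_err(-1, "secure_server_files", logb);
		return 0;
	}
	return 1;
}

/* Emit msg as a PBS_EVENTCLASS_FILE debug event. */
static void
server_log_debug(char *msg)
{
	log_event(PBSEVENT_SYSTEM | PBSEVENT_ADMIN | PBSEVENT_FORCE | PBSEVENT_DEBUG,
		PBS_EVENTCLASS_FILE, LOG_DEBUG, "", msg);
}

/*
 * Log "securing <path> for admin-only access" and restrict path to
 * read/write for the Administrators group and for username.
 */
static void
server_secure_admin_file(char *path, char *username)
{
	char logb[LOG_BUF_SIZE] = {'\0'};

	snprintf(logb, sizeof(logb), "securing %s for admin-only access", path);
	server_log_debug(logb);
	secure_file2(path, "Administrators",
		READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
		username,
		READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED);
}

/**
 * @brief Secures all the files' permissions (and recreates directories)
 *        that are related to the pbs_server service.
 *
 * Under pbs_conf.pbs_home_path:
 *   server_priv and its jobs, users, hooks, hooks/tmp sub-directories
 *                           created with full access for administrators
 *                           and the service account (parents first)
 *   server_priv/license_file, server_priv/svrlive
 *                           restricted to Administrators and the current
 *                           user (see the svrlive note below)
 *   server_priv/resourcedef created if missing (OPEN_ALWAYS), then
 *                           restricted the same way
 *   server_logs, server_priv/accounting
 *                           created readable by everyone
 * Under pbs_conf.pbs_exec_path:
 *   lib/python              made readable by everyone, recursively via
 *                           make_dir_files_everyone_read()
 * Finally delegates to secure_server_datastore_files(). Does nothing
 * (after logging) when pbs_home_path is unset.
 *
 * @return void
 */
void
secure_server_files(void)
{
	static const char *const full_access_dirs[] = {
		"server_priv",
		"server_priv/jobs",
		"server_priv/users",
		"server_priv/hooks",
		"server_priv/hooks/tmp",
	};
	char path[MAXPATHLEN+1];
	HANDLE hfile;
	char *username = NULL;
	char logb[LOG_BUF_SIZE] = {'\0'};
	size_t k;

	if (pbs_conf.pbs_home_path == NULL) {
		snprintf(logb, sizeof(logb), "no home_path!");
		log_err(-1, "secure_server_files", logb);
		return;
	}
	username = getlogin_full();

	/* order matters: each parent is created before its children */
	for (k = 0; k < sizeof(full_access_dirs) / sizeof(full_access_dirs[0]); k++) {
		if (server_home_path(path, sizeof(path), pbs_conf.pbs_home_path,
				full_access_dirs[k]))
			create_dir_admin_service_account_full_access(path);
	}

	if (server_home_path(path, sizeof(path), pbs_conf.pbs_home_path,
			"server_priv/license_file"))
		secure_file2(path, "Administrators",
			READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED,
			username,
			READS_MASK|WRITES_MASK|STANDARD_RIGHTS_REQUIRED);

	if (server_home_path(path, sizeof(path), pbs_conf.pbs_home_path,
			"server_priv/resourcedef")) {
		/* OPEN_ALWAYS opens an existing file untouched or creates an empty
		 * one; the "created file" line below is logged in both cases */
		hfile = CreateFile(path, GENERIC_WRITE, FILE_SHARE_WRITE, 0,
			OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
		if (hfile != INVALID_HANDLE_VALUE) {
			snprintf(logb, sizeof(logb), "created file %s", path);
			server_log_debug(logb);
			CloseHandle(hfile);
		}
		server_secure_admin_file(path, username);
	}

	if (server_home_path(path, sizeof(path), pbs_conf.pbs_home_path, "server_logs"))
		create_dir_everyone_read(path);

	if (server_home_path(path, sizeof(path), pbs_conf.pbs_home_path,
			"server_priv/accounting"))
		create_dir_everyone_read(path);

	if (server_home_path(path, sizeof(path), pbs_conf.pbs_exec_path, "lib/python"))
		make_dir_files_everyone_read(path);

	/*
	 * Permissions of the file $PBS_HOME/server_priv/svrlive, on creation, is set to
	 * read/write for administrator group. However, on Windows Vista, a combination of a
	 * reboot after installation and permission setting on server_priv (earlier in this
	 * function) changes the permission of the svrlive file, thus disallowing server
	 * database saves (resulting in cascading failures, e.g., job submission). Thus we
	 * "reset" the permissions on the svrlive file here to what it is supposed to be.
	 */
	if (server_home_path(path, sizeof(path), pbs_conf.pbs_home_path,
			"server_priv/svrlive"))
		server_secure_admin_file(path, username);

	secure_server_datastore_files();
}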