2 * Unix SMB/CIFS implementation.
6 * Copyright (c) 2005 Marcin Krzysztof Porwit
7 * Copyright (c) 2005 Gerald (Jerry) Carter
8 * Copyright (c) 2011 Andreas Schneider <asn@samba.org>
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 3 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, see <http://www.gnu.org/licenses/>.
25 #include "services/services.h"
26 #include "services/svc_winreg_glue.h"
27 #include "rpc_client/cli_winreg_int.h"
28 #include "rpc_client/cli_winreg.h"
29 #include "../librpc/gen_ndr/ndr_winreg_c.h"
30 #include "../libcli/security/security.h"
32 #define TOP_LEVEL_SERVICES_KEY "SYSTEM\\CurrentControlSet\\Services"
34 struct security_descriptor
* svcctl_gen_service_sd(TALLOC_CTX
*mem_ctx
)
36 struct security_descriptor
*sd
= NULL
;
37 struct security_acl
*theacl
= NULL
;
38 struct security_ace ace
[4];
42 /* Basic access for everyone */
43 init_sec_ace(&ace
[i
++], &global_sid_World
,
44 SEC_ACE_TYPE_ACCESS_ALLOWED
, SERVICE_READ_ACCESS
, 0);
46 init_sec_ace(&ace
[i
++], &global_sid_Builtin_Power_Users
,
47 SEC_ACE_TYPE_ACCESS_ALLOWED
, SERVICE_EXECUTE_ACCESS
, 0);
49 init_sec_ace(&ace
[i
++], &global_sid_Builtin_Server_Operators
,
50 SEC_ACE_TYPE_ACCESS_ALLOWED
, SERVICE_ALL_ACCESS
, 0);
51 init_sec_ace(&ace
[i
++], &global_sid_Builtin_Administrators
,
52 SEC_ACE_TYPE_ACCESS_ALLOWED
, SERVICE_ALL_ACCESS
, 0);
54 /* Create the security descriptor */
55 theacl
= make_sec_acl(mem_ctx
,
63 sd
= make_sec_desc(mem_ctx
,
64 SECURITY_DESCRIPTOR_REVISION_1
,
65 SEC_DESC_SELF_RELATIVE
,
78 struct security_descriptor
*svcctl_get_secdesc(TALLOC_CTX
*mem_ctx
,
79 struct messaging_context
*msg_ctx
,
80 const struct auth_session_info
*session_info
,
83 struct dcerpc_binding_handle
*h
= NULL
;
84 uint32_t access_mask
= SEC_FLAG_MAXIMUM_ALLOWED
;
85 struct policy_handle hive_hnd
, key_hnd
;
86 struct security_descriptor
*sd
= NULL
;
89 WERROR result
= WERR_OK
;
91 key
= talloc_asprintf(mem_ctx
,
93 TOP_LEVEL_SERVICES_KEY
, name
);
98 status
= dcerpc_winreg_int_hklm_openkey(mem_ctx
,
108 if (!NT_STATUS_IS_OK(status
)) {
109 DEBUG(2, ("svcctl_set_secdesc: Could not open %s - %s\n",
110 key
, nt_errstr(status
)));
113 if (!W_ERROR_IS_OK(result
)) {
114 DEBUG(2, ("svcctl_set_secdesc: Could not open %s - %s\n",
115 key
, win_errstr(result
)));
119 status
= dcerpc_winreg_query_sd(mem_ctx
,
125 if (!NT_STATUS_IS_OK(status
)) {
126 DEBUG(2, ("svcctl_get_secdesc: error getting value 'Security': "
127 "%s\n", nt_errstr(status
)));
130 if (W_ERROR_EQUAL(result
, WERR_FILE_NOT_FOUND
)) {
131 goto fallback_to_default_sd
;
132 } else if (!W_ERROR_IS_OK(result
)) {
133 DEBUG(2, ("svcctl_get_secdesc: error getting value 'Security': "
134 "%s\n", win_errstr(result
)));
140 fallback_to_default_sd
:
141 DEBUG(6, ("svcctl_get_secdesc: constructing default secdesc for "
142 "service [%s]\n", name
));
143 sd
= svcctl_gen_service_sd(mem_ctx
);
149 bool svcctl_set_secdesc(struct messaging_context
*msg_ctx
,
150 const struct auth_session_info
*session_info
,
152 struct security_descriptor
*sd
)
154 struct dcerpc_binding_handle
*h
= NULL
;
155 uint32_t access_mask
= SEC_FLAG_MAXIMUM_ALLOWED
;
156 struct policy_handle hive_hnd
;
157 struct policy_handle key_hnd
= { 0, };
162 WERROR result
= WERR_OK
;
164 tmp_ctx
= talloc_stackframe();
165 if (tmp_ctx
== NULL
) {
169 key
= talloc_asprintf(tmp_ctx
, "%s\\%s", TOP_LEVEL_SERVICES_KEY
, name
);
174 status
= dcerpc_winreg_int_hklm_openkey(tmp_ctx
,
184 if (!NT_STATUS_IS_OK(status
)) {
185 DEBUG(0, ("svcctl_set_secdesc: Could not open %s - %s\n",
186 key
, nt_errstr(status
)));
189 if (!W_ERROR_IS_OK(result
)) {
190 DEBUG(0, ("svcctl_set_secdesc: Could not open %s - %s\n",
191 key
, win_errstr(result
)));
195 if (is_valid_policy_hnd(&key_hnd
)) {
196 dcerpc_winreg_CloseKey(h
, tmp_ctx
, &key_hnd
, &result
);
200 enum winreg_CreateAction action
= REG_ACTION_NONE
;
201 struct winreg_String wkey
= { 0, };
202 struct winreg_String wkeyclass
;
204 wkey
.name
= talloc_asprintf(tmp_ctx
, "%s\\Security", key
);
205 if (wkey
.name
== NULL
) {
206 result
= WERR_NOT_ENOUGH_MEMORY
;
210 ZERO_STRUCT(wkeyclass
);
213 status
= dcerpc_winreg_CreateKey(h
,
224 if (!NT_STATUS_IS_OK(status
)) {
225 DEBUG(2, ("svcctl_set_secdesc: Could not create key %s: %s\n",
226 wkey
.name
, nt_errstr(status
)));
229 if (!W_ERROR_IS_OK(result
)) {
230 DEBUG(2, ("svcctl_set_secdesc: Could not create key %s: %s\n",
231 wkey
.name
, win_errstr(result
)));
235 status
= dcerpc_winreg_set_sd(tmp_ctx
,
241 if (!NT_STATUS_IS_OK(status
)) {
244 if (!W_ERROR_IS_OK(result
)) {
252 if (is_valid_policy_hnd(&key_hnd
)) {
253 dcerpc_winreg_CloseKey(h
, tmp_ctx
, &key_hnd
, &result
);
256 talloc_free(tmp_ctx
);
260 const char *svcctl_get_string_value(TALLOC_CTX
*mem_ctx
,
261 struct messaging_context
*msg_ctx
,
262 const struct auth_session_info
*session_info
,
263 const char *key_name
,
264 const char *value_name
)
266 struct dcerpc_binding_handle
*h
= NULL
;
267 uint32_t access_mask
= SEC_FLAG_MAXIMUM_ALLOWED
;
268 struct policy_handle hive_hnd
, key_hnd
;
269 const char *data
= NULL
;
273 WERROR result
= WERR_OK
;
275 tmp_ctx
= talloc_stackframe();
276 if (tmp_ctx
== NULL
) {
280 path
= talloc_asprintf(tmp_ctx
, "%s\\%s",
281 TOP_LEVEL_SERVICES_KEY
, key_name
);
286 status
= dcerpc_winreg_int_hklm_openkey(tmp_ctx
,
296 if (!NT_STATUS_IS_OK(status
)) {
297 DEBUG(2, ("svcctl_get_string_value: Could not open %s - %s\n",
298 path
, nt_errstr(status
)));
301 if (!W_ERROR_IS_OK(result
)) {
302 DEBUG(2, ("svcctl_get_string_value: Could not open %s - %s\n",
303 path
, win_errstr(result
)));
307 status
= dcerpc_winreg_query_sz(mem_ctx
,
315 talloc_free(tmp_ctx
);
319 /********************************************************************
320 ********************************************************************/
322 const char *svcctl_lookup_dispname(TALLOC_CTX
*mem_ctx
,
323 struct messaging_context
*msg_ctx
,
324 const struct auth_session_info
*session_info
,
327 const char *display_name
= NULL
;
329 display_name
= svcctl_get_string_value(mem_ctx
,
335 if (display_name
== NULL
) {
336 display_name
= talloc_strdup(mem_ctx
, name
);
342 /********************************************************************
343 ********************************************************************/
345 const char *svcctl_lookup_description(TALLOC_CTX
*mem_ctx
,
346 struct messaging_context
*msg_ctx
,
347 const struct auth_session_info
*session_info
,
350 const char *description
= NULL
;
352 description
= svcctl_get_string_value(mem_ctx
,
358 if (description
== NULL
) {
359 description
= talloc_strdup(mem_ctx
, "Unix Service");
365 /* vim: set ts=8 sw=8 noet cindent syntax=c.doxygen: */