2 * Unix SMB/CIFS implementation.
6 * Copyright (c) 2005 Marcin Krzysztof Porwit
7 * Copyright (c) 2005 Gerald (Jerry) Carter
8 * Copyright (c) 2011 Andreas Schneider <asn@samba.org>
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 3 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, see <http://www.gnu.org/licenses/>.
25 #include "services/services.h"
26 #include "services/svc_winreg_glue.h"
27 #include "rpc_client/cli_winreg_int.h"
28 #include "rpc_client/cli_winreg.h"
29 #include "../librpc/gen_ndr/ndr_winreg_c.h"
30 #include "../libcli/security/security.h"
32 #define TOP_LEVEL_SERVICES_KEY "SYSTEM\\CurrentControlSet\\Services"
34 struct security_descriptor* svcctl_gen_service_sd(TALLOC_CTX *mem_ctx)
36 struct security_descriptor *sd = NULL;
37 struct security_acl *theacl = NULL;
38 struct security_ace ace[4];
42 /* Basic access for everyone */
43 init_sec_ace(&ace[i++], &global_sid_World,
44 SEC_ACE_TYPE_ACCESS_ALLOWED, SERVICE_READ_ACCESS, 0);
46 init_sec_ace(&ace[i++], &global_sid_Builtin_Power_Users,
47 SEC_ACE_TYPE_ACCESS_ALLOWED, SERVICE_EXECUTE_ACCESS, 0);
49 init_sec_ace(&ace[i++], &global_sid_Builtin_Server_Operators,
50 SEC_ACE_TYPE_ACCESS_ALLOWED, SERVICE_ALL_ACCESS, 0);
51 init_sec_ace(&ace[i++], &global_sid_Builtin_Administrators,
52 SEC_ACE_TYPE_ACCESS_ALLOWED, SERVICE_ALL_ACCESS, 0);
54 /* Create the security descriptor */
55 theacl = make_sec_acl(mem_ctx,
63 sd = make_sec_desc(mem_ctx,
64 SECURITY_DESCRIPTOR_REVISION_1,
65 SEC_DESC_SELF_RELATIVE,
78 struct security_descriptor *svcctl_get_secdesc(TALLOC_CTX *mem_ctx,
79 struct messaging_context *msg_ctx,
80 const struct auth_session_info *session_info,
83 struct dcerpc_binding_handle *h = NULL;
84 uint32_t access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
85 struct policy_handle hive_hnd, key_hnd;
86 struct security_descriptor *sd = NULL;
89 WERROR result = WERR_OK;
91 key = talloc_asprintf(mem_ctx,
93 TOP_LEVEL_SERVICES_KEY, name);
98 status = dcerpc_winreg_int_hklm_openkey(mem_ctx,
108 if (!NT_STATUS_IS_OK(status)) {
109 DEBUG(2, ("svcctl_set_secdesc: Could not open %s - %s\n",
110 key, nt_errstr(status)));
113 if (!W_ERROR_IS_OK(result)) {
114 DEBUG(2, ("svcctl_set_secdesc: Could not open %s - %s\n",
115 key, win_errstr(result)));
119 status = dcerpc_winreg_query_sd(mem_ctx,
125 if (!NT_STATUS_IS_OK(status)) {
126 DEBUG(2, ("svcctl_get_secdesc: error getting value 'Security': "
127 "%s\n", nt_errstr(status)));
130 if (W_ERROR_EQUAL(result, WERR_BADFILE)) {
131 goto fallback_to_default_sd;
132 } else if (!W_ERROR_IS_OK(result)) {
133 DEBUG(2, ("svcctl_get_secdesc: error getting value 'Security': "
134 "%s\n", win_errstr(result)));
140 fallback_to_default_sd:
141 DEBUG(6, ("svcctl_get_secdesc: constructing default secdesc for "
142 "service [%s]\n", name));
143 sd = svcctl_gen_service_sd(mem_ctx);
149 bool svcctl_set_secdesc(struct messaging_context *msg_ctx,
150 const struct auth_session_info *session_info,
152 struct security_descriptor *sd)
154 struct dcerpc_binding_handle *h = NULL;
155 uint32_t access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
156 struct policy_handle hive_hnd;
157 struct policy_handle key_hnd = { 0, };
162 WERROR result = WERR_OK;
164 tmp_ctx = talloc_stackframe();
165 if (tmp_ctx == NULL) {
169 key = talloc_asprintf(tmp_ctx, "%s\\%s", TOP_LEVEL_SERVICES_KEY, name);
174 status = dcerpc_winreg_int_hklm_openkey(tmp_ctx,
184 if (!NT_STATUS_IS_OK(status)) {
185 DEBUG(0, ("svcctl_set_secdesc: Could not open %s - %s\n",
186 key, nt_errstr(status)));
189 if (!W_ERROR_IS_OK(result)) {
190 DEBUG(0, ("svcctl_set_secdesc: Could not open %s - %s\n",
191 key, win_errstr(result)));
195 if (is_valid_policy_hnd(&key_hnd)) {
196 dcerpc_winreg_CloseKey(h, tmp_ctx, &key_hnd, &result);
200 enum winreg_CreateAction action = REG_ACTION_NONE;
201 struct winreg_String wkey = { 0, };
202 struct winreg_String wkeyclass;
204 wkey.name = talloc_asprintf(tmp_ctx, "%s\\Security", key);
205 if (wkey.name == NULL) {
210 ZERO_STRUCT(wkeyclass);
213 status = dcerpc_winreg_CreateKey(h,
224 if (!NT_STATUS_IS_OK(status)) {
225 DEBUG(2, ("svcctl_set_secdesc: Could not create key %s: %s\n",
226 wkey.name, nt_errstr(status)));
229 if (!W_ERROR_IS_OK(result)) {
230 DEBUG(2, ("svcctl_set_secdesc: Could not create key %s: %s\n",
231 wkey.name, win_errstr(result)));
235 status = dcerpc_winreg_set_sd(tmp_ctx,
241 if (!NT_STATUS_IS_OK(status)) {
244 if (!W_ERROR_IS_OK(result)) {
252 if (is_valid_policy_hnd(&key_hnd)) {
253 dcerpc_winreg_CloseKey(h, tmp_ctx, &key_hnd, &result);
256 talloc_free(tmp_ctx);
260 const char *svcctl_get_string_value(TALLOC_CTX *mem_ctx,
261 struct messaging_context *msg_ctx,
262 const struct auth_session_info *session_info,
263 const char *key_name,
264 const char *value_name)
266 struct dcerpc_binding_handle *h = NULL;
267 uint32_t access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
268 struct policy_handle hive_hnd, key_hnd;
269 const char *data = NULL;
273 WERROR result = WERR_OK;
275 tmp_ctx = talloc_stackframe();
276 if (tmp_ctx == NULL) {
280 path = talloc_asprintf(tmp_ctx, "%s\\%s",
281 TOP_LEVEL_SERVICES_KEY, key_name);
286 status = dcerpc_winreg_int_hklm_openkey(tmp_ctx,
296 if (!NT_STATUS_IS_OK(status)) {
297 DEBUG(2, ("svcctl_get_string_value: Could not open %s - %s\n",
298 path, nt_errstr(status)));
301 if (!W_ERROR_IS_OK(result)) {
302 DEBUG(2, ("svcctl_get_string_value: Could not open %s - %s\n",
303 path, win_errstr(result)));
307 status = dcerpc_winreg_query_sz(mem_ctx,
315 talloc_free(tmp_ctx);
319 /********************************************************************
320 ********************************************************************/
322 const char *svcctl_lookup_dispname(TALLOC_CTX *mem_ctx,
323 struct messaging_context *msg_ctx,
324 const struct auth_session_info *session_info,
327 const char *display_name = NULL;
329 display_name = svcctl_get_string_value(mem_ctx,
335 if (display_name == NULL) {
336 display_name = talloc_strdup(mem_ctx, name);
342 /********************************************************************
343 ********************************************************************/
345 const char *svcctl_lookup_description(TALLOC_CTX *mem_ctx,
346 struct messaging_context *msg_ctx,
347 const struct auth_session_info *session_info,
350 const char *description = NULL;
352 description = svcctl_get_string_value(mem_ctx,
358 if (description == NULL) {
359 description = talloc_strdup(mem_ctx, "Unix Service");
365 /* vim: set ts=8 sw=8 noet cindent syntax=c.doxygen: */