Ejemplo n.º 1
0
 def add_user_privilege(self, privilege):
   try:
     acc_sid = win32security.LookupAccountName(self.dcName, self.userName)[0]
     win32security.LsaAddAccountRights(self._policy, acc_sid, (privilege,))
   except pywintypes.error as e:
     return UserHelper.ACTION_FAILED, e.strerror
   return UserHelper.ACTION_OK, "Privilege added."
Ejemplo n.º 2
0
 def user_rights_policy(self, policy):
     actual_users = []
     granted = []
     deleted = []
     for val in win32security.LsaEnumerateAccountsWithUserRight(win32security.LsaOpenPolicy("", 25), policy["right_type"]):
         actual_users.append(win32security.LookupAccountSid(None, val)[0])
     file_users = policy["value_data"]
     if (file_users == '' or file_users == "Undefined") and len(actual_users) != 0:
         for user in actual_users:
             try:
                 win32security.LsaRemoveAccountRights(win32security.LsaOpenPolicy("", 25), win32security.LookupAccountName(None, user)[0], 0, [policy["right_type"]])
                 deleted.append(user)
             except Exception as e:
                 continue
         return {"status": 0, "msg": {"granted": granted, "deleted": deleted}}
     
     file_users = file_users.replace("'", "").replace('"', '').split('&&')
     file_users = [user.strip() for user in file_users]
     for user in file_users:
         try:
             if user not in actual_users:
                 win32security.LsaAddAccountRights(win32security.LsaOpenPolicy("", 25), win32security.LookupAccountName(None, user)[0], [policy["right_type"]])
                 granted.append(user)
         except Exception as e:
             continue
     for user in actual_users:
         try:
             if user not in file_users:
                 win32security.LsaRemoveAccountRights(win32security.LsaOpenPolicy("", 25), win32security.LookupAccountName(None, user)[0], 0, [policy["right_type"]])
                 deleted.append(user)
         except Exception as e:
             continue
     return {"status": 0, "msg": {"granted": granted, "deleted": deleted}}
Ejemplo n.º 3
0
def ConfigureLogOnAsAServicePolicy(accountName):
    # Modifies LocalSecurityPolicy to allow run buildbot as specified user
    # You can do it manually by running "secpol.msc"
    # Open Local Policies > User Rights Assignment > Log on as a service
    # Add User or Group...
    #
    # Args:
    #  accountName(str): fully qualified string in the domain_name\user_name format.
    #                    use ".\user_name" format for local account
    SE_SERVICE_LOGON_RIGHT = "SeServiceLogonRight"
    try:
        if "\\" not in accountName or accountName.startswith(".\\"):
            computerName = os.environ['COMPUTERNAME']
            if not computerName:
                computerName = win32api.GetComputerName()
                if not computerName:
                    print("error: Cannot determine computer name")
                    return
            accountName = "{}\\{}".format(computerName,
                                          accountName.lstrip(".\\"))

        account = win32security.LookupAccountName(None, accountName)
        accountSid = account[0]
        sid = win32security.ConvertSidToStringSid(accountSid)
    except win32api.error as err:
        print("error {} ({}): {}".format(err.winerror, err.funcname,
                                         err.strerror))
        return

    with GetLocalSecurityPolicyHandle(
            '', win32security.POLICY_ALL_ACCESS) as policy:
        win32security.LsaAddAccountRights(policy, accountSid,
                                          [SE_SERVICE_LOGON_RIGHT])

    # verify if policy was really modified
    with GetLocalSecurityPolicyHandle(
            '', win32security.POLICY_ALL_ACCESS) as policy:
        try:
            privileges = win32security.LsaEnumerateAccountRights(
                policy, accountSid)
        except win32api.error as err:
            # If no account rights are found or if the function fails for any other reason,
            # the function returns throws winerror.ERROR_FILE_NOT_FOUND or any other
            print("error {} ({}): {}".format(err.winerror, err.funcname,
                                             err.strerror))
            privileges = []

        if SE_SERVICE_LOGON_RIGHT in privileges:
            print("Account {}({}) has granted {} privilege.".format(
                accountName, sid, SE_SERVICE_LOGON_RIGHT))
        else:
            print("error: Account {}({}) does not have {} privilege.".format(
                accountName, sid, SE_SERVICE_LOGON_RIGHT))
Ejemplo n.º 4
0
 def user_rights_policy(self, policy, val):
     granted = val["granted"]
     deleted = val["deleted"]
     for user in granted:
         try:
             win32security.LsaRemoveAccountRights(
                 win32security.LsaOpenPolicy("", 25),
                 win32security.LookupAccountName(None, user)[0], 0,
                 [policy["right_type"]])
         except Exception as e:
             continue
     for user in deleted:
         try:
             win32security.LsaAddAccountRights(
                 win32security.LsaOpenPolicy("", 25),
                 win32security.LookupAccountName(None, user)[0],
                 [policy["right_type"]])
         except Exception as e:
             continue
     return {"status": 0, "msg": "Success"}
Ejemplo n.º 5
0
     win32con.SE_PRIVILEGE_ENABLED)  ##doesn't seem to be in ntsecuritycon.py ?
)

ph = win32api.GetCurrentProcess()
th = win32security.OpenProcessToken(
    ph, win32security.TOKEN_ALL_ACCESS)  ##win32con.TOKEN_ADJUST_PRIVILEGES)
win32security.AdjustTokenPrivileges(th, 0, new_privs)

policy_handle = win32security.GetPolicyHandle('',
                                              win32security.POLICY_ALL_ACCESS)
tmp_sid = win32security.LookupAccountName('', 'tmp')[0]

privs = [
    ntsecuritycon.SE_DEBUG_NAME, ntsecuritycon.SE_TCB_NAME,
    ntsecuritycon.SE_RESTORE_NAME, ntsecuritycon.SE_REMOTE_SHUTDOWN_NAME
]
win32security.LsaAddAccountRights(policy_handle, tmp_sid, privs)

privlist = win32security.LsaEnumerateAccountRights(policy_handle, tmp_sid)
for priv in privlist:
    print(priv)

privs = [ntsecuritycon.SE_DEBUG_NAME, ntsecuritycon.SE_TCB_NAME]
win32security.LsaRemoveAccountRights(policy_handle, tmp_sid, 0, privs)

privlist = win32security.LsaEnumerateAccountRights(policy_handle, tmp_sid)
for priv in privlist:
    print(priv)

win32security.LsaClose(policy_handle)
Ejemplo n.º 6
0
    def startasync(self, args, config):
        """
        First checks for a valid installation, then checks the grid,
        then registers the action: "node HOST start"
        """

        self.check_access(config=config)
        self.checkice()
        self.check_node(args)
        if self._isWindows():
            self.checkwindows(args)

        if 0 == self.status(args, node_only=True):
            self.ctx.die(876, "Server already running")

        self._initDir()
        # Do a check to see if we've started before.
        self._regdata()
        self.check([])

        user = args.user
        pasw = args.password
        descript = self._descript(args)

        if self._isWindows():
            svc_name = "OMERO.%s" % args.node
            output = self._query_service(svc_name)

            # Now check if the server exists
            if 0 <= output.find("DOESNOTEXIST"):
                binpath = """icegridnode.exe "%s" --deploy "%s" --service\
                %s""" % (self._icecfg(), descript, svc_name)

                # By default: "NT Authority\Local System"
                if not user:
                    try:
                        user = config.as_map()["omero.windows.user"]
                    except KeyError:
                        user = None
                if user is not None and len(user) > 0:
                    if not "\\" in user:
                        computername = win32api.GetComputerName()
                        user = "******".join([computername, user])
                    try:
                        # See #9967, code based on http://mail.python.org/\
                        # pipermail/python-win32/2010-October/010791.html
                        self.ctx.out("Granting SeServiceLogonRight to service"
                                     " user \"%s\"" % user)
                        policy_handle = win32security.LsaOpenPolicy(
                            None, win32security.POLICY_ALL_ACCESS)
                        sid_obj, domain, tmp = \
                            win32security.LookupAccountName(None, user)
                        win32security.LsaAddAccountRights(
                            policy_handle, sid_obj, ('SeServiceLogonRight', ))
                        win32security.LsaClose(policy_handle)
                    except pywintypes.error, details:
                        self.ctx.die(
                            200, "Error during service user set up:"
                            " (%s) %s" % (details[0], details[2]))
                    if not pasw:
                        try:
                            pasw = config.as_map()["omero.windows.pass"]
                        except KeyError:
                            pasw = self._ask_for_password(
                                " for service user \"%s\"" % user)
                else:
                    pasw = None

                hscm = win32service.OpenSCManager(
                    None, None, win32service.SC_MANAGER_ALL_ACCESS)
                try:
                    self.ctx.out("Installing %s Windows service." % svc_name)
                    hs = win32service.CreateService(
                        hscm, svc_name, svc_name,
                        win32service.SERVICE_ALL_ACCESS,
                        win32service.SERVICE_WIN32_OWN_PROCESS,
                        win32service.SERVICE_AUTO_START,
                        win32service.SERVICE_ERROR_NORMAL, binpath, None, 0,
                        None, user, pasw)
                    self.ctx.out("Successfully installed %s Windows service." %
                                 svc_name)
                    win32service.CloseServiceHandle(hs)
                finally:
                    win32service.CloseServiceHandle(hscm)

            # Then check if the server is already running
            if 0 <= output.find("RUNNING"):
                self.ctx.die(
                    201, "%s is already running. Use stop first" % svc_name)

            # Finally, try to start the service - delete if startup fails
            hscm = win32service.OpenSCManager(
                None, None, win32service.SC_MANAGER_ALL_ACCESS)
            try:
                try:
                    hs = win32service.OpenService(
                        hscm, svc_name, win32service.SC_MANAGER_ALL_ACCESS)
                    win32service.StartService(hs, None)
                    self.ctx.out("Starting %s Windows service." % svc_name)
                except pywintypes.error, details:
                    self.ctx.out("%s service startup failed: (%s) %s" %
                                 (svc_name, details[0], details[2]))
                    win32service.DeleteService(hs)
                    self.ctx.die(202, "%s service deleted." % svc_name)
            finally:
                win32service.CloseServiceHandle(hs)
                win32service.CloseServiceHandle(hscm)