def add_user_privilege(self, privilege): try: acc_sid = win32security.LookupAccountName(self.dcName, self.userName)[0] win32security.LsaAddAccountRights(self._policy, acc_sid, (privilege,)) except pywintypes.error as e: return UserHelper.ACTION_FAILED, e.strerror return UserHelper.ACTION_OK, "Privilege added."
def user_rights_policy(self, policy): actual_users = [] granted = [] deleted = [] for val in win32security.LsaEnumerateAccountsWithUserRight(win32security.LsaOpenPolicy("", 25), policy["right_type"]): actual_users.append(win32security.LookupAccountSid(None, val)[0]) file_users = policy["value_data"] if (file_users == '' or file_users == "Undefined") and len(actual_users) != 0: for user in actual_users: try: win32security.LsaRemoveAccountRights(win32security.LsaOpenPolicy("", 25), win32security.LookupAccountName(None, user)[0], 0, [policy["right_type"]]) deleted.append(user) except Exception as e: continue return {"status": 0, "msg": {"granted": granted, "deleted": deleted}} file_users = file_users.replace("'", "").replace('"', '').split('&&') file_users = [user.strip() for user in file_users] for user in file_users: try: if user not in actual_users: win32security.LsaAddAccountRights(win32security.LsaOpenPolicy("", 25), win32security.LookupAccountName(None, user)[0], [policy["right_type"]]) granted.append(user) except Exception as e: continue for user in actual_users: try: if user not in file_users: win32security.LsaRemoveAccountRights(win32security.LsaOpenPolicy("", 25), win32security.LookupAccountName(None, user)[0], 0, [policy["right_type"]]) deleted.append(user) except Exception as e: continue return {"status": 0, "msg": {"granted": granted, "deleted": deleted}}
def ConfigureLogOnAsAServicePolicy(accountName): # Modifies LocalSecurityPolicy to allow run buildbot as specified user # You can do it manually by running "secpol.msc" # Open Local Policies > User Rights Assignment > Log on as a service # Add User or Group... # # Args: # accountName(str): fully qualified string in the domain_name\user_name format. # use ".\user_name" format for local account SE_SERVICE_LOGON_RIGHT = "SeServiceLogonRight" try: if "\\" not in accountName or accountName.startswith(".\\"): computerName = os.environ['COMPUTERNAME'] if not computerName: computerName = win32api.GetComputerName() if not computerName: print("error: Cannot determine computer name") return accountName = "{}\\{}".format(computerName, accountName.lstrip(".\\")) account = win32security.LookupAccountName(None, accountName) accountSid = account[0] sid = win32security.ConvertSidToStringSid(accountSid) except win32api.error as err: print("error {} ({}): {}".format(err.winerror, err.funcname, err.strerror)) return with GetLocalSecurityPolicyHandle( '', win32security.POLICY_ALL_ACCESS) as policy: win32security.LsaAddAccountRights(policy, accountSid, [SE_SERVICE_LOGON_RIGHT]) # verify if policy was really modified with GetLocalSecurityPolicyHandle( '', win32security.POLICY_ALL_ACCESS) as policy: try: privileges = win32security.LsaEnumerateAccountRights( policy, accountSid) except win32api.error as err: # If no account rights are found or if the function fails for any other reason, # the function returns throws winerror.ERROR_FILE_NOT_FOUND or any other print("error {} ({}): {}".format(err.winerror, err.funcname, err.strerror)) privileges = [] if SE_SERVICE_LOGON_RIGHT in privileges: print("Account {}({}) has granted {} privilege.".format( accountName, sid, SE_SERVICE_LOGON_RIGHT)) else: print("error: Account {}({}) does not have {} privilege.".format( accountName, sid, SE_SERVICE_LOGON_RIGHT))
def user_rights_policy(self, policy, val): granted = val["granted"] deleted = val["deleted"] for user in granted: try: win32security.LsaRemoveAccountRights( win32security.LsaOpenPolicy("", 25), win32security.LookupAccountName(None, user)[0], 0, [policy["right_type"]]) except Exception as e: continue for user in deleted: try: win32security.LsaAddAccountRights( win32security.LsaOpenPolicy("", 25), win32security.LookupAccountName(None, user)[0], [policy["right_type"]]) except Exception as e: continue return {"status": 0, "msg": "Success"}
win32con.SE_PRIVILEGE_ENABLED) ##doesn't seem to be in ntsecuritycon.py ? ) ph = win32api.GetCurrentProcess() th = win32security.OpenProcessToken( ph, win32security.TOKEN_ALL_ACCESS) ##win32con.TOKEN_ADJUST_PRIVILEGES) win32security.AdjustTokenPrivileges(th, 0, new_privs) policy_handle = win32security.GetPolicyHandle('', win32security.POLICY_ALL_ACCESS) tmp_sid = win32security.LookupAccountName('', 'tmp')[0] privs = [ ntsecuritycon.SE_DEBUG_NAME, ntsecuritycon.SE_TCB_NAME, ntsecuritycon.SE_RESTORE_NAME, ntsecuritycon.SE_REMOTE_SHUTDOWN_NAME ] win32security.LsaAddAccountRights(policy_handle, tmp_sid, privs) privlist = win32security.LsaEnumerateAccountRights(policy_handle, tmp_sid) for priv in privlist: print(priv) privs = [ntsecuritycon.SE_DEBUG_NAME, ntsecuritycon.SE_TCB_NAME] win32security.LsaRemoveAccountRights(policy_handle, tmp_sid, 0, privs) privlist = win32security.LsaEnumerateAccountRights(policy_handle, tmp_sid) for priv in privlist: print(priv) win32security.LsaClose(policy_handle)
def startasync(self, args, config): """ First checks for a valid installation, then checks the grid, then registers the action: "node HOST start" """ self.check_access(config=config) self.checkice() self.check_node(args) if self._isWindows(): self.checkwindows(args) if 0 == self.status(args, node_only=True): self.ctx.die(876, "Server already running") self._initDir() # Do a check to see if we've started before. self._regdata() self.check([]) user = args.user pasw = args.password descript = self._descript(args) if self._isWindows(): svc_name = "OMERO.%s" % args.node output = self._query_service(svc_name) # Now check if the server exists if 0 <= output.find("DOESNOTEXIST"): binpath = """icegridnode.exe "%s" --deploy "%s" --service\ %s""" % (self._icecfg(), descript, svc_name) # By default: "NT Authority\Local System" if not user: try: user = config.as_map()["omero.windows.user"] except KeyError: user = None if user is not None and len(user) > 0: if not "\\" in user: computername = win32api.GetComputerName() user = "******".join([computername, user]) try: # See #9967, code based on http://mail.python.org/\ # pipermail/python-win32/2010-October/010791.html self.ctx.out("Granting SeServiceLogonRight to service" " user \"%s\"" % user) policy_handle = win32security.LsaOpenPolicy( None, win32security.POLICY_ALL_ACCESS) sid_obj, domain, tmp = \ win32security.LookupAccountName(None, user) win32security.LsaAddAccountRights( policy_handle, sid_obj, ('SeServiceLogonRight', )) win32security.LsaClose(policy_handle) except pywintypes.error, details: self.ctx.die( 200, "Error during service user set up:" " (%s) %s" % (details[0], details[2])) if not pasw: try: pasw = config.as_map()["omero.windows.pass"] except KeyError: pasw = self._ask_for_password( " for service user \"%s\"" % user) else: pasw = None hscm = win32service.OpenSCManager( None, None, win32service.SC_MANAGER_ALL_ACCESS) try: self.ctx.out("Installing %s Windows service." % svc_name) hs = win32service.CreateService( hscm, svc_name, svc_name, win32service.SERVICE_ALL_ACCESS, win32service.SERVICE_WIN32_OWN_PROCESS, win32service.SERVICE_AUTO_START, win32service.SERVICE_ERROR_NORMAL, binpath, None, 0, None, user, pasw) self.ctx.out("Successfully installed %s Windows service." % svc_name) win32service.CloseServiceHandle(hs) finally: win32service.CloseServiceHandle(hscm) # Then check if the server is already running if 0 <= output.find("RUNNING"): self.ctx.die( 201, "%s is already running. Use stop first" % svc_name) # Finally, try to start the service - delete if startup fails hscm = win32service.OpenSCManager( None, None, win32service.SC_MANAGER_ALL_ACCESS) try: try: hs = win32service.OpenService( hscm, svc_name, win32service.SC_MANAGER_ALL_ACCESS) win32service.StartService(hs, None) self.ctx.out("Starting %s Windows service." % svc_name) except pywintypes.error, details: self.ctx.out("%s service startup failed: (%s) %s" % (svc_name, details[0], details[2])) win32service.DeleteService(hs) self.ctx.die(202, "%s service deleted." % svc_name) finally: win32service.CloseServiceHandle(hs) win32service.CloseServiceHandle(hscm)