From 23c22024063b89652ce2a6a0725cc92b1e464941 Mon Sep 17 00:00:00 2001
From: NextTurn <45985406+NextTurn@users.noreply.github.com>
Date: Mon, 2 Mar 2020 00:00:00 +0800
Subject: [PATCH] Support security descriptor string
---
 doc/xmlConfigFile.md | 11 +++++++++++
 examples/sample-allOptions.xml | 8 ++++++++
 src/Core/ServiceWrapper/Main.cs | 9 +++++++++
 src/Core/WinSWCore/Native/Advapi32.cs | 4 ++++
 src/Core/WinSWCore/ServiceDescriptor.cs | 2 ++
 src/Core/WinSWCore/WinSWCore.csproj | 1 +
 6 files changed, 35 insertions(+)
diff --git a/doc/xmlConfigFile.md b/doc/xmlConfigFile.md
index 01fe5a1..3d755e0 100644
--- a/doc/xmlConfigFile.md
+++ b/doc/xmlConfigFile.md
@@ -230,6 +230,17 @@ This affects the behaviour of the failure actions (see `` above). In other words, this is the duration in which you consider the service has been running successfully. Defaults to 1 day.
+
+### Security descriptor
+
+The security descriptor string for the service in SDDL form.
+
+For more information, see [Security Descriptor Definition Language](https://docs.microsoft.com/windows/win32/secauthz/security-descriptor-definition-language).
+
+```xml
+
+```
+
 ### Service account It is possible to specify the useraccount (and password) that the service will run as. To do this, specify a `` element like this:
diff --git a/examples/sample-allOptions.xml b/examples/sample-allOptions.xml
index a46ff02..47ac8a5 100644
--- a/examples/sample-allOptions.xml
+++ b/examples/sample-allOptions.xml
@@ -80,6 +80,14 @@ Their modification will not take affect without the service re-installation. 1 hour --> + + + +
diff --git a/src/Core/ServiceWrapper/Main.cs b/src/Core/ServiceWrapper/Main.cs
index 1aa2476..4bcf9af 100644
--- a/src/Core/ServiceWrapper/Main.cs
+++ b/src/Core/ServiceWrapper/Main.cs
@@ -5,6 +5,7 @@ using System.Diagnostics.CodeAnalysis;
 using System.IO;
 using System.Reflection;
 using System.Runtime.InteropServices;
+using System.Security.AccessControl;
 using System.ServiceProcess;
 using System.Text;
 using System.Threading;
@@ -677,6 +678,14 @@ namespace winsw
 }
 }
+ if (descriptor.SecurityDescriptor != null)
+ {
+ RawSecurityDescriptor rawSecurityDescriptor = new RawSecurityDescriptor(descriptor.SecurityDescriptor);
+ byte[] securityDescriptorBytes = new byte[rawSecurityDescriptor.BinaryLength];
+ rawSecurityDescriptor.GetBinaryForm(securityDescriptorBytes, 0);
+ Advapi32.SetServiceObjectSecurity(/*TODO*/default, SecurityInfos.DiscretionaryAcl, securityDescriptorBytes);
+ }
+
 return;
 }
diff --git a/src/Core/WinSWCore/Native/Advapi32.cs b/src/Core/WinSWCore/Native/Advapi32.cs
index 10d3c34..df0bb69 100755
--- a/src/Core/WinSWCore/Native/Advapi32.cs
+++ b/src/Core/WinSWCore/Native/Advapi32.cs
@@ -2,6 +2,7 @@ using System.Collections.Generic;
 using System.ComponentModel;
 using System.Runtime.InteropServices;
+using System.Security.AccessControl;
 using System.Text;
 // ReSharper disable InconsistentNaming
@@ -278,6 +279,9 @@ namespace winsw.Native
 [DllImport(Advapi32LibraryName)]
 public static extern bool SetServiceStatus(IntPtr hServiceStatus, in SERVICE_STATUS lpServiceStatus);
+ [DllImport(Advapi32LibraryName)]
+ public static extern bool SetServiceObjectSecurity(IntPtr hService, SecurityInfos dwSecurityInformation, byte[] lpSecurityDescriptor);
+
 [DllImport(Advapi32LibraryName)]
 internal static extern uint LsaOpenPolicy(
 in LSA_UNICODE_STRING SystemName,
diff --git a/src/Core/WinSWCore/ServiceDescriptor.cs b/src/Core/WinSWCore/ServiceDescriptor.cs
index 23e6b07..97a68fc 100755
--- a/src/Core/WinSWCore/ServiceDescriptor.cs
+++ b/src/Core/WinSWCore/ServiceDescriptor.cs
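Review bot: The new block in the @@ -677 hunk passes `default` (a null handle) as hService to SetServiceObjectSecurity and discards its bool result, so the configured DACL is never applied and the failure is silent — the operator ends up with a service that keeps the default ACL while believing it was restricted. The call needs the handle of the service being installed (presumably the one obtained from the OpenService/CreateService call earlier in this function, whose start lies outside the hunk) and a return-value check that throws a Win32Exception (System.ComponentModel). A second hazard: only SecurityInfos.DiscretionaryAcl is requested, so if the SDDL string has no `D:` part the parsed descriptor's DiscretionaryAcl is null and, per the Win32 semantics as I understand them, the service would be given a NULL DACL, i.e. unrestricted access; that case should be rejected before the call. The RawSecurityDescriptor constructor throws ArgumentException on malformed SDDL, which is acceptable at install time but deserves a comment so the next maintainer does not wrap it in a catch-all.
```csharp
// … unchanged: earlier install steps …
if (descriptor.SecurityDescriptor != null)
{
    // Throws ArgumentException on malformed SDDL; let that abort the install.
    var rawSecurityDescriptor = new RawSecurityDescriptor(descriptor.SecurityDescriptor);

    // Only the DACL is applied below. A missing D: part would be written as a NULL DACL,
    // which grants everyone full access to the service object.
    if (rawSecurityDescriptor.DiscretionaryAcl is null)
    {
        throw new InvalidOperationException("securityDescriptor must contain a DACL (D:...) part.");
    }

    byte[] securityDescriptorBytes = new byte[rawSecurityDescriptor.BinaryLength];
    rawSecurityDescriptor.GetBinaryForm(securityDescriptorBytes, 0);

    // hService: the handle to the service just installed (WRITE_DAC access); `default` is never valid.
    if (!Advapi32.SetServiceObjectSecurity(hService, SecurityInfos.DiscretionaryAcl, securityDescriptorBytes))
    {
        throw new Win32Exception();
    }
}
```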
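Review bot: The new `SetServiceObjectSecurity` P/Invoke in the @@ -278 hunk is declared without `SetLastError = true`, so when it returns false the caller cannot recover the Win32 error code through Marshal.GetLastWin32Error() or `new Win32Exception()`, and an ACL that was silently not applied cannot be told apart from an access-denied or invalid-handle failure. Change the attribute to `[DllImport(Advapi32LibraryName, SetLastError = true)]`. The neighbouring SetServiceStatus declaration has the same omission, but that is pre-existing. A doc comment on the declaration stating that lpSecurityDescriptor is a self-relative binary descriptor and that, per the Win32 documentation, hService needs WRITE_DAC access would help callers get the handle right.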
@@ -698,5 +698,7 @@ namespace winsw
 return (ProcessPriorityClass)Enum.Parse(typeof(ProcessPriorityClass), p, true);
 }
 }
+
+ public string? SecurityDescriptor => SingleElement("securityDescriptor", true);
 }
 }
diff --git a/src/Core/WinSWCore/WinSWCore.csproj b/src/Core/WinSWCore/WinSWCore.csproj
index 7d87b0a..f36eb56 100644
--- a/src/Core/WinSWCore/WinSWCore.csproj
+++ b/src/Core/WinSWCore/WinSWCore.csproj
@@ -18,6 +18,7 @@ +
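Review bot: The new `SecurityDescriptor` property in the @@ -698 hunk returns the raw element text with no documentation of its format or of where it is validated; the SDDL is only parsed later when a RawSecurityDescriptor is constructed from it, so a typo in the config surfaces as an ArgumentException at install time rather than when the config is loaded, and any whitespace around the element text is passed through unchanged (whether RawSecurityDescriptor tolerates that I cannot tell from here). Add an XML doc comment: `/// <summary>Security descriptor for the service object in SDDL form, or null when the securityDescriptor element is absent. Not validated here; parsed when the service is installed.</summary>`. Consider trimming the element text, or validating it eagerly by constructing a RawSecurityDescriptor in the getter so a malformed string fails fast with a message that names the element.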