问题
I am looking forward to install a service on Windows (Windows 7 / Windows 8).
Though the service would be initially installed by "administrator", but it should be installed in such a fashion that any user account on that local machine can Start / Stop / Restart it.
Tried changing "Log On As" to Network Services, but did not help.
Tried Subinacl.exe, but that is not feasible due to architecture design of installer (which does not allow installing any external applications).
Issue is simple -> Service A to be installed by administrator, but should have FULL permissions for all user account on that machine.
Also while installation it is not known in advance as to how many and what all user accounts would be available on that machine.
回答1:
Kevin van Zonneveld describes in his blog how to do this. The example he presents is to allow all authenticated users to restart Apache Tomcat service:
sc GetKeyName "Apache Tomcat"
# returns Tomcat5
sc sdset Tomcat5 "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LCRPWP;;;AU)(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
回答2:
You can use SetSecurityInfo or SetServiceObjectSecurity to change the service ACL. This code creates a service and then sets the ACL to allow any interactively logged on user to start the service:
wchar_t sddl[] = L"D:"
L"(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
// default permissions for local system
L"(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
// default permissions for administrators
L"(A;;CCLCSWLOCRRC;;;AU)"
// default permissions for authenticated users
L"(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
// default permissions for power users
L"(A;;RP;;;IU)"
// added permission: start service for interactive users
;
DWORD InstallService()
{
SC_HANDLE manager, service;
PSECURITY_DESCRIPTOR sd;
DWORD err;
wchar_t apppath[MAX_PATH + 2];
// Note: because this is only called from main() which exits
// immediately afterwards, no attempt is made to close the
// handles generated.
if (!ConvertStringSecurityDescriptorToSecurityDescriptor(sddl,
SDDL_REVISION_1, &sd, NULL))
{
err = GetLastError();
printf("Error %u creating security descriptor.\n", err);
return err;
}
if (!GetModuleFileName(0, apppath, MAX_PATH + 1))
{
err = GetLastError();
printf("Error %u fetching module name.\n", err);
return err;
}
if (_wcsicmp(apppath + wcslen(apppath) - wcslen(exename), exename) != 0)
{
printf("Application name mismatch: %ls\n",
apppath + wcslen(apppath) - wcslen(exename));
return ERROR_INVALID_FUNCTION;
}
manager = OpenSCManager(0, 0, SC_MANAGER_CREATE_SERVICE);
if (!manager)
{
err = GetLastError();
printf("Error %u connecting to service manager.\n", err);
return err;
}
service = CreateService(manager,
servicename,
displayname,
WRITE_DAC,
SERVICE_WIN32_OWN_PROCESS,
SERVICE_DEMAND_START,
SERVICE_ERROR_NORMAL,
apppath,
0,
0,
NULL,
NULL,
NULL);
if (!service)
{
err = GetLastError();
printf("Error %u installing service.\n", err);
return err;
}
if (!SetServiceObjectSecurity(service, DACL_SECURITY_INFORMATION, sd))
{
err = GetLastError();
printf("Error %u setting service security.\n", err);
return err;
}
printf("Service successfully installed.\n");
return 0;
}
来源:https://stackoverflow.com/questions/15901049/how-to-install-a-service-on-windows-to-be-managed-by-any-user