author | nimesh-msys <nimesh.patni@msystechnologies.com> | 2018-07-10 17:52:53 +0530 |
---|---|---|
committer | nimesh-msys <nimesh.patni@msystechnologies.com> | 2018-07-10 17:52:53 +0530 |
commit | f6962f86e20ce4a5dcc5a860b31d58b161f80e6e (patch) | |
tree | 9a28a0e74d61f45fd578faaab058c5213fff9076 /lib | |
parent | d57a36eb9996697ebaf3240edafa801bb7664cdd (diff) | |
[MSYS-843] -
- Added functionality 'remove_account_right' to remove the type of logon that a user account can perform.
- Added rspec
Signed-off-by: nimesh-msys <nimesh.patni@msystechnologies.com>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/chef/win32/api/security.rb | 1 | ||||
-rw-r--r-- | lib/chef/win32/security.rb | 13 |
2 files changed, 14 insertions, 0 deletions
diff --git a/lib/chef/win32/api/security.rb b/lib/chef/win32/api/security.rb
index 6620f321aa..277e85a26b 100644
--- a/lib/chef/win32/api/security.rb
+++ b/lib/chef/win32/api/security.rb
@@ -446,6 +446,7 @@ class Chef
 safe_attach_function :LookupPrivilegeDisplayNameW, [ :LPCWSTR, :LPCWSTR, :LPWSTR, :LPDWORD, :LPDWORD ], :BOOL
 safe_attach_function :LookupPrivilegeValueW, [ :LPCWSTR, :LPCWSTR, :PLUID ], :BOOL
 safe_attach_function :LsaAddAccountRights, [ :pointer, :pointer, :pointer, :ULONG ], :NTSTATUS
+ safe_attach_function :LsaRemoveAccountRights, [ :pointer, :pointer, :BOOL, :pointer, :ULONG ], :NTSTATUS
 safe_attach_function :LsaClose, [ :LSA_HANDLE ], :NTSTATUS
 safe_attach_function :LsaEnumerateAccountRights, [ :LSA_HANDLE, :PSID, :PLSA_UNICODE_STRING, :PULONG ], :NTSTATUS
 safe_attach_function :LsaFreeMemory, [ :PVOID ], :NTSTATUS
diff --git a/lib/chef/win32/security.rb b/lib/chef/win32/security.rb
index 58f47e885b..879aba7f2b 100644
--- a/lib/chef/win32/security.rb
+++ b/lib/chef/win32/security.rb
@@ -117,6 +117,19 @@ class Chef
 end
 end
 
+ def self.remove_account_right(name, privilege)
+ privilege_pointer = FFI::MemoryPointer.new LSA_UNICODE_STRING, 1
+ privilege_lsa_string = LSA_UNICODE_STRING.new(privilege_pointer)
+ privilege_lsa_string[:Buffer] = FFI::MemoryPointer.from_string(privilege.to_wstring)
+ privilege_lsa_string[:Length] = privilege.length * 2
+ privilege_lsa_string[:MaximumLength] = (privilege.length + 1) * 2
+
+ with_lsa_policy(name) do |policy_handle, sid|
+ result = LsaRemoveAccountRights(policy_handle.read_pointer, sid, false, privilege_pointer, 1)
+ test_and_raise_lsa_nt_status(result)
+ end
+ end
+
 def self.adjust_token_privileges(token, privileges)
 token = token.handle if token.respond_to?(:handle)
 old_privileges_size = FFI::Buffer.new(:long).write_long(privileges.size_with_privileges) |
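Review bot: The third parameter of the new `LsaRemoveAccountRights` binding is declared `:BOOL`, but the Win32 prototype types AllRights as BOOLEAN, a one-byte value rather than a four-byte BOOL. With `false` as the only value the new caller passes this is unlikely to misbehave, but the declared width should match the API so a later caller passing `true` is marshalled as intended. If the project's FFI typedefs provide a `:BOOLEAN` (not visible on this page), I would write `[ :pointer, :pointer, :BOOLEAN, :pointer, :ULONG ]`.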
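Review bot: The bare `false` passed as the third argument in `remove_account_right` is the AllRights flag, and nothing in the method says so; if it were ever flipped to `true` the call would strip every right the account holds instead of the one named. I would put a comment above the call, e.g. `# AllRights = false: remove only the named right, never the account's whole rights set`, and add a short method comment naming `name` and `privilege`. The `Length` and `MaximumLength` fields are computed from `privilege.length * 2`, which counts characters rather than UTF-16 bytes; that holds for the ASCII `Se*` right names but is worth stating as an assumption in a comment. It also looks as though removing a right the account does not hold would surface as an exception from `test_and_raise_lsa_nt_status` rather than a no-op; confirm this and document it, since callers that converge state repeatedly will hit that path.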