rob-murawski-afscreds-scm-patch-20031121

Reduce the requested list of permissions to the minimum necessary to
access the service manager and service for the requested task.

src/WINNT/client_creds/advtab.cpp

@@ -177,44 +177,67 @@ void Advanced_OnChangeService (HWND hDlg, WORD wCmd)
 {
    BOOL fSuccess = FALSE;
    ULONG error = 0;
-
-   SC_HANDLE hManager;
-   if ((hManager = OpenSCManager (NULL, NULL, SC_MANAGER_ALL_ACCESS)) != NULL)
-      {
-      SC_HANDLE hService;
-      if ((hService = OpenService (hManager, TEXT("TransarcAFSDaemon"), SERVICE_ALL_ACCESS)) != NULL)
-         {
-         switch (wCmd)
+   SC_HANDLE hManager, hService;
+   
+    switch (wCmd)
+    {
+    case IDC_SERVICE_AUTO:
+        DWORD StartType;
+        if ((hManager = OpenSCManager (NULL, NULL, SC_MANAGER_CONNECT |
+                                        SC_MANAGER_ENUMERATE_SERVICE |
+                                        SC_MANAGER_QUERY_LOCK_STATUS)) != NULL)
+        {
+            if ((hService = OpenService (hManager, TEXT("TransarcAFSDaemon"), 
+                                         SERVICE_CHANGE_CONFIG | SERVICE_QUERY_CONFIG | 
+                                         SERVICE_QUERY_STATUS)) != NULL)
             {
-            case IDC_SERVICE_AUTO:
-               DWORD StartType;
-               StartType = (IsDlgButtonChecked (hDlg, wCmd)) ? SERVICE_AUTO_START : SERVICE_DEMAND_START;
-
-               if (ChangeServiceConfig (hService, SERVICE_NO_CHANGE, StartType, SERVICE_NO_CHANGE, 0, 0, 0, 0, 0, 0, 0))
-                  fSuccess = TRUE;
-               break;
-
-            case IDC_SERVICE_START:
-               if (StartService (hService, 0, 0))
-			   {
-				  TestAndDoMapShare(SERVICE_START_PENDING);
-                  fSuccess = TRUE;
-			   }
-               break;
-
-            case IDC_SERVICE_STOP:
-               SERVICE_STATUS Status;
-			   TestAndDoUnMapShare();
-               ControlService (hService, SERVICE_CONTROL_STOP, &Status);
-               fSuccess = TRUE;
-               break;
+                StartType = (IsDlgButtonChecked (hDlg, wCmd)) ? SERVICE_AUTO_START : SERVICE_DEMAND_START;
+                if (ChangeServiceConfig (hService, SERVICE_NO_CHANGE, StartType, 
+                                         SERVICE_NO_CHANGE, 0, 0, 0, 0, 0, 0, 0))
+                    fSuccess = TRUE;
+                CloseServiceHandle (hService);
             }
+            CloseServiceHandle (hManager);
+        }
+        break;
 
-         CloseServiceHandle (hService);
-         }
+    case IDC_SERVICE_START:
+        if ((hManager = OpenSCManager (NULL, NULL, SC_MANAGER_CONNECT |
+                                        SC_MANAGER_ENUMERATE_SERVICE |
+                                        SC_MANAGER_QUERY_LOCK_STATUS )) != NULL)
+        {
+            if ((hService = OpenService (hManager, TEXT("TransarcAFSDaemon"), 
+                                         SERVICE_QUERY_STATUS | SERVICE_START)) != NULL)
+            {
+                if (StartService (hService, 0, 0))
+                {
+                    TestAndDoMapShare(SERVICE_START_PENDING);
+                    fSuccess = TRUE;
+                }
+                CloseServiceHandle (hService);
+            }
+            CloseServiceHandle (hManager);
+        }
+        break;
 
-      CloseServiceHandle (hManager);
-      }
+    case IDC_SERVICE_STOP:
+        if ((hManager = OpenSCManager (NULL, NULL, SC_MANAGER_CONNECT |
+                                        SC_MANAGER_ENUMERATE_SERVICE |
+                                        SC_MANAGER_QUERY_LOCK_STATUS )) != NULL)
+        {            
+            if ((hService = OpenService (hManager, TEXT("TransarcAFSDaemon"), 
+                                         SERVICE_QUERY_STATUS | SERVICE_STOP)) != NULL)
+            {
+                SERVICE_STATUS Status;
+                TestAndDoUnMapShare();
+                ControlService (hService, SERVICE_CONTROL_STOP, &Status);
+                fSuccess = TRUE;
+            }
+            CloseServiceHandle (hService);
+        }
+        CloseServiceHandle (hManager);
+        break;
+    }
 
    if (fSuccess)
       {

src/WINNT/client_creds/afswiz.cpp

@@ -221,10 +221,14 @@ void WizStarting_OnInitDialog (HWND hDlg)
    ShowWindow (GetDlgItem (hDlg, IDC_START_TRY), SW_SHOW);
 
    SC_HANDLE hManager;
-   if ((hManager = OpenSCManager (NULL, NULL, SC_MANAGER_ALL_ACCESS)) != NULL)
+    if ((hManager = OpenSCManager (NULL, NULL, 
+                                   SC_MANAGER_CONNECT |
+                                   SC_MANAGER_ENUMERATE_SERVICE |
+                                   SC_MANAGER_QUERY_LOCK_STATUS)) != NULL)
       {
       SC_HANDLE hService;
-      if ((hService = OpenService (hManager, TEXT("TransarcAFSDaemon"), SERVICE_ALL_ACCESS)) != NULL)
+          if ((hService = OpenService (hManager, TEXT("TransarcAFSDaemon"), 
+                                       SERVICE_QUERY_STATUS | SERVICE_START)) != NULL)
          {
          if (StartService (hService, 0, 0))
 			TestAndDoMapShare(SERVICE_START_PENDING);

src/WINNT/client_creds/window.cpp

@@ -640,10 +640,14 @@ void Terminate_OnOK (HWND hDlg)
       if (IsDlgButtonChecked (hDlg, IDC_STOP))
          {
          SC_HANDLE hManager;
-         if ((hManager = OpenSCManager (NULL, NULL, SC_MANAGER_ALL_ACCESS)) != NULL)
+             if ((hManager = OpenSCManager (NULL, NULL, 
+                                            SC_MANAGER_CONNECT |
+                                            SC_MANAGER_ENUMERATE_SERVICE |
+                                            SC_MANAGER_QUERY_LOCK_STATUS)) != NULL)
             {
             SC_HANDLE hService;
-            if ((hService = OpenService (hManager, TEXT("TransarcAFSDaemon"), SERVICE_ALL_ACCESS)) != NULL)
+            if ((hService = OpenService (hManager, TEXT("TransarcAFSDaemon"), 
+                                         SERVICE_QUERY_STATUS | SERVICE_START)) != NULL)
                {
                SERVICE_STATUS Status;
                ControlService (hService, SERVICE_CONTROL_STOP, &Status);