At 01:40 PM 7/9/2002, you wrote: >This patch sets the calls to OpenSCManager and OpenService to use the >minimum required privileges.
Cool. Could you cvs up to grab the latest version with Mladen's patch, compare your suggested changes to his latest changes for requested privileges, and provide an updated patch to discuss? Bill
>Index: service.c
>===================================================================
>RCS file: /home/cvspublic/httpd-2.0/server/mpm/winnt/service.c,v
>retrieving revision 1.56
>diff -u -3 -r1.56 service.c
>--- service.c 2 Jul 2002 19:03:15 -0000 1.56
>+++ service.c 9 Jul 2002 18:02:38 -0000
>@@ -483,10 +483,10 @@
> if ((osver.dwPlatformId == VER_PLATFORM_WIN32_NT)
> && (osver.dwMajorVersion > 4)
> && (ChangeServiceConfig2)
>- && (schSCManager = OpenSCManager(NULL, NULL,
>SC_MANAGER_ALL_ACCESS)))
>+ && (schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT)))
> {
> SC_HANDLE schService = OpenService(schSCManager, mpm_service_name,
>- SERVICE_ALL_ACCESS);
>+ SERVICE_CHANGE_CONFIG);
> if (schService) {
> /* Cast is necessary, ChangeServiceConfig2 handles multiple
> * object types, some volatile, some not.
>@@ -854,10 +854,9 @@
> {
> SC_HANDLE schService;
> SC_HANDLE schSCManager;
>-
>- // TODO: Determine the minimum permissions required for security
>+
> schSCManager = OpenSCManager(NULL, NULL, /* local, default
> database */
>- SC_MANAGER_ALL_ACCESS);
>+ SC_MANAGER_CREATE_SERVICE);
> if (!schSCManager) {
> rv = apr_get_os_error();
> ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_STARTUP, rv, NULL,
>@@ -870,7 +869,7 @@
> if (reconfig) {
> /* ###: utf-ize */
> schService = OpenService(schSCManager, mpm_service_name,
>- SERVICE_ALL_ACCESS);
>+ SERVICE_CHANGE_CONFIG);
> if (!schService) {
> ap_log_error(APLOG_MARK, APLOG_ERR|APLOG_ERR,
> apr_get_os_error(), NULL,
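Review bot: In the `@@ -854` hunk the SCM handle is opened with SC_MANAGER_CREATE_SERVICE unconditionally, yet the `@@ -870` hunk shows a `reconfig` branch that only opens an existing service, for which SC_MANAGER_CONNECT is enough. If `reconfig` is already known at the OpenSCManager call (the function starts outside the hunk, so this is an assumption), the request could be `reconfig ? SC_MANAGER_CONNECT : SC_MANAGER_CREATE_SERVICE`. The hunk also drops the TODO without a replacement; a short comment such as `/* CREATE_SERVICE is needed only for CreateService(); reconfig just opens the existing service */` would record why each right is requested.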
>@@ -1008,9 +1007,8 @@
>
> fprintf(stderr,"Removing the %s service\n", mpm_display_name);
>
>- // TODO: Determine the minimum permissions required for security
> schSCManager = OpenSCManager(NULL, NULL, /* local, default
> database */
>- SC_MANAGER_ALL_ACCESS);
>+ SC_MANAGER_CONNECT);
> if (!schSCManager) {
> rv = apr_get_os_error();
> ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_STARTUP, rv, NULL,
>@@ -1019,7 +1017,7 @@
> }
>
> /* ###: utf-ize */
>- schService = OpenService(schSCManager, mpm_service_name,
>SERVICE_ALL_ACCESS);
>+ schService = OpenService(schSCManager, mpm_service_name, DELETE);
>
> if (!schService) {
> rv = apr_get_os_error();
>@@ -1123,9 +1121,8 @@
> SC_HANDLE schService;
> SC_HANDLE schSCManager;
>
>- // TODO: Determine the minimum permissions required for security
> schSCManager = OpenSCManager(NULL, NULL, /* local, default
> database */
>- SC_MANAGER_ALL_ACCESS);
>+ SC_MANAGER_CONNECT);
> if (!schSCManager) {
> rv = apr_get_os_error();
> ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_STARTUP, rv, NULL,
>@@ -1265,7 +1262,7 @@
> SC_HANDLE schSCManager;
>
> schSCManager = OpenSCManager(NULL, NULL, // default machine &
> database
>- SC_MANAGER_ALL_ACCESS);
>+ SC_MANAGER_CONNECT);
>
> if (!schSCManager) {
> ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_STARTUP,
> apr_get_os_error(), NULL,
>@@ -1275,7 +1272,8 @@
>
> /* ###: utf-ize */
> schService = OpenService(schSCManager, mpm_service_name,
>- SERVICE_ALL_ACCESS);
>+ SERVICE_INTERROGATE |
>SERVICE_QUERY_STATUS |
>+ SERVICE_START | SERVICE_STOP);
>
> if (schService == NULL) {
> /* Could not open the service */
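Review bot: `DELETE` alone on the uninstall handle in the `@@ -1019` hunk will break any stop or status call made through `schService` before DeleteService(). The rest of the function lies outside the hunk, so this needs checking against the code that follows. If the service is stopped or queried there first, the mask would have to be `DELETE | SERVICE_STOP | SERVICE_QUERY_STATUS`. Uninstalling while the service is running is the case to test.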
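Review bot: The OpenService call that belongs with the OpenSCManager change in the `@@ -1123` hunk is not touched anywhere in this patch. The function continues past the hunk, so its current mask is not visible. If it still requests SERVICE_ALL_ACCESS, the caller keeps needing full control of the service and the least-privilege change is incomplete for this operation. It should be narrowed to the rights the later calls actually use, for example `SERVICE_START | SERVICE_QUERY_STATUS` if the function only starts the service and polls its state.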
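Review bot: The access mask in the `@@ -1275` hunk omits SERVICE_USER_DEFINED_CONTROL, which ControlService() requires for control codes in the 128–255 range. The calls made on `schService` are outside the hunk, but if this function signals a restart with a user-defined control code, that request will fail with ERROR_ACCESS_DENIED on the narrowed handle. Either extend the mask to `SERVICE_INTERROGATE | SERVICE_QUERY_STATUS | SERVICE_USER_DEFINED_CONTROL | SERVICE_START | SERVICE_STOP` or confirm that only standard controls are sent. A one-line comment naming which call needs which right would keep the mask from drifting.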