[python-win32] Re: setting access to Windows services

Roger Upole rwupole at msn.com
Mon Jul 24 22:36:10 CEST 2006


"Les Schaffer" wrote:
> I am having a hard time setting up non-Administrator access to MySQL
> service START|STOP capabilities. been reading MSDN and python-win32 and
> ActiveState docs for a couple days, and am stuck. can anyone see a
> problem here?
> 
> with the SetNamedSecurityInfo call, i get a Error 1069: The service did
> not start due to a logon failure.
> 
> i know i am getting somewhere, before i changed from
> SetServiceObjectSecurity  to SetNamedSecurityInfo  i was getting "access
> denied" for non-Admins. but i am not quite there yet.
> 
> many thanks
> 
> les schaffer
> 
> 
> 
> =============
> 
> import win32api
> from win32service import *
> import win32security, pywintypes
> from win32security import *
> import win32con
> 
> hnd = OpenSCManager(None, None, SC_MANAGER_ALL_ACCESS)
> svcH = OpenService(hnd, "MySQL", SC_MANAGER_ALL_ACCESS)

The access here should be SERVICE_ALL_ACCESS instead of
SC_MANAGER_ALL_ACCESS. Usually it's a good idea to just
specify the types of access required for the current operation, though.
READ_CONTROL|WRITE_DAC should be sufficient for getting
and setting the permissions.


> sd  = QueryServiceObjectSecurity(svcH, DACL_SECURITY_INFORMATION)
> 
> grp = sd.GetSecurityDescriptorGroup()
> dacl = sd.GetSecurityDescriptorDacl()
> bcs_sid = win32security.LookupAccountName('','BCS')[0]
> 
> start_stop = SERVICE_START | SERVICE_STOP | SERVICE_QUERY_STATUS
> dacl.AddAccessAllowedAce(dacl.GetAclRevision(),start_stop,bcs_sid)
> sd.SetSecurityDescriptorDacl(1,dacl,0)
> sd.SetSecurityDescriptorGroup(bcs_sid,0)
> 
> result = SetServiceObjectSecurity(svcH, DACL_SECURITY_INFORMATION, sd)
> 
> if not result:
>    print 'SetServiceObjectSecurity returned error: ', win32api.GetLastError()
>    # GetLastError prints Error code 122
> 
> result = SetNamedSecurityInfo("MySQL", SE_SERVICE,
> DACL_SECURITY_INFORMATION, None, bcs_sid, dacl, None)
> 
> if not result:
>    print 'SetNamedSecurityInfo returned error: ', win32api.GetLastError()
>    # GetLastError prints 0 --- ERROR_SUCCESS even though result is None???

Both SetNamedSecurityInfo and SetServiceObjectSecurity return None on
success, and throw an exception if they fail.  Checking "not result" will cause
it to print an error anytime they succeed.  You can wrap them in a try/except
if you need to trap errors.

Here's a thought:  It should be possible to use the win32com.authorization
module to create a custom permissions editor for services.

     Roger
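
Added example, not part of the original message or of pywin32: the quoted script reworked along the lines of the reply above, opening the service with only READ_CONTROL|WRITE_DAC and relying on exceptions rather than return values. The function name `grant_start_stop`, the Python 3 syntax, the lazy imports and the choice of SC_MANAGER_CONNECT for the SCM handle are assumptions of this example; "MySQL" and "BCS" are the names from the thread.

```python
def grant_start_stop(service_name, account):
    """Allow `account` to start, stop and query `service_name`.

    Returns the access mask that was granted; pywin32 raises
    pywintypes.error if any call fails.
    """
    # Imported inside the function (a choice of this example) so the file
    # can be read and loaded on a machine without pywin32.
    import win32con
    import win32security
    import win32service as ws

    scm = svc = None
    try:
        # Ask only for what this operation needs: connect to the SCM, then
        # READ_CONTROL | WRITE_DAC on the service to read and write its DACL.
        scm = ws.OpenSCManager(None, None, ws.SC_MANAGER_CONNECT)
        svc = ws.OpenService(scm, service_name,
                             win32con.READ_CONTROL | win32con.WRITE_DAC)

        sd = ws.QueryServiceObjectSecurity(
            svc, win32security.DACL_SECURITY_INFORMATION)
        dacl = sd.GetSecurityDescriptorDacl()
        sid = win32security.LookupAccountName(None, account)[0]

        rights = ws.SERVICE_START | ws.SERVICE_STOP | ws.SERVICE_QUERY_STATUS
        dacl.AddAccessAllowedAce(dacl.GetAclRevision(), rights, sid)
        sd.SetSecurityDescriptorDacl(1, dacl, 0)

        # Returns None on success and raises on failure: no result to test.
        ws.SetServiceObjectSecurity(
            svc, win32security.DACL_SECURITY_INFORMATION, sd)
        return rights
    finally:
        for handle in (svc, scm):
            if handle is not None:
                ws.CloseServiceHandle(handle)


if __name__ == "__main__":
    import pywintypes
    try:
        # "MySQL" and "BCS" are the service and account from the thread.
        print("granted 0x%x" % grant_start_stop("MySQL", "BCS"))
    except pywintypes.error as err:
        # pywintypes.error carries winerror, funcname and strerror.
        print("failed in %s: [%d] %s"
              % (err.funcname, err.winerror, err.strerror))
```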




