diff --git a/jobs/ccg-plugin/templates/pre-start.ps1.erb b/jobs/ccg-plugin/templates/pre-start.ps1.erb
index e6ec5060..4985211c 100644
--- a/jobs/ccg-plugin/templates/pre-start.ps1.erb
+++ b/jobs/ccg-plugin/templates/pre-start.ps1.erb
@@ -19,8 +19,8 @@ reg.exe import $ccgPackagePath\EventLog.reg
 Write-Output "Register the plugin's GUID with CCG" | timestamp
 & "$ccgPackagePath\RegisterPluginWithCCG.ps1"
-Write-Output "Change permissions to grant everyone access to dll" | timestamp
-cmd.exe /C "icacls $ccgPackagePath\CfCcgPlugin.dll /grant Everyone:(F)"
+Write-Output "Change permissions to grant LocalService and NetworkService access to dll" | timestamp
+cmd.exe /C "icacls $ccgPackagePath\CfCcgPlugin.dll /grant `"NT AUTHORITY\LocalService`":(RX) /grant `"NT AUTHORITY\NETWORK SERVICE`":(RX)"
 Write-Output "Register plugin with the .net framework" | timestamp
 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe /codebase /tlb $ccgPackagePath\CfCcgPlugin.dll
diff --git a/src/CfCcgPlugin/CfCcgCredProvider.cs b/src/CfCcgPlugin/CfCcgCredProvider.cs
index b90565db..b5706ea2 100644
--- a/src/CfCcgPlugin/CfCcgCredProvider.cs
+++ b/src/CfCcgPlugin/CfCcgCredProvider.cs
@@ -20,6 +20,8 @@ void GetPasswordCredentials(
 [Guid("8019A64C-3F4E-4DE3-AD2B-9A544290E2C3")]
 [ProgId("CfCcgCredProvider")]
 [ComVisible(true)]
+ [SecurityRole("SYSTEM")]
+ [SecurityRole("CCG")]
 public class CfCcgCredProvider : ServicedComponent, ICcgDomainAuthCredentials
 {
 public CfCcgCredProvider()
diff --git a/src/CfCcgPlugin/ChangePluginIdentity.ps1 b/src/CfCcgPlugin/ChangePluginIdentity.ps1
index fbb8ac42..c589aed9 100644
--- a/src/CfCcgPlugin/ChangePluginIdentity.ps1
+++ b/src/CfCcgPlugin/ChangePluginIdentity.ps1
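Review bot: The new `+cmd.exe /C "icacls ...` line only adds ACEs with `/grant`, so an `Everyone:(F)` entry left on CfCcgPlugin.dll by an earlier run of this template survives on a host that keeps the package directory, and the tightening is then only effective on fresh VMs. Putting `/remove Everyone` before the grants, e.g. `cmd.exe /C "icacls $ccgPackagePath\CfCcgPlugin.dll /remove Everyone /grant ..."`, makes the result the same on fresh and upgraded hosts. The grant to `NT AUTHORITY\NETWORK SERVICE` is not explained by anything visible here, since ChangePluginIdentity.ps1 sets the COM+ identity to LocalService; a comment naming which process reads the DLL as Network Service, or dropping that grant if none does, would keep the ACL minimal. The exit status of cmd.exe is also not checked, so a failed ACL change lets pre-start continue with a DLL the LocalService surrogate may not be able to read; testing `$LASTEXITCODE` after the call and failing the script would surface that at deploy time.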
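Review bot: The two `[SecurityRole]` attributes added above the class say nothing about why the roles are called SYSTEM and CCG or who is meant to be in them, and a reader of this file alone cannot tell that membership is filled in separately. A comment above them such as `// Component-level COM+ roles (AccessChecksLevel = ApplicationComponent); members are assigned by ChangePluginIdentity.ps1: NT AUTHORITY\SYSTEM -> SYSTEM, NT SERVICE\ccg -> CCG` ties the class to the script and to the assembly-level settings. The names duplicate the assembly-level declarations in AssemblyInfo.cs; as I read the attribute semantics the assembly-level ones define the roles for the application and the class-level ones bind them to this component, so the duplication looks intended but is worth stating so nobody removes one half. The class body continues outside the hunk.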
@@ -7,3 +7,28 @@ $apps.Populate()
 $appExistCheckApp = $apps | Where-Object {$_.Name -eq $newComPackageName}
 $appExistCheckApp.Value("Identity") = "NT AUTHORITY\LocalService"
 $apps.SaveChanges()
+
+$roles = $apps.GetCollection("Roles", $appExistCheckApp.Key)
+$roles.Populate()
+
+$systemRole = $roles | Where-Object {$_.Name -eq "SYSTEM"}
+if ($systemRole) {
+ $users = $roles.GetCollection("UsersInRole", $systemRole.Key)
+ $users.Populate()
+ $newUser = $users.Add()
+ $newUser.Value("User") = "NT AUTHORITY\SYSTEM"
+ $users.SaveChanges()
+}
+
+$ccgRole = $roles | Where-Object {$_.Name -eq "CCG"}
+if ($ccgRole) {
+ $users = $roles.GetCollection("UsersInRole", $ccgRole.Key)
+ $users.Populate()
+ try {
+ $newUser = $users.Add()
+ $newUser.Value("User") = "NT SERVICE\ccg"
+ $users.SaveChanges()
+ } catch {
+ Write-Warning "Failed to add NT SERVICE\ccg to CCG role: $_"
+ }
+}
diff --git a/src/CfCcgPlugin/Properties/AssemblyInfo.cs b/src/CfCcgPlugin/Properties/AssemblyInfo.cs
index 4d4681f0..01509d46 100644
--- a/src/CfCcgPlugin/Properties/AssemblyInfo.cs
+++ b/src/CfCcgPlugin/Properties/AssemblyInfo.cs
@@ -16,9 +16,11 @@
 [assembly: ApplicationActivation(ActivationOption.Server)]
 [assembly: ApplicationAccessControl(
- AccessChecksLevel = AccessChecksLevelOption.Application,
- Authentication = AuthenticationOption.None,
- Value = false)]
+ true,
+ AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent,
+ Authentication = AuthenticationOption.Packet)]
+[assembly: SecurityRole("SYSTEM")]
+[assembly: SecurityRole("CCG")]
 // Setting ComVisible to false makes the types in this assembly not visible
 // to COM components. If you need to access a type in this assembly from
diff --git a/src/CfCcgPlugin/README.md b/src/CfCcgPlugin/README.md
index 0eccf15e..6281e47d 100644
--- a/src/CfCcgPlugin/README.md
+++ b/src/CfCcgPlugin/README.md
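Review bot: The added role-membership code is not idempotent: both blocks call `$users.Add()` and `$users.SaveChanges()` unconditionally, so every re-run of the script appends another member to the SYSTEM and CCG roles. Looking in the populated collection first, e.g. `if (-not ($users | Where-Object {$_.Value("User") -eq "NT AUTHORITY\SYSTEM"})) { ... }` around the `Add()` (and the same for `NT SERVICE\ccg`), keeps the catalog clean across runs. The two blocks also treat failure differently: the SYSTEM block has no try/catch while the CCG block downgrades an error to `Write-Warning`, so a host where `NT SERVICE\ccg` cannot be added is left with an empty CCG role and the resulting access denial only shows up later when credentials are requested; either make that failure fatal or document why it is tolerated. Both `if ($systemRole)` and `if ($ccgRole)` likewise skip silently when the role is absent from the catalog, which would hide a registration done with an assembly that lacks the new role attributes.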
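Review bot: `Authentication = AuthenticationOption.Packet` authenticates each packet but does not protect its contents, and the component this application hosts returns password credentials (`GetPasswordCredentials` in CfCcgCredProvider.cs), so `AuthenticationOption.Privacy` is the level that matches the data crossing the boundary; if the calls are known to be local-only and privacy is deliberately left off, a comment saying so belongs next to the attribute. No `ImpersonationLevel` is set either, so the effective value is whatever COM+ applies by default; naming the intended level explicitly keeps the security posture readable. A comment above `[assembly: SecurityRole("SYSTEM")]` noting that membership is assigned by ChangePluginIdentity.ps1 rather than at registration would also help, since with access checks enabled a role that is still empty denies callers until that script has run.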
@@ -20,7 +20,7 @@ Note - to verify the plugin you don't need to set up any Active Directory stuff
 ```
 - Set broad permissions on the plugin dll
 ```powershell
- cmd.exe /C "icacls c:\\CfCcgPlugin.dll /grant Everyone:(F)"
+ cmd.exe /C "icacls c:\\CfCcgPlugin.dll /grant `"NT AUTHORITY\LocalService`":(RX) /grant `"NT AUTHORITY\NETWORK SERVICE`":(RX)"
 ```
 - Register the plugin as a com object with the .net framework