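// Service DACLs in SDDL form.
// Original author's note: the first constant is the security descriptor the
// service normally has when it is not customised.
// NOTE(review): the BU and IU entries are additions on top of that baseline;
// compare with the output of "sc sdshow <service>" on the target OS.
//
// Service-specific meaning of the SDDL rights codes used below:
//   CC = SERVICE_QUERY_CONFIG        DC = SERVICE_CHANGE_CONFIG
//   LC = SERVICE_QUERY_STATUS        SW = SERVICE_ENUMERATE_DEPENDENTS
//   RP = SERVICE_START               WP = SERVICE_STOP
//   DT = SERVICE_PAUSE_CONTINUE      LO = SERVICE_INTERROGATE
//   CR = SERVICE_USER_DEFINED_CONTROL
//   SD = DELETE   RC = READ_CONTROL  WD = WRITE_DAC   WO = WRITE_OWNER
SECURITY_DESCRIPTOR_STANDARD =
  'D:' +
  '(A;;CCLCSWRPWPDTLOCRRC;;;SY)' +           // local system: query, start, stop, pause, read
  '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +   // built-in administrators: full control
  '(A;;CCLCSWLOCRRC;;;AU)' +                 // authenticated users: read-only
  '(A;;CCLCSWRPWPDTLOCRRC;;;PU)' +           // power users: query, start, stop, pause, read
  // Built-in users: query, start, stop, pause, read.
  // SECURITY FIX: this ACE used to be CCDCLCSWRPWPDTLOCRSDRC. DC
  // (SERVICE_CHANGE_CONFIG) and SD (DELETE) were removed because they let any
  // member of Users reconfigure or delete the service, which is a local
  // privilege-escalation path when the service runs under a privileged
  // account. Only administrators keep DC/SD/WD/WO.
  '(A;;CCLCSWRPWPDTLOCRRC;;;BU)' +
  '(A;;RP;;;IU)';                            // added permission: interactive users may start the service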
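// Service DACL (SDDL) that additionally lets non-administrative logons start
// the service. In service SDDL, RP = SERVICE_START, WP = SERVICE_STOP,
// DT = SERVICE_PAUSE_CONTINUE, DC = SERVICE_CHANGE_CONFIG, SD = DELETE,
// WD = WRITE_DAC, WO = WRITE_OWNER; the remaining codes (CC, LC, SW, LO, CR,
// RC) are query/read style rights.
SECURITY_DESCRIPTOR_ALLOW_START_BY_USER =
  'D:' +
  '(A;;CCLCSWRPWPDTLOCRRC;;;SY)' +           // local system: query, start, stop, pause, read
  '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +   // built-in administrators: full control
  // Interactive and service logons: query + start. Original author's note:
  // these two ACEs follow the MozillaMaintenance and ChromeElevation services.
  '(A;;CCLCSWRPLOCRRC;;;IU)' +
  '(A;;CCLCSWRPLOCRRC;;;SU)' +
  // Built-in users: query, start, stop, pause, read.
  // SECURITY FIX: this ACE used to be CCDCLCSWRPWPDTLOCRSDRC. DC
  // (SERVICE_CHANGE_CONFIG) and SD (DELETE) were removed because they let any
  // member of Users reconfigure or delete the service, which is a local
  // privilege-escalation path when the service runs under a privileged
  // account. Only administrators keep DC/SD/WD/WO.
  '(A;;CCLCSWRPWPDTLOCRRC;;;BU)' +
  '(A;;CCLCSWRPLOCRRC;;;AU)' +               // authenticated users: query + start
  // Power users: query, start, stop, pause, read. The original string listed
  // RP twice; the duplicate was dropped, the resulting access mask is the same.
  '(A;;CCLCSWRPWPDTLOCRRC;;;PU)';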
const
  // DLL that exports the security-descriptor conversion routines bound below.
  advapi32 = 'advapi32.dll';

  // Suffix appended to the generic export name so it resolves to the ANSI
  // ('A') or wide ('W') entry point, depending on the UNICODE define.
{$IFNDEF UNICODE}
  AWSuffix = 'A';
{$ELSE}
  AWSuffix = 'W';
{$ENDIF}
// External bindings for the SDDL-to-security-descriptor conversion API.
// Only the export names are given here; the parameter lists are declared
// elsewhere in the unit (not visible in this part of the file).

// Generic name: resolves to the ...A or ...W export through AWSuffix.
function ConvertStringSecurityDescriptorToSecurityDescriptor;
  external advapi32 name 'ConvertStringSecurityDescriptorToSecurityDescriptor' + AWSuffix;

// Explicit wide-character export.
function ConvertStringSecurityDescriptorToSecurityDescriptorW;
  external advapi32 name 'ConvertStringSecurityDescriptorToSecurityDescriptorW';

// Explicit ANSI export.
function ConvertStringSecurityDescriptorToSecurityDescriptorA;
  external advapi32 name 'ConvertStringSecurityDescriptorToSecurityDescriptorA';
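Procedure SetServiceSecurityDescriptor(ServiceName,Permission: String);
// Replaces the DACL of the service ServiceName with the one described by the
// SDDL string Permission.
//
// Original author's note: run this in ServiceAfterInstall, where admin rights
// are always available.
//
// Parameters:
//   ServiceName - name of the service whose DACL is replaced.
//   Permission  - SDDL string, e.g. one of the SECURITY_DESCRIPTOR_* constants.
//                 Pass only reviewed, constant descriptors: an ACE that gives
//                 DC (change config), WD (write DAC) or WO (write owner) to a
//                 non-administrative principal lets that principal take over
//                 the service.
//
// Raises the last OS error (RaiseLastOSError) when the SDDL string cannot be
// converted, the service control manager or the service cannot be opened, or
// the DACL cannot be written.
const
  SDDL_REVISION_1 = 1; // revision value passed to the SDDL conversion call
var
  SA: TSecurityAttributes;
  SvcMgr, SvcHandle: SC_HANDLE;
Begin
  // SA is used only as a holder for the converted descriptor pointer.
  FillChar(SA, SizeOf(SA), 0);
  SA.nLength := SizeOf(SA);

  // PChar matches the A/W variant selected by AWSuffix; a hard PWideChar cast
  // is only correct when String is a wide string.
  if not ConvertStringSecurityDescriptorToSecurityDescriptor(PChar(Permission),
                                                             SDDL_REVISION_1,
                                                             SA.lpSecurityDescriptor,
                                                             nil)
    then RaiseLastOSError;
  try
    // Least privilege: connecting to the SCM and WRITE_DAC on the service are
    // all that is needed to set DACL_SECURITY_INFORMATION, so the *_ALL_ACCESS
    // masks are no longer requested.
    {$IF DEFINED(CLR)} //A.R. CLR = Common Language Runtime = .NET
    SvcMgr := OpenSCManager('', nil, SC_MANAGER_CONNECT);
    {$ELSE}
    SvcMgr := OpenSCManager(nil, nil, SC_MANAGER_CONNECT);
    {$ENDIF}
    if SvcMgr = 0
      then RaiseLastOSError;
    try
      SvcHandle := OpenService(SvcMgr, PChar(ServiceName), WRITE_DAC);
      if SvcHandle = 0
        then RaiseLastOSError;
      try
        // The result used to be ignored, so a failed DACL update went
        // unnoticed and the service silently kept its previous permissions.
        if not SetServiceObjectSecurity(SvcHandle, DACL_SECURITY_INFORMATION, SA.lpSecurityDescriptor)
          then RaiseLastOSError;
      finally
        CloseServiceHandle(SvcHandle);
      end;
    finally
      CloseServiceHandle(SvcMgr);
    end;
  finally
    // The descriptor is allocated by the conversion call; free it on the
    // error paths as well, not only after success.
    LocalFree(HLOCAL(SA.lpSecurityDescriptor));
  end;
end;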