#StackBounty: #c# #installation #permissions #windows-services #user-accounts How to programmatically grant a virtual user permission to…

Bounty: 50

I have a service that I wrote that I need to deploy to a number (about 1100) of devices. All of these devices are logged in as a regular user, not an administrator.

I can push out the service with our deployment software, which does run as an admin. Our security team does not want this service to run on the Local System account (for obvious reasons). What I've come up with is that the service will install as the Local System, but will then change its log in account to a virtual user, which then needs access to a folder in Program Files (x86).

What I’ve found is that if I install the service (using remote admin access) via the command line, I can install the service, but it won’t start.

When I look in the event logs, I get an UnauthorizedAccessException error.

This I suspect is because the service is already running under the virtual user which doesn’t have access to start the service. So how can I get around this?

In the main class for the service, I have this method, which is supposed to give the user access to the necessary folder:

    private void GiveDirectoryAccess(string dir, string user)
    {
        try
        {
            DirectoryInfo directoryInfo = new DirectoryInfo(dir);
            DirectorySecurity ds = directoryInfo.GetAccessControl();
            ds.AddAccessRule(new FileSystemAccessRule(user, FileSystemRights.FullControl,
                InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.NoPropagateInherit, AccessControlType.Allow));
            directoryInfo.SetAccessControl(ds);
        }
        catch (Exception e)
        {
            SimpleLog.Log(e);
            throw;
        }

    }

This is called right after the service is initialized:

    public CheckRALVersionService()
    {
        InitializeComponent();
        // Give directory access
        string alhadminPath = System.IO.Path.Combine(pathToFolder, alhadmin);
        GiveDirectoryAccess(alhadminPath, serviceUser);
        string exeName = System.IO.Path.GetFileName(fullExeNameAndPath);
        string tmppath = System.IO.Path.Combine(localdir, tmp);
        SimpleLog.SetLogFile(logDir: tmppath, prefix: "debout." + exeName + "_", extension: "log");
        watcher = new DirectoryWatcher(pathToFolder, alhadmin);
    }

Then, in the ProjectInstaller class, I am changing the user to the virtual user in the serviceInstaller1_Committed method:

    void serviceInstaller1_Committed(object sender, InstallEventArgs e)
    {
        using (ManagementObject service = new ManagementObject(new ManagementPath("Win32_Service.Name='RalConfigUpdate'")))
        {
            // Win32_Service.Change takes 11 parameters; index 6 is StartName (the log on account).
            object[] wmiParams = new object[11];
            wmiParams[6] = @"NT Service\RalConfigUpdate";
            service.InvokeMethod("Change", wmiParams);
        }
    }

Do I need a helper service to give the access? Can what I want to do be done all within this service?

Thanks in advance.
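
One way to move the folder grant to install time, where the code still runs with the deployment tool's administrative rights, so the service never has to change permissions on itself (an added example, not part of the original question). The class name `InstallTimeAcl`, the method name, and the choice of Modify instead of FullControl are assumptions.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example: hypothetical helper, meant to be called from the installer
// (running as an administrator) after the service has been registered, e.g.
// from serviceInstaller1_Committed before the log on account is changed.
internal static class InstallTimeAcl
{
    // Grants the service's virtual account Modify rights on one directory tree.
    public static void GrantToServiceAccount(string directory, string serviceName)
    {
        // Virtual accounts are named NT SERVICE\<service name>. Translate throws
        // IdentityNotMappedException if the name cannot be resolved, for example
        // when the service is not registered yet, so a bad name fails here
        // instead of producing an ACL entry for the wrong principal.
        var account = new NTAccount("NT SERVICE", serviceName);
        var sid = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));

        var info = new DirectoryInfo(directory);
        if (!info.Exists)
            throw new DirectoryNotFoundException(directory);

        DirectorySecurity acl = info.GetAccessControl(AccessControlSections.Access);

        // Modify (assumption: enough to read and write the files in this folder)
        // rather than FullControl, which would also let the service change the
        // folder's permissions and take ownership.
        var rule = new FileSystemAccessRule(
            sid,
            FileSystemRights.Modify,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AccessControlType.Allow);

        // SetAccessRule replaces any existing Allow entry for the same SID, so
        // re-running the installer does not accumulate duplicate entries.
        acl.SetAccessRule(rule);
        info.SetAccessControl(acl);
    }
}
```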



#StackBounty: #command-line #windows-10 #user-accounts How to initialize new user account from command line

Bounty: 50

I would like to initialize a new user account on Windows 10 without logging out from admin and logging in again as the user. Now I create a new account with the following command:

    net user "username" "password" /add

Next I run some program with a command that should load the user profile:

    C:\> runas /profile /user:user program.exe

However, it is not equivalent to logging in as this user. The environment and some folder structures are not prepared without actually logging in. Is there any way to do this?



#StackBounty: #macos #mac #user-accounts #instant-messaging iMessage (Mac): how to remove unrecoverable account?

Bounty: 100

What I want to achieve:

  • I want to remove a “dead” (old) account from iMessage, so it stops asking us to login with no longer known credentials – on every boot up of the workstation

Circumstances:

  • The account password is not stored on the machine
  • The password is not known anymore, I forgot it
  • The account cannot be recovered in this case, please consider this as fact.
  • The remove button [ – ] (screenshot: bottom left) in iMessage is disabled.
  • (Thus it seems impossible to remove the account for me? Please help.)

Operating System: macOS High Sierra 10.13.6, update not possible, we sadly need to use 32bit software in our company that is no longer maintained nor updated. Apple does not care much and ditched support on it.

Screenshot



#StackBounty: #linux #ssh #permissions #user-accounts #centos-7 Bastion server: create users with the ability only to ssh destination s…

Bounty: 50

We have a bastion server. We should have some users that need to SSH from local through the bastion to C, using proxyCommand and a private key.

I want to create users and a group that should have access ONLY to ssh from the Bastion host (it happens via proxyCommand). They also don't need to read files.

How can I do that? Is there a way?

The other alternative, if the above is not possible, is to have only read access for allowed files, except restricted files (defaulted by OS) that have read access only to their groups.

