Add Ansible.ModuleUtils.PrivilegeUtil and converted code to use it (#43179)

* Add Ansible.ModuleUtils.PrivilegeUtil and converted code to use it * Changed namespace and class to be a better standard and fixed some typos * Changes from review * changes to avoid out of bound mem of server 2008 * changes to detect failure when setting a privileged not allowed
2025-04-23 10:51:24 -07:00 · 2018-07-31 07:48:54 +10:00 · 2018-07-31 07:48:54 +10:00 · 9259f31fee
commit 9259f31fee
parent d79027b77f
18 changed files with 708 additions and 298 deletions
--- a/lib/ansible/module_utils/powershell/Ansible.ModuleUtils.LinkUtil.psm1
+++ b/lib/ansible/module_utils/powershell/Ansible.ModuleUtils.LinkUtil.psm1
@ -1,6 +1,8 @@
 # Copyright (c) 2017 Ansible Project
 # Simplified BSD License (see licenses/simplified_bsd.txt or https://opensource.org/licenses/BSD-2-Clause)

+#Requires -Module Ansible.ModuleUtils.PrivilegeUtil
+
 Function Load-LinkUtils() {
    $link_util = @'
 using Microsoft.Win32.SafeHandles;
@ -44,21 +46,6 @@ namespace Ansible
        public string[] HardTargets { get; internal set; }
    }

-    [StructLayout(LayoutKind.Sequential)]
-    public struct LUID
-    {
-        public UInt32 LowPart;
-        public Int32 HighPart;
-    }
-
-    [StructLayout(LayoutKind.Sequential)]
-    public struct TOKEN_PRIVILEGES
-    {
-        public UInt32 PrivilegeCount;
-        public LUID Luid;
-        public UInt32 Attributes;
-    }
-
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct REPARSE_DATA_BUFFER
    {
@ -78,10 +65,6 @@ namespace Ansible
    {
        public const int MAXIMUM_REPARSE_DATA_BUFFER_SIZE = 1024 * 16;

-        private const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
-        private const int TOKEN_QUERY = 0x00000008;
-        private const int SE_PRIVILEGE_ENABLED = 0x00000002;
-
        private const UInt32 FILE_FLAG_BACKUP_SEMANTICS = 0x02000000;
        private const UInt32 FILE_FLAG_OPEN_REPARSE_POINT = 0x00200000;

@ -101,34 +84,6 @@ namespace Ansible
        private const UInt32 SYMBOLIC_LINK_FLAG_FILE = 0x00000000;
        private const UInt32 SYMBOLIC_LINK_FLAG_DIRECTORY = 0x00000001;

-        [DllImport("kernel32.dll")]
-        private static extern IntPtr GetCurrentProcess();
-
-        [DllImport("kernel32.dll")]
-        private static extern bool CloseHandle(
-            IntPtr hObject);
-
-        [DllImport("advapi32.dll")]
-        private static extern bool OpenProcessToken(
-            IntPtr ProcessHandle,
-            UInt32 DesiredAccess,
-            out IntPtr TokenHandle);
-
-        [DllImport("advapi32.dll", CharSet = CharSet.Auto)]
-        private static extern bool LookupPrivilegeValue(
-            string lpSystemName,
-            string lpName,
-            [MarshalAs(UnmanagedType.Struct)] out LUID lpLuid);
-
-        [DllImport("advapi32.dll")]
-        private static extern bool AdjustTokenPrivileges(
-            IntPtr TokenHandle,
-            [MarshalAs(UnmanagedType.Bool)] bool DisableAllPrivileges,
-            ref TOKEN_PRIVILEGES NewState,
-            UInt32 BufferLength,
-            IntPtr PreviousState,
-            IntPtr ReturnLength);
-
        [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
        private static extern SafeFileHandle CreateFile(
            string lpFileName,
@ -206,33 +161,6 @@ namespace Ansible
            string lpExistingFileName,
            IntPtr lpSecurityAttributes);

-        public static void EnablePrivilege(string privilege)
-        {
-            TOKEN_PRIVILEGES tkpPrivileges;
-
-            IntPtr hToken;
-            if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out hToken))
-                throw new LinkUtilWin32Exception("OpenProcessToken failed");
-
-            try
-            {
-                LUID luid;
-                if (!LookupPrivilegeValue(null, privilege, out luid))
-                    throw new LinkUtilWin32Exception(String.Format("LookupPrivilegeValue({0}) failed", privilege));
-
-                tkpPrivileges.PrivilegeCount = 1;
-                tkpPrivileges.Luid = luid;
-                tkpPrivileges.Attributes = SE_PRIVILEGE_ENABLED;
-
-                if (!AdjustTokenPrivileges(hToken, false, ref tkpPrivileges, 0, IntPtr.Zero, IntPtr.Zero))
-                    throw new LinkUtilWin32Exception(String.Format("AdjustTokenPrivileges({0}) failed", privilege));
-            }
-            finally
-            {
-                CloseHandle(hToken);
-            }
-        }
-
        public static LinkInfo GetLinkInfo(string linkPath)
        {
            FileAttributes attr = File.GetAttributes(linkPath);
@ -466,7 +394,6 @@ namespace Ansible

    # FUTURE: find a better way to get the _ansible_remote_tmp variable
    $original_tmp = $env:TMP
-    $original_temp = $env:TEMP

    $remote_tmp = $original_tmp
    $module_params = Get-Variable -Name complex_args -ErrorAction SilentlyContinue
@ -478,12 +405,15 @@ namespace Ansible
    }

    $env:TMP = $remote_tmp
-    $env:TEMP = $remote_tmp
    Add-Type -TypeDefinition $link_util
    $env:TMP = $original_tmp
-    $env:TEMP = $original_temp

-    [Ansible.LinkUtil]::EnablePrivilege("SeBackupPrivilege")
+    Import-PrivilegeUtil
+    # enable the SeBackupPrivilege if it is disabled
+    $state = Get-AnsiblePrivilege -Name SeBackupPrivilege
+    if ($state -eq $false) {
+        Set-AnsiblePrivilege -Name SeBackupPrivilege -Value $true
+    }
 }

 Function Get-Link($link_path) {