Re: Logging, Login API and SSPI



"James V" <jamesv123@xxxxxxxxxxx> wrote in message
news:u%23csy5$PHHA.3960@xxxxxxxxxxxxxxxxxxxxxxx
> I am trying to add logging capabilities to a Windows (2000/XP/2003)
> application that can run under any user context (not necessarily a member of
> admin).
>
> The problem is that every time a different user runs the application,
> the log files are created/written under his credentials.
>
> Some users can have limited permissions and are not allowed to access various
> parts of the file system. Furthermore, if a limited user creates/writes to
> a file, he has permission to view and change it, and I do not want
> limited users to be able to view or modify the log files.

The standard way to deal with a set of requirements such as yours would be
to split the application into two pieces. One, a service installed and run
under the local system account. Two, an interactive application which runs
under the current logged on user. Then what you do is use an impersonable
mechanism (a pipe works nicely) to communicate requests from the interactive
application to the service. When required, the service can use
ImpersonateNamedPipeClient() to "do stuff" as the user making a request, and
when not impersonating it "does stuff" under the local system account which
has free rein over local resources such as the log you speak of.

> I could create a logging service that uses IPC to connect to the server
> application and manage the logging for it, but it seems like overkill.

Not at all.

> I considered using a special user account that would be impersonated by
> our application (using login API and SSPI) and would do the actual log
> file manipulation, but the problem is that login API and SSPI can require
> certain privileged user permissions (SE_TCB_NAME) for the impersonation to
> work properly (The impersonation level does not allow resource access).

FWIW: SSPI doesn't require elevated privileges. LogonUser() requires
SE_TCB_NAME privilege on platforms older than XP.

Regards,
Will

www.ivrforbeginners.com
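
The service half of the split described in the reply above, as an added example that is not code from the thread or its participants: a LocalSystem worker that takes log requests over a named pipe, impersonates the caller only to learn its name, and writes the log as itself. The pipe name, log path, SDDL string and the `format_record` helper are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
/* Build one log line. `user` comes from the service (via impersonation), never
   from the client; control bytes in the client's text become '?' (no forged lines). */
int format_record(char *out, size_t cap, const char *user, const char *msg)
{
    int n = snprintf(out, cap, "[%s] ", user);
    if (n < 0 || (size_t)n + 2 > cap) return -1;
    size_t i = (size_t)n;
    for (; *msg && i + 2 < cap; msg++)
        out[i++] = ((unsigned char)*msg < 0x20 || *msg == 0x7f) ? '?' : *msg;
    out[i++] = '\n'; out[i] = '\0';
    return (int)i;
}
#ifdef _WIN32
#include <windows.h>
#include <sddl.h>
#define PIPE_NAME "\\\\.\\pipe\\applog"      /* assumed name */
#define LOG_PATH  "C:\\AppLog\\app.log"      /* assumed; directory ACL: SYSTEM + admins only */
#define PIPE_SDDL "D:(D;;GA;;;NU)(A;;GA;;;SY)(A;;GRGW;;;AU)" /* assumed: local users may send */
int main(void) /* body of the service's worker thread */
{
    SECURITY_ATTRIBUTES sa = { sizeof sa, NULL, FALSE };
    if (!ConvertStringSecurityDescriptorToSecurityDescriptorA(PIPE_SDDL,
            SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL)) return 1;
    HANDLE p = CreateNamedPipeA(PIPE_NAME,   /* single instance, must be the first one */
        PIPE_ACCESS_INBOUND | FILE_FLAG_FIRST_PIPE_INSTANCE,
        PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT, 1, 0, 4096, 0, &sa);
    if (p == INVALID_HANDLE_VALUE) return 1;
    for (;;) {
        char msg[1024], user[257] = "unknown", rec[1400];
        DWORD got = 0, ulen = sizeof user, w;
        if ((ConnectNamedPipe(p, NULL) || GetLastError() == ERROR_PIPE_CONNECTED)
                && ReadFile(p, msg, sizeof msg - 1, &got, NULL)) {
            msg[got] = '\0';
            if (ImpersonateNamedPipeClient(p)) {      /* act as the caller... */
                if (!GetUserNameA(user, &ulen)) strcpy(user, "unknown");
                if (!RevertToSelf()) return 1;        /* ...and never stay that way */
            }
            int n = format_record(rec, sizeof rec, user, msg);
            HANDLE f = CreateFileA(LOG_PATH, FILE_APPEND_DATA, FILE_SHARE_READ,
                NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); /* as the service again */
            if (f != INVALID_HANDLE_VALUE && n > 0) WriteFile(f, rec, (DWORD)n, &w, NULL);
            if (f != INVALID_HANDLE_VALUE) CloseHandle(f);
        }
        DisconnectNamedPipe(p);
    }
}
#endif
```

Build on Windows and link with advapi32; the interactive application is then any process that opens the pipe for writing and sends one message per log entry.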