Working around UAC for AccessCheck API, how?
- From: Stefan Kuhr <kustt110@xxxxxx>
- Date: Tue, 27 May 2008 19:06:10 +0200
Hello everyone,
I have a client server solution that uses RPC in order to talk from the client to the server. The server protects resources via private object security and impersonates client calls and invokes the AccessCheck API in order to determine if the client s eligible to get access to the protected resources. This works great for all platforms as long as clients and servers are on different machines.
Now if both the client and the server run on the same machine and if that machine is Vista with UAC enabled, UAC gets in my way if. e.g. access to a protected resource of the server is granted to the local administrators group. In this case the interactive user's token is used to determine access and this token is restricted, so access is denied to a local administrator. Nothing fancy so far, this is how restricted tokens and UAC work - and clients have to be elevated in order to access the resources.
The thing is: I don't want these UAC implications for administrators in my server, I simply want the behaviour as if an administrator was logged in on XP. My client typically runs in the background on user's desktops, started with an autorun registry key and it should definitely not require elevation. Is there a way to achieve this on the server side?
If not, is the following workaround correct:
Since I cannot modify the impersonated user token in my server, I temporarily modify the security descriptor of my private object security and the "algorithm" would go as follows:
Step 1: Use the impersonated user's token and call AccessCheck. If AccessCheck grants access then grant access, otherwise continue with Step 2.
Step 2: If the token is unrestricted, deny access, otherwise continue with Step 3
Step 3. Loop over the groups in the token. For each ACE that is used for denying access (attributes are SE_GROUP_USE_FOR_DENY_ONLY), see, if there is an access-allow ACE in the security descriptor of the private object. If so, replace the SID of this access-allow ACE with the "Everyone" group's SID. Now continue with Step 4.
Step 4: Again do an access check with the AccessCheck API. This time use the modified security descriptor from the previous step. If AccessCheck now grants access, grant access, because obviously access was denied in Step 1 only because of a restricted token. If AccessCheck denies access, ultimately deny access.
Did I overlook something? Is this the correct approach to replace a single AccessCheck call if I want to ignore the implications of restricted tokens as they are issued on Vista with UAC enabled?
Any comments appreciated,
--
Stefan
.
- Follow-Ups:
- Re: Working around UAC for AccessCheck API, how?
- From: Garfield Lewis
- Re: Working around UAC for AccessCheck API, how?
- Prev by Date: Re: How to get synchronized efficiently
- Next by Date: XP: query BIOS Info(Name) via API - as in SystemInfo
- Previous by thread: Short question about Interlocked family of functions
- Next by thread: Re: Working around UAC for AccessCheck API, how?
- Index(es):
Relevant Pages
|
