Re: Impersonate user (seteuid/setegid)

Tech-Archive recommends: Fix windows errors by optimizing your registry

Thank you for the suggestions thus far and to be fair, you're right, I'll
fill you in more on what I'm hoping to get done in order to see if other
options might be beter.

Here's the situation:

1) I'm basically using Java as the front-end to my application. The
back-end is some services that run on remote machines, namely Windows 2000
machines in this case, that do some system-level stuff as a response a remote
request from a client. Java front-ends these services on the remote machines
and RMI is being used for the client/server activity over TCP/IP.

2) In my application, DFS is being used, as well as other file specific
activity. I need to have that all coded up in Visual C++ (which is done).
Now, via JNI, I have the remote Java services able to communiate to the C++
to do this and that.

3) The remote services are running the Java services under a specific
high-level user account. So, when it asks to do something on the file system
via JNI, the ultimate C++ process is run as if the high-level user account
had requested it.

4) This leaves me a bit vulnerable if a low-level user asks to do something
on a file system that they'd normally not have access to do. So, for
example, if a user wants a list of files on a remote file system via my
tool... I wanted to be able to "become that user" on the remote file system
and programatically request the list of files. This way, it will adhere to
any permissions set-up. Same goes if the user wanting to delete or create a
file.

5) In Linux/Unix, you can use seteuid/setegid to "become the effective user"
in the C++ on the remote machine and then do a stat or whatever and see if it
works as that user. In Windows, I'm not so sure how to go about doing that
without a password yet.

6) This is where the password issue can get funky. Now in theory, I guess I
can ask the user when they start my GUI for their password and store it
somewhere and pass it over when a remote request is needed. But that gets a
bit crazy when users wanna use the command-line to rapid fire requests.

Does this help at all? Are there other ways to "check" access of a user for
things like delete, create and list files without having to be that user?

Thanks for anything and everything.

"Eugene Gershnik" wrote:

> tanis wrote:
> > So I looked things over and these methods do provide a lot of what I'm
> > looking for. The one issue I had with them is that they require the
> > user's password. In the seteuid functions in Linux, you just need to
> > specify the logon alone... and since you are root... it trusts you
> > and switches to emulate future commands as that user. With a
> > privileged account in Windows, is there a way to get around having to
> > express the user's password using the examples you gave?
>
> Yes and no. Officially Win32 API doesn't support this and you have either to
> know the password or impersonate like William suggested. However, internally
> NT is capable of doing this and some people had tried to access this
> functionality. I beleive Cygwin does something like that but I may be wrong.
> See
> http://www.cygwin.com/cygwin-ug-net/ntsec.html#ntsec-setuid
> http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Token/NtCreateToken.html
> http://sources.redhat.com/ml/cygwin/2001-10/msg01011.html
>
> Note that this is advanced hackery and I doubt you really need to or can go
> this way.
>
> Perhaps if you explain why exactly you need to call setuid it would be
> possible to suggest a clean alternative. If total Unix compatibility is an
> absolute requirement for you I suggest you use Cygwin or SFU.
>
>
> --
> Eugene
> http://www.gershnik.com
>
>
>
.

Relevant Pages

  • Getting seteuid/setegid functionality out of Windows
    ... that do some system-level stuff as a response a remote ... Java front-ends these services on the remote machines ... on a file system that they'd normally not have access to do. ... and programatically request the list of files. ...
    (microsoft.public.win32.programmer.kernel)
  • Re: Getting seteuid/setegid functionality out of Windows
    ... The way to do this sort of thing in Windows is via impersonation. ... > back-end is some services that run on remote machines, ... > and programatically request the list of files. ...
    (microsoft.public.win32.programmer.kernel)
  • RE: How to access the current EventSource through Remoting
    ... my remote application) to check if the tracing is enabled ... Maybe I could pass a parameter from the client ... >The name of the request event source (i.e. ...
    (microsoft.public.vsnet.enterprise.tools)
  • Re: Cant "DidTheyReadIt" be stopped?
    ... but I think that ZA Pro is able to block by remote IP address. ... and the server will log the IP address of the source of the request. ... except by either firewall blocking the site hosting the ...
    (microsoft.public.windows.inetexplorer.ie6_outlookexpress)
  • Re: Cant "DidTheyReadIt" be stopped?
    ... but I think that ZA Pro is able to block by remote IP address. ... and the server will log the IP address of the source of the request. ... except by either firewall blocking the site hosting the ...
    (microsoft.public.windows.inetexplorer.ie6_outlookexpress)