Re: restricting permissions for services in Win2K
From: Robert Collins (robert.collins@itdomain.com.au)
Date: 02/20/02
From: "Robert Collins" <robert.collins@itdomain.com.au>
To: <kevin@kbrownfox.net>, "KJK::Hyperion" <noog@libero.it>
Date: Thu, 21 Feb 2002 07:27:58 +1100
===
----- Original Message -----
From: "KJK::Hyperion" <noog@libero.it>
> This is the way I did it, and Apache has worked for months on this machine
>
> [1] just for fun: SeTcbPrivilege is needed to log on a user, that is
> connecting to the LSASS, sending a username and password (unfortunately,
> no privilege grants password-less access: this is an important difference
> with Unix, and a serious limitation. It's the reason why Apache on Unix
> doesn't need the password for the httpd account to spawn unprivileged
> children, while IIS on Windows does, even if both run as super-user), and
> receiving a token that can be impersonated; SeAssignPrimaryTokenPrivilege
> is needed to create a new process with a different primary token than self
> (usually, to create a process as a different user). Related Win32 calls:
> LogonUser() and CreateProcessAsUser()
Also see SubAuthentication filters. Cygwin has a passwordless fork()
capability with the subauth dll - although it still requires
SeTcbPrivilege.
Rob
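
One way to check which accounts actually hold the two privileges named in this thread, as an added example that is not part of the original messages: it parses the [Privilege Rights] section of an INF file produced by `secedit /export /cfg <file> /areas USER_RIGHTS`. The baseline of expected holders, the sample INF text, the SIDs in it and the account name apache_svc are assumptions constructed for illustration.

```python
# Added example: audit exported user rights for SeTcbPrivilege and
# SeAssignPrimaryTokenPrivilege. Not code from the thread.

# Assumed baseline of acceptable holders per privilege; adjust per site.
WATCHED = {
    "SeTcbPrivilege": set(),  # assumption: no account is granted it explicitly
    "SeAssignPrimaryTokenPrivilege": {"S-1-5-19", "S-1-5-20"},  # LOCAL/NETWORK SERVICE
}

def parse_privilege_rights(inf_text):
    """Return {right_name: set(holders)} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are exported with a leading '*'; unresolved names have none.
            holders = {h.strip().lstrip("*") for h in value.split(",") if h.strip()}
            rights[name.strip()] = holders
    return rights

def unexpected_holders(inf_text, baseline=WATCHED):
    """Return {privilege: sorted holders that are outside the baseline}."""
    rights = parse_privilege_rights(inf_text)
    findings = {}
    for priv, allowed in baseline.items():
        extra = rights.get(priv, set()) - allowed
        if extra:
            findings[priv] = sorted(extra)
    return findings

# Constructed sample export (real exports are usually UTF-16; decode first).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1005
SeTcbPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1005
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,apache_svc
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for priv, holders in unexpected_holders(SAMPLE_INF).items():
        print(f"{priv}: unexpected holders {', '.join(holders)}")
```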