Re: Security Context in Threads
From: Carl Daniel [VC++ MVP] (cpdaniel_remove_this_and_nospam_at_mvps.org.nospam)
Date: 10/01/04
- In reply to: Sparky: "Security Context in Threads"
Date: Fri, 1 Oct 2004 07:03:04 -0700
Sparky wrote:
> Hi
>
> I have a vb.net winforms application that needs to launch a thread,
> and within that thread change the security context of the current
> user to a new one using impersonation. For clarity, the main thread
> that the application is running under is Thread A, and the new thread
> in which I perform the impersonation is Thread B.
>
> This works fine, but i now need to launch another thread (Thread C)
> from within Thread B. This is all good, but I need thread C to run
> under the same security context as Thread B. What is happening is
> that when thread C is launched, it runs under the security context of
> thread A (the main thread), and hence causing problems.
>
> Is there some way that I can force a thread to run under the security
> context of the thread it was launched from (i.e., thread C runs under
> the same security context as Thread B), or do I have to invoke
> impersonation again under thread C to fix this?
Actually, what you should do is stop impersonating, create thread C, resume
your impersonation, and arrange for thread C to impersonate as well.
The notes for CreateThread (which is eventually called by the .NET
framework) say:
<quote>
Do not create a thread while impersonating another user. The call will
succeed, however the newly created thread will have reduced access rights to
itself when calling GetCurrentThread. The access rights granted are derived
from the access rights that the impersonated user has to the process. Some
access rights including THREAD_SET_THREAD_TOKEN and THREAD_GET_CONTEXT may
not be present, leading to unexpected failures.
</quote>
In other words, if you don't stop impersonating in thread B, thread C
probably won't have sufficient access to itself to begin impersonation!
-cd
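The sequence described in the reply above (revert, start thread C, resume, and have thread C impersonate on its own), as an added VB.NET example that is not part of the original message. `Worker`, `ThreadBExample`, `ThreadBBody` and `userToken` are hypothetical names, and `userToken` is assumed to be a logon token handle the application already obtained for the target account.

```vbnet
Imports System
Imports System.Security.Principal
Imports System.Threading

' Added example. Worker, ThreadBExample, ThreadBBody and userToken are
' hypothetical names. userToken is assumed to be a valid logon token handle
' for the target account; obtaining it is not shown.
Public Class Worker
    Private ReadOnly _token As IntPtr

    Public Sub New(ByVal userToken As IntPtr)
        _token = userToken
    End Sub

    ' Thread C: starts under the process identity, then impersonates itself.
    Public Sub Run()
        Dim ctx As WindowsImpersonationContext = WindowsIdentity.Impersonate(_token)
        Try
            Console.WriteLine("Thread C runs as " & WindowsIdentity.GetCurrent().Name)
            ' ... work that needs the impersonated identity ...
        Finally
            ctx.Undo() ' revert before the thread exits
        End Try
    End Sub
End Class

Public Module ThreadBExample
    ' Body of thread B.
    Public Sub ThreadBBody(ByVal userToken As IntPtr)
        Dim ctx As WindowsImpersonationContext = WindowsIdentity.Impersonate(userToken)
        Try
            ' ... thread B's impersonated work ...

            ' 1. Stop impersonating before the new thread is created.
            ctx.Undo()
            ctx = Nothing
            ' 2. Create and start thread C while thread B has no thread token,
            '    so thread C keeps full access rights to itself.
            Dim worker As New Worker(userToken)
            Dim threadC As New Thread(AddressOf worker.Run)
            threadC.Start()
            ' 3. Resume impersonation in thread B.
            ctx = WindowsIdentity.Impersonate(userToken)

            ' ... more impersonated work ...
            threadC.Join()
        Finally
            If Not ctx Is Nothing Then ctx.Undo()
        End Try
    End Sub
End Module
```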