Re: Take ownership of a process
From: Thomas (thomas.ornmarker_at_gamersparadise.se)
Date: 08/20/04
- Next message: Peter: "Is an administrator an authenticated user ?"
- Previous message: mask zero: "Two questions on Loading User profile"
- In reply to: Jeff Hamblin [msft]: "Re: Take ownership of a process"
- Next in thread: Pavel Lebedinsky: "Re: Take ownership of a process"
- Reply: Pavel Lebedinsky: "Re: Take ownership of a process"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 20 Aug 2004 10:19:07 +0200
Yes, you pretty much got the idea of what I'm trying to do.
Let's say we have two users A and B. A has full access and B has restricted
access when it comes to some registry entries and NTFS.
Now user A spawns a process P, which my driver catches and notifies me about. Now I
want to restrict process P's access rights. I want the newly created
process to act as if it was created under user B's account. You got me?
So from your earlier replies I understand that I can take process P's token
and pass it in to CreateRestrictedToken and thereby restrict the access
rights for process P, am I right? I've been looking at the documentation for
CreateRestrictedToken, I just don't know what SIDs I should
disable/restrict.
Thanks
// Thomas
"Jeff Hamblin [msft]" <jhamblin@online.microsoft.com> wrote in message
news:ONFuWfihEHA.632@TK2MSFTNGP12.phx.gbl...
> It sounds like you want to change the process token on some processes with
> your driver, so that those processes will seem to run under a different
> user. You want to make it so that they cannot access some objects, and so
> that taskmgr shows them as running under a different account.
>
> Do I understand that correctly?
>
> You won't be able to make taskmgr think that the process runs as someone
> else. The reason for this is because you cannot replace the SIDs in the
> token. However, you can make it so that some of the SIDs in the token are
> not used to gain access to objects.
>
> So, suppose user A starts a process P. Now there exists a process object
> called P. It has a process token that contains a list of SIDs. This token
> is another object, call it T. It contains a SID for user A, and it probably
> has the Users SID, the Authenticated Users SID, the World SID, and a
> handful of others (you can see all of these with GetTokenInformation).
>
> You can restrict the P's process token to limit the power of process P.
> Check out CreateRestrictedToken in MSDN to get the full story on how
> restricted tokens work.
>
> Each object (e.g. the process P, the token T) has a security descriptor.
> Each security descriptor has an Owner field that states who owns the object.
> It is this field that you have been changing. Changing the owner isn't
> going to help you here.
>
>
>
>
>
> "Thomas" <thomas.ornmarker@gamersparadise.se> wrote in message
> news:uuY036fhEHA.3664@TK2MSFTNGP12.phx.gbl...
> > Jeff,
> > Thank you for your reply, I'm a beginner when it comes to security. I
> > actually thought the process token just had one owner SID and one group SID.
> > Are you saying that I have to change another (or more) SID(s)? I would very
> > much appreciate if you could give me some starting directions on what/how I
> > need to change in the token.
> >
> > // Thomas
> >
> >
> > "Jeff Hamblin [msft]" <jhamblin@online.microsoft.com> wrote in message
> > news:u5Xp%23%23ThEHA.3992@TK2MSFTNGP11.phx.gbl...
> > > Thomas -
> > >
> > > Changing the owner field in the security descriptor of the process doesn't
> > > change what objects the process can access. The process has a token, and
> > > that token has a list of SIDs. One (or more) of those SIDs grants the
> > > process access to the registry. Similarly, taskmgr is querying the user SID
> > > from the process token. It isn't looking at the owner field in the security
> > > descriptor of the process.
> > > If you want to limit the access of the process then you'll have to restrict
> > > the process token.
> > > You don't need SeRestorePrivilege to do what you've described -
> > > TakeOwnershipPrivilege should be enough.
> > >
> > > Jeff
> > >
> > >
> > > "Thomas" <thomas.ornmarker@gamersparadise.se> wrote in message
> > > news:eC54CgQhEHA.3076@tk2msftngp13.phx.gbl...
> > > > Hi,
> > > > Here's what I'm trying to do:
> > > > I have a kernel driver which signals on process creation, and under some
> > > > circumstances I need to change the owner of a newly created process. (It's
> > > > not me who creates the processes.) What I've done so far is to enable some
> > > > privileges: SeTakeOwnershipPrivilege and SeRestorePrivilege in my process
> > > > token. Then I open the newly created process with WRITE_OWNER and
> > > > PROCESS_ALL_ACCESS and then through SetSecurityInfo I write the new owner SID.
> > > > When I debug my program everything seems alright, but the process for which
> > > > I change the owner won't change its "User Name" in Task Manager and I have
> > > > set up deny on some registry entries but can still access them.
> > > >
> > > > Am I doing something wrong? Or is what I'm trying to do not possible? Any
> > > > help and/or feedback would be very much appreciated!
> > > >
> > > > Thanks in advance,
> > > > Thomas Örnmarker
> > > >
> > > >
> > >
> > >
> >
> >
>
>
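The SID-disabling and restricting-SID mechanics Jeff describes and Thomas asks about, modelled in portable C as an added example (not code from this thread or from Windows): small integers stand in for SIDs, `access_check` runs the two-pass check that a restricted token is subject to, and the user-A token and the registry-key DACL are constructed samples.

```c
/* Added model (not Win32 code) of how CreateRestrictedToken changes an access check.
 * SIDs are ints, the DACL is an ACE array; token and key DACL are constructed samples. */
#include <stdbool.h>
#include <stddef.h>
enum { SID_USER_A = 1, SID_USER_B, SID_USERS, SID_AUTH_USERS, SID_WORLD };
enum { ACE_ALLOW, ACE_DENY }; enum { KEY_READ = 1, KEY_WRITE = 2 };
typedef struct { int type, sid; unsigned mask; } Ace;
typedef struct {
    int sids[8]; bool deny_only[8]; size_t n;  /* normal list; deny-only = disabled SID */
    int restricting[8]; size_t nr;             /* restricting list, empty if unrestricted */
} Token;
/* One DACL walk: deny ACEs match any listed SID (deny-only included); allow ACEs
 * grant only through SIDs that are not deny-only. */
static bool dacl_pass(const int *sids, const bool *deny_only, size_t n,
                      const Ace *acl, size_t nacl, unsigned want) {
    unsigned granted = 0;
    for (size_t i = 0; i < nacl && granted != want; i++) {
        size_t k = 0;
        while (k < n && sids[k] != acl[i].sid) k++;
        if (k == n) continue;                                  /* ACE SID not in list */
        if (acl[i].type == ACE_DENY && (acl[i].mask & want & ~granted)) return false;
        if (acl[i].type == ACE_ALLOW && !deny_only[k]) granted |= acl[i].mask & want;
    }
    return granted == want;
}
/* Access is granted only if BOTH the normal SIDs and the restricting SIDs pass. */
bool access_check(const Token *t, const Ace *acl, size_t nacl, unsigned want) {
    static const bool none[8];                    /* restricting SIDs are never deny-only */
    if (!dacl_pass(t->sids, t->deny_only, t->n, acl, nacl, want)) return false;
    return t->nr == 0 || dacl_pass(t->restricting, none, t->nr, acl, nacl, want);
}
/* Constructed registry-key DACL: deny B write, allow A read+write, allow Users read. */
static const Ace KEY_ACL[] = { { ACE_DENY, SID_USER_B, KEY_WRITE },
    { ACE_ALLOW, SID_USER_A, KEY_READ | KEY_WRITE }, { ACE_ALLOW, SID_USERS, KEY_READ } };
#define NACL (sizeof KEY_ACL / sizeof KEY_ACL[0])
Token token_for_user_a(void) {                    /* the token process P starts with */
    return (Token){ { SID_USER_A, SID_USERS, SID_AUTH_USERS, SID_WORLD }, { false }, 4, { 0 }, 0 };
}
/* Mirrors CreateRestrictedToken's SidsToDisable and RestrictingSids arguments. */
Token restrict_token(Token t, int sid_to_disable, int restricting_sid) {
    for (size_t k = 0; k < t.n; k++)
        if (t.sids[k] == sid_to_disable) t.deny_only[k] = true;
    t.restricting[t.nr++] = restricting_sid;
    return t;
}
unsigned rights_on_key(const Token *t) {          /* subset of READ|WRITE the token can get */
    unsigned r = access_check(t, KEY_ACL, NACL, KEY_READ) ? KEY_READ : 0;
    return r | (access_check(t, KEY_ACL, NACL, KEY_WRITE) ? KEY_WRITE : 0);
}
```

Disabling A's SID removes the rights the ACE for A granted, and the restricting list caps the result at what Users alone would get; note the model cannot make P look like B, matching Jeff's point that the token's SIDs cannot be replaced.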