Re: HOWTO Validate security privileges



ATS wrote:

We are writing an installer that installs a service, where the security of
the person running the installer and the security that the service will run
both must have the following privileges:


- Act as part of the operating system
- Create a token object
- Create global objects
- Create permanent shared objects
- Impersonate a client after authentication
- Log on as a batch job
- Log on as a service
- Log on locally
- Take ownership of files or other objects

- Possibly more over time.

What we want to do is examine the user's account that is running the
installer and determine if they have these privileges themselves. Then, we
want to do the same thing to determine if the account to be used for the
service has those privileges as well.

Any ideas on how this can be done?

To find out the privileges of a user:
1) open LSA policy with LsaOpenPolicy;
2) translate the user name to the corresponding SID, if you don't know the SID already. You do it with LookupAccountName;
3) use LsaEnumerateAccountRights.


Note, however, that not all of the privileges listed may be available to a process running in the security context of this user. The process might have been started using a so-called restricted token with certain privileges filtered out.

To find out exactly which privileges are associated with the currently running process, you need to open the user token with OpenProcessToken and query the list of privileges using GetTokenInformation with the TokenPrivileges flag. If you do this, keep in mind that some privileges (or, rather, "account rights" as they are called in the MSDN) translate to group SIDs rather than to privileges in the token. For example, the "Log on locally" right, SE_INTERACTIVE_LOGON_NAME, controls whether the user can log on interactively. When the user does log on interactively, the well-known INTERACTIVE SID (S-1-5-4) is added to the group list in the token.

I suggest you take some time to read through the access control documentation on MSDN; it has improved greatly over the past few years and should answer most of your questions:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/access_control.asp


-- Alex Fedotov
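
The token check described in the reply above (OpenProcessToken, then GetTokenInformation with TokenPrivileges), as an added example that is not part of the original post. The function names and the sample buffer layout test are this example's own; `current_token_privileges` runs only on Windows, and the three logon rights from the question are deliberately absent from the list because they are account rights that never appear in the token.

```python
import ctypes
import struct

# Token privileges from the question's list; logon rights (Se*LogonRight) are not token privileges.
REQUIRED_PRIVS = [
    "SeTcbPrivilege", "SeCreateTokenPrivilege", "SeCreateGlobalPrivilege",
    "SeCreatePermanentPrivilege", "SeImpersonatePrivilege", "SeTakeOwnershipPrivilege"]
TOKEN_QUERY, TOKEN_PRIVILEGES_CLASS, SE_PRIVILEGE_ENABLED = 0x0008, 3, 0x2

def parse_token_privileges(raw, name_of):
    """Decode a TOKEN_PRIVILEGES buffer into {privilege name: enabled?}.
    Layout: DWORD count, then count x (LUID low DWORD, LUID high LONG, DWORD attributes)."""
    (count,) = struct.unpack_from("<I", raw, 0)
    held = {}
    for i in range(count):
        low, high, attrs = struct.unpack_from("<IiI", raw, 4 + 12 * i)
        held[name_of(low, high)] = bool(attrs & SE_PRIVILEGE_ENABLED)
    return held

def audit(held, required=REQUIRED_PRIVS):
    """Return (absent from the token, present but currently disabled)."""
    missing = [p for p in required if p not in held]
    disabled = [p for p in required if p in held and not held[p]]
    return missing, disabled

def current_token_privileges():
    """Windows only: read the privileges of the current process token."""
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetCurrentProcess.restype = ctypes.c_void_p
    adv.OpenProcessToken.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.POINTER(ctypes.c_void_p)]
    adv.GetTokenInformation.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p,
                                        ctypes.c_uint32, ctypes.POINTER(ctypes.c_uint32)]
    adv.LookupPrivilegeNameW.argtypes = [ctypes.c_wchar_p, ctypes.c_void_p, ctypes.c_wchar_p,
                                         ctypes.POINTER(ctypes.c_uint32)]
    def name_of(low, high):  # LUID -> "SeXxxPrivilege" on the local system
        name, n = ctypes.create_unicode_buffer(128), ctypes.c_uint32(128)
        if not adv.LookupPrivilegeNameW(None, struct.pack("<Ii", low, high), name, ctypes.byref(n)):
            raise ctypes.WinError(ctypes.get_last_error())
        return name.value
    token, size = ctypes.c_void_p(), ctypes.c_uint32()
    if not adv.OpenProcessToken(k32.GetCurrentProcess(), TOKEN_QUERY, ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        # First call fails by design and reports the required buffer size.
        adv.GetTokenInformation(token, TOKEN_PRIVILEGES_CLASS, None, 0, ctypes.byref(size))
        buf = ctypes.create_string_buffer(size.value)
        if not adv.GetTokenInformation(token, TOKEN_PRIVILEGES_CLASS, buf, size, ctypes.byref(size)):
            raise ctypes.WinError(ctypes.get_last_error())
        return parse_token_privileges(buf.raw, name_of)
    finally:
        k32.CloseHandle(token)
```

On Windows, `audit(current_token_privileges())` reports what the installer's own token lacks; a privilege listed as disabled is held and can be enabled, while a missing one was never granted or was filtered out of a restricted token.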
