RE: using CreateProcessAsUser API

Thank you sir for your explaination.....i understood the entire thing...thank
you very much....Now there is something
else that i wud like to ask.....now if my created process(running under xyz
account) uses shared memory....n if i want
some other process also to share the same memory then which rites r to be
included into xyz....for eg, consider process run under xyz account as proc1
and outside process as proc2....now proc1 writes into the memory using
CreateFileMapping() and MapViewOfFile().....n now when proc2 try to access
the same memory using OpenFileMapping(), the api fails with error code as
access denied.....how do i solve this problem

kunal

"Eric Perlin [MSFT]" wrote:

Standard users can create directories at the root of the system drive, and
files and more sub-directories in them.
Just create a standard user, logon as that user, and create a directory at
the root of the system drive.

Here's why:
The SDDL of %systemdrive%\ is
"D:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICIIO;GA;;;CO)(A;OICI;0x1200a9;;;BU)(A;CI;LC;;;BU)(A;CIIO;DC;;;BU)(A;;0x1200a9;;;WD)"
The ACEs of interest are (A;CI;LC;;;BU)(A;CIIO;DC;;;BU)
LC corresponds to FILE_ADD_SUBDIRECTORY, so the first ACE allows members of
the builtin users group (BU) to create directories, and it's inheritable so
they can also create directories further down.
DC corresponds to FILE_ADD_FILE, allowing creation of files the same way,
but with a twist (since it's a inherit only ACE, it doesn't apply on the root
itself, so standard users can't create files at the root).
Of course, this doesn't apply to the other builtin top level directorirs,
which have their own protected DACL...

If you were to disable the BU when creating your process, it may not even
get to start (won't be able to read its own executable), so that's a non
starter.
ReACL the root of the system drive (and files and directories inheriting
their DACL from there) would be another solution but it's unlikely to be
popular, especially if you removed rights...

So you may be left with one last option, which is a yet undocumented flag of
CreateRestrictedToken called WRITE_RESTRICTED. With that additional flag,
instead of doing the double accesscheck with the restricted sids list all the
time, that second list of sids is only used for write attempts.
It makes it possible to build a token that can't write anywhere (when all
the user's sids are on the restricted list of a write restricted token).
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Eric Perlin [MSFT]


"kunal s patel" wrote:

Hi,

Thanx for the help...i cud solve the problem(and yes it was my typo
service runs under local system account) but now i m facing some other
problem.....
Now my process starts properly under the account i want it to(xyz).....but i
cannot
understand one thing now....i created the account xyz but didnt add ny
privileges to it
(i double checked it by enumerating privileges)......now when my exe
file(fired from
service under xyz account security context) tries to create a directory, it
is able to do so...i dont understand
how is it possible?? Also wat the way of disabling it....exe shud not be
able create ny file or directory
in the system...n if it tries to do it...it shud fail

kunal

"kunal s patel" wrote:

y Hi

I am creating a dummy account in a service and then run the process under
that account using the above api. Now something very wierd
happens......process is created properly...i get proper process id but it
doesnt run the executable.....here r the privileges i included into account
SE_ASSIGNPRIMARYTOKEN_NAME,SE_INCREASE_QUOTA,SE_CREATE_PERMANENT_NAME,SE_CREATE_TOKEN_NAME

and i m using API as

if(!CreateProcessAsUser(newtoken,NULL,"C:\\sim0.exe",0,0,FALSE,CREATE_NEW_CONSOLE
,NULL,NULL,&startupinfo,&procinfo))

kunal


.

Relevant Pages

  • RE: using CreateProcessAsUser API
    ... consider process run under xyz account as proc1 ... Just create a standard user, logon as that user, and create a directory at ... the root of the system drive. ...
    (microsoft.public.platformsdk.security)
  • Re: user privledges
    ... > redhat 7.2 i created a user account for myself to use on a daily basis. ... > fare i have just been su - and entering the root pass. ... it started but would not install because i did ... sofware to /opt/musicmatch as a normal user. ...
    (comp.security.unix)
  • Re: Alerting - Malicious software removal tool
    ... >needed to install an application that she could not install from ... >"Administrator" account. ... You failed to analyze the root cause and correct it ... use their computers to have fun. ...
    (microsoft.public.security.virus)
  • Re: hi all..
    ... And with sudo, I certainly wouldn't because they already have root. ... If you somehow had access to my account right now, ... install an effective key logger without root. ...
    (Fedora)
  • Re: cant login as root
    ... > The only reason they don't have a local account is they were too lazy to ... If you're root you create and maintain a user account. ... local root accounts are themselves a hazard. ...
    (comp.os.linux.setup)