Terris wrote:
> I don't understand why creating a token
> as SYSTEM doesn't work. I read the email
> you pointed me to and I still don't get it.
> If sshd uses NtCreateToken, it should work.
>
> The CVS server CVSNT calls NtCreateToken
> as the SYSTEM user. The CVSNT service
> runs under the local SYSTEM account. It works.
>

Yes this should work.

cvsnt uses NtCreateToken, followed by ImpersonateUser(). This works as far as it goes. However impersonation does not work over network shares (this is part of NT security - Win2k has a way around it but it isn't well documented) so the account isn't precisely the same as the original.

You have to be careful that when you create the token you duplicate the correct access token as exactly as possible (so you don't give joe-random-user Administrator access). The code in cvsnt does this, and I believe cygwin does the same or similar.

Creating a shell from this impersonated account should work exactly the same as if LogonUser had been used. cvsnt creates processes as part of its commit procedure, and it's important that these run as the user, for security reasons (Whilst working on the code for cvsnt I tested by creating a token, then using LogonUser and comparing them. They are identical tokens in all cases I checked).

Tony
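The token comparison mentioned in the message above can be scripted. This is an added example, not code from cvsnt, cygwin or the original post: it diffs the group SIDs and privileges of two tokens as reported by `whoami /groups /fo csv` and `whoami /priv /fo csv`. The capture text and all function names are constructed for illustration.

```python
import csv
import io

# Constructed sample captures (not from the original post): whoami CSV output
# from a process started with a LogonUser token, and from one started with a
# hand-built token that wrongly carries Administrators and SeDebugPrivilege.
LOGON_GROUPS = r'''"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"NT AUTHORITY\LogonSessionId_0_111111","Logon ID","S-1-5-5-0-111111","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
'''
BUILT_GROUPS = LOGON_GROUPS.replace("111111", "222222") + r'''"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group"
'''
LOGON_PRIVS = '''"Privilege Name","Description","State"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
'''
BUILT_PRIVS = LOGON_PRIVS + '''"SeDebugPrivilege","Debug programs","Disabled"
'''


def load(text, key, value):
    """Map key column to value column; skip the per-logon-session SID (S-1-5-5-*)."""
    rows = csv.DictReader(io.StringIO(text))
    return {r[key]: r[value] for r in rows if not r[key].startswith("S-1-5-5-")}


def diff(reference, candidate):
    """List entries that are extra, missing or changed in the candidate token."""
    return {
        "extra": sorted(candidate.keys() - reference.keys()),
        "missing": sorted(reference.keys() - candidate.keys()),
        "changed": sorted(k for k in reference.keys() & candidate.keys()
                          if reference[k] != candidate[k]),
    }


def compare_tokens(ref_groups, ref_privs, new_groups, new_privs):
    """Compare a hand-built token's groups and privileges against a reference."""
    groups = diff(load(ref_groups, "SID", "Attributes"),
                  load(new_groups, "SID", "Attributes"))
    privs = diff(load(ref_privs, "Privilege Name", "State"),
                 load(new_privs, "Privilege Name", "State"))
    identical = not any(groups.values()) and not any(privs.values())
    return {"groups": groups, "privileges": privs, "identical": identical}


if __name__ == "__main__":
    print(compare_tokens(LOGON_GROUPS, LOGON_PRIVS, BUILT_GROUPS, BUILT_PRIVS))
```

Any entry under `extra` is a group or privilege the hand-built token holds that the reference token does not, which is the over-privilege case the message warns about.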