Mail Archives: cygwin-developers/2002/12/13/06:50:12
On Fri, Dec 13, 2002 at 11:55:46AM +0100, Hartmut Honisch wrote:
> Hi Pierre,
>
> I think I found a way to make GetUserName return the correct user after
> impersonating a token created my NtCreateToken: The token needs a valid
> logon session id, one that is associated with the correct user.
>
> As I mentioned, when logging on, Windows creates a new logon session, and
> LSA associates the username with that session.
>
> And even though NtCreateToken allows to specify a TokenUser, It seems that
> when impersonating a token, Windows replaces the TokenUser by the user
> associated with the token's logon session id. And since create_token uses
> the active logon session associated with the _impersonating_ user, not the
> user to _be_ impersonated, TokenUser will contain the wrong user name after
> impersonating it.
>
> So I successfully tried the following approch:
> - use subauthentication to create a new logon session for the new user
> - if the token is suitable (i.e. verify_token returns TRUE), use it for
> impersonation
> - if the token is not suitable(because of the setgid issues you explained to
> me), call create_token, but reuse the subauthentication token's logon
> session id in the new token.
>
> I verified that with a token created by NtCreateToken (with the right logon
> session id of course), I'm able to impersonate and GetUserName /
> GetTokenInformation(...TokenUser...) will give me the correct user.
That sounds really interesting. If we turn around the order in
seteuid again (first call subauth, if that fails create_token) we
could use that extra step as explained above to create a correct
logon token. It's just important, that the current NTCreateToken
stuff still works as today if subauth is not installed.
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Developer mailto:cygwin AT cygwin DOT com
Red Hat, Inc.
- Raw text -