Mail Archives: cygwin-developers/2002/12/13/05:55:59

Mailing-List: contact cygwin-developers-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-developers-subscribe AT cygwin DOT com>
List-Archive: <http://sources.redhat.com/ml/cygwin-developers/>
List-Post: <mailto:cygwin-developers AT cygwin DOT com>
List-Help: <mailto:cygwin-developers-help AT cygwin DOT com>, <http://sources.redhat.com/ml/#faqs>
Sender: cygwin-developers-owner AT cygwin DOT com
Delivered-To: mailing list cygwin-developers AT cygwin DOT com
From: "Hartmut Honisch" <hartmut_honisch AT web DOT de>
To: "Pierre A. Humblet" <Pierre DOT Humblet AT ieee DOT org>
Cc: <cygwin-developers AT cygwin DOT com>
Subject: RE: Subauthentication
Date: Fri, 13 Dec 2002 11:55:46 +0100
Message-ID: <NFBBLLCAILKHOEOHEFMHKEAGCEAA.hartmut_honisch@web.de>
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
In-Reply-To: <3DF50D30.AE8FA801@ieee.org>

Hi Pierre,

I think I found a way to make GetUserName return the correct user after
impersonating a token created by NtCreateToken: The token needs a valid
logon session id, one that is associated with the correct user.

As I mentioned, when logging on, Windows creates a new logon session, and
LSA associates the username with that session.

And even though NtCreateToken allows one to specify a TokenUser, it seems that
when impersonating a token, Windows replaces the TokenUser by the user
associated with the token's logon session id. And since create_token uses
the active logon session associated with the _impersonating_ user, not the
user to _be_ impersonated, TokenUser will contain the wrong user name after
impersonating it.

So I successfully tried the following approach:
- use subauthentication to create a new logon session for the new user
- if the token is suitable (i.e. verify_token returns TRUE), use it for
impersonation
- if the token is not suitable (because of the setgid issues you explained to
me), call create_token, but reuse the subauthentication token's logon
session id in the new token.

I verified that with a token created by NtCreateToken (with the right logon
session id of course), I'm able to impersonate and GetUserName /
GetTokenInformation(...TokenUser...) will give me the correct user.

Hartmut
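
A check for the result described in the message above, as an added example that is not part of the original message or of Cygwin: it prints the user SID and the logon session id (TOKEN_STATISTICS.AuthenticationId) of the current thread or process token, so the two can be compared before and after impersonation. The helper names same_logon_session and describe_token are hypothetical, and the non-Windows LUID stand-in exists only so the comparison helper builds elsewhere.

```c
/* Added example, not Cygwin code: report a token's user SID and its
   logon session id (TOKEN_STATISTICS.AuthenticationId). */
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <sddl.h>   /* ConvertSidToStringSidA; link with advapi32 */
#else
/* Stand-in with the LUID field names so the helper below builds elsewhere. */
typedef struct { unsigned long LowPart; long HighPart; } LUID;
#endif

/* Hypothetical helper: nonzero when two logon session ids are identical. */
int same_logon_session(const LUID *a, const LUID *b)
{
    return a->LowPart == b->LowPart && a->HighPart == b->HighPart;
}

#ifdef _WIN32
/* Hypothetical helper: print the user SID and session id of `tok` and
   store the session id in *session. Returns 0 on success, -1 on error. */
int describe_token(HANDLE tok, LUID *session)
{
    union { TOKEN_USER tu; BYTE raw[sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE]; } u;
    TOKEN_STATISTICS st;
    DWORD len;
    char *sid = NULL;

    if (!GetTokenInformation(tok, TokenUser, &u, sizeof u, &len) ||
        !GetTokenInformation(tok, TokenStatistics, &st, sizeof st, &len) ||
        !ConvertSidToStringSidA(u.tu.User.Sid, &sid))
        return -1;
    printf("user %s, logon session %08lx:%08lx\n", sid,
           (unsigned long)st.AuthenticationId.HighPart,
           (unsigned long)st.AuthenticationId.LowPart);
    LocalFree(sid);
    *session = st.AuthenticationId;
    return 0;
}

int main(void)
{
    HANDLE tok;
    LUID s;
    int rc;
    /* Thread token while impersonating, otherwise the process token. */
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &tok) &&
        !OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok))
        return 1;
    rc = describe_token(tok, &s);
    CloseHandle(tok);
    return rc ? 1 : 0;
}
#endif
```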
