From: Vimal Kumar (vimalnCSWL.COM)
Date: Fri Aug 03 2001 - 18:25:12 CDT


    Thanks Rob!

    Problem solved. I need to read about security - but sometimes you get into a
    situation "do or die - now!". I knew I can't understand the whole security
    in a day or two - so it was better to ask someone who knows and read about
    it in my free time.

    Thanks again for your help.

    Sincerely
    Vimal
    ----- Original Message -----
    From: "Robert Szasz" <Robert.SzaszEPF.COM>
    To: <DCOMDISCUSS.MICROSOFT.COM>
    Sent: Friday, August 03, 2001 4:12 PM
    Subject: Re: Security Context of a thread.

    > The new thread will run with the credentials of the account that was used to
    > start the process.
    >
    > To propagate the impersonation you will need to use OpenThreadToken to grab
    > the impersonation token and pass it to your new thread. The new thread can
    > then use ImpersonateLoggedOnUser or SetThreadToken to begin impersonating
    > the client again.
    >
    > OpenThreadToken will need to open the token for TOKEN_IMPERSONATE access and
    > may also need the openAsSelf param set to TRUE.
    >
    > Also be careful if you need to access off-host resources as depending on how
    > the impersonation token was come by it may not have network credentials.
    >
    > For further info on this sort of thing check Keith Brown's security book, it
    > is excellent, he also has some useful bits and pieces on his website:
    > http://www.developmentor.com/kbrown
    >
    > R O B !
    >
    > -----Original Message-----
    > From: Vimal Kumar
    > To: DCOMDISCUSS.MICROSOFT.COM
    > Sent: 03/08/2001 22:11
    > Subject: Security Context of a thread.
    >
    > Hi All,
    >
    > I have a free threaded component created from ASP. Our IIS is set to
    > accept anonymous connections. From one of the interface methods, we try
    > to access some files from the file system. We made sure that
    > IUSR_MACHINENAME has read privileges to that particular folder and
    > objects in that folder. We can read the file successfully.
    >
    > Now we modified the code in the interface method so that it spawns a new
    > thread and reads the file in the newly spawned thread. The new thread
    > was created using _beginthreadex() with the first parameter ( security )
    > as NULL. The same code is not able to open the file from the newly
    > created thread.
    >
    > I want the newly created thread to have the same impersonation and security
    > context as that of the thread used by IIS to execute my method in the
    > component.
    >
    > I tried the following code in my interface method before spawning the
    > thread. But the call to GetSecurityInfo() fails with "Access Denied"
    > error. Don't know what's going wrong.
    >
    > SECURITY_ATTRIBUTES obAttr;
    > obAttr.nLength = sizeof(SECURITY_ATTRIBUTES);
    > obAttr.bInheritHandle = FALSE;
    > GetSecurityInfo(GetCurrentThread(), SE_KERNEL_OBJECT,
    >     DACL_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|
    >     OWNER_SECURITY_INFORMATION|SACL_SECURITY_INFORMATION,
    >     NULL, NULL, NULL, NULL, &(obAttr.lpSecurityDescriptor));
    > _beginthreadex(obAttr.lpSecurityDescriptor, 0, SendMailThread,
    >     (LPVOID)pMailData, 0, &nThreadID);
    >
    >
    > Thanks for your help.
    >
    > Sincerely
    > Vimal
    >
    > ----------------------------------------------------------------
    > Users Guide http://discuss.microsoft.com/archives/mailfaq.asp
    > contains important info. Save time, search the archives at
    > http://discuss.microsoft.com/archives/index.html .
    > To unsubscribe, mailto:DCOM-signoff-requestDISCUSS.MICROSOFT.COM
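
The token hand-off described in the quoted reply, as an added example that is not part of the original thread or either poster's code: the impersonating thread opens its own token, the worker attaches it with SetThreadToken, reads the file and reverts. The names `job_t`, `worker` and `read_as_caller` are hypothetical, and the `#else` branch exists only so the file compiles off Windows.

```c
/* Added example. job_t, worker and read_as_caller are hypothetical names. */
#ifdef _WIN32
#include <windows.h>
#include <process.h>

typedef struct { HANDLE token; const char *path; } job_t;

static unsigned __stdcall worker(void *arg)
{
    job_t *job = (job_t *)arg;
    unsigned err;
    HANDLE h;
    /* A new thread starts with the process identity; attach the client's token.
       If this fails, stop: the read must not run under the process account. */
    if (!SetThreadToken(NULL, job->token))        /* NULL = the calling thread */
        return GetLastError();
    h = CreateFileA(job->path, GENERIC_READ, FILE_SHARE_READ, NULL,
                    OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    err = (h == INVALID_HANDLE_VALUE) ? GetLastError() : 0;
    if (h != INVALID_HANDLE_VALUE)
        CloseHandle(h);
    RevertToSelf();                               /* drop the client identity */
    return err;
}

/* Call on the impersonating thread. Returns 0 or a Win32 error code. */
unsigned long read_as_caller(const char *path)
{
    job_t job = { NULL, path };
    DWORD err = ERROR_NOT_ENOUGH_MEMORY;          /* reported if no thread starts */
    HANDLE t;
    /* OpenAsSelf = TRUE: the access check for opening the token is made
       against the process identity, not the impersonated client. */
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_IMPERSONATE | TOKEN_QUERY,
                         TRUE, &job.token))
        return GetLastError();                    /* ERROR_NO_TOKEN if not impersonating */
    t = (HANDLE)_beginthreadex(NULL, 0, worker, &job, 0, NULL);
    if (t) {
        WaitForSingleObject(t, INFINITE);         /* job lives on this stack */
        GetExitCodeThread(t, &err);
        CloseHandle(t);
    }
    CloseHandle(job.token);
    return err;
}
#else
/* Stand-in so the file compiles off Windows: 50 is ERROR_NOT_SUPPORTED. */
unsigned long read_as_caller(const char *path) { (void)path; return 50; }
#endif
```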