 
From: Robert Collins (robert.collinsitdomain.com.au)
Date: Wed Feb 20 2002 - 14:27:58 CST

    ----- Original Message -----
    From: "KJK::Hyperion" <nooglibero.it>
    > This is the way I did it, and Apache has worked for months on this
    > machine
    >
    > [1] just for fun: SeTcbPrivilege is needed to log on a user, that is
    > connecting to the LSASS, sending a username and password
    > (unfortunately, no privilege grants password-less access: this is an
    > important difference with Unix, and a serious limitation. It's the
    > reason why Apache on Unix doesn't need the password for the httpd
    > account to spawn unprivileged children, while IIS on Windows does,
    > even if both run as super-user), and receiving a token that can be
    > impersonated; SeAssignPrimaryTokenPrivilege is needed to create a new
    > process with a different primary token than self (usually, to create
    > a process as a different user). Related Win32 calls: LogonUser() and
    > CreateProcessAsUser()

    Also see SubAuthentication filters. Cygwin has a passwordless fork()
    capability with the subauth dll - although it still requires
    SeTcbPrivilege.

    Rob
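
A defender-side check for the two privileges named in this thread, as an added example that is not part of the original messages: it parses the [Privilege Rights] section of a `secedit /export` security template and reports principals holding SeTcbPrivilege or SeAssignPrimaryTokenPrivilege beyond a baseline. The baseline (taken from current Windows defaults), the account name `apachesvc` and the sample template are assumptions constructed for illustration.

```python
"""Flag unexpected holders of the token privileges a service account may be granted."""

# Assumption: baseline reflects current Windows defaults. Nobody is assigned
# SeTcbPrivilege explicitly (LocalSystem holds it implicitly); LOCAL SERVICE and
# NETWORK SERVICE hold SeAssignPrimaryTokenPrivilege.
BASELINE = {
    "SeTcbPrivilege": set(),
    "SeAssignPrimaryTokenPrivilege": {"S-1-5-19", "S-1-5-20"},
}

# Constructed sample of a user-rights export; real exports are usually UTF-16,
# so decode the file accordingly before passing its text in.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeTcbPrivilege = apachesvc
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,apachesvc
SeServiceLogonRight = *S-1-5-80-0,apachesvc
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {privilege: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INF comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "privilege rights"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are exported with a leading '*'; bare entries are account names
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def unexpected_holders(inf_text, baseline=BASELINE):
    """Return {privilege: [principals not in the baseline]} for sensitive privileges."""
    rights = {k.lower(): v for k, v in parse_privilege_rights(inf_text).items()}
    findings = {}
    for priv, allowed in baseline.items():
        extra = [p for p in rights.get(priv.lower(), []) if p.upper() not in allowed]
        if extra:
            findings[priv] = extra
    return findings

if __name__ == "__main__":
    for priv, who in unexpected_holders(SAMPLE_INF).items():
        print(f"{priv}: review assignment to {', '.join(who)}")
```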