Warning! Newbie issue - Impersonating a user on Win32

logistix logistix at zworg.com
Sat Jan 18 03:39:57 CET 2003


Doug Glenn <dglenn at charter.net> wrote in message news:<mailman.1042842274.10085.python-list at python.org>...
> On Thursday 16 January 2003 18:40, Roger Upole wrote:
> > What error do you get when you try to adjust SE TCB NAME ?
> 
> I have it working now. As is, it will not grant the SE TCB NAME, it had 
> to be done manually to the local policy.  I get a 1300 error attempting 
> to set it. Once I set the "act as operating system" to the appropriate 
> group it would work.  I do not know if this is set by a default 
> installation or not. I do know we don't have it set, and apparently our 
> policy does not remove it either.  I don't use Win2k at home to verify 
> what the default install would set it to.
> 
> If it is supposed to be able to set that, then that functionality no 
> longer works. At least in the version of ActivePython 2.2.2 from 
> ActiveState with the bundled version of the Pywin stuff. I can't 
> install the seperate version because it blows up Komodo unless I remove 
> it and reinstall the AS version :(
> 
> Obviously I would rather be able to grant the rights via the program. 
> Going through a policy change review at work to get it set is not a 
> workable solution just for this one app. 
> 
> I've sent a note to the author and to ActiveState, but I am doubtful I 
> will hear anything back until later next week. 
> 
> Regards,
> Doug

Just some clarifications on whats going on.  "Priviledge elevation"
occurs on a per-thread basis, and the user needs permissions to
perform elevation.

For example, a "Backup Operator" has the LSA Policy "Backup/Restore
files" which bypasses ACL's on the filesystem.  But if you just make
yourself a backup operator and try to view files you don't have
permission to, you'll still get an error.  First you need to elevate
permissions and then you can look at these files.

It's the same with impersonation.  Granting the LSA Policy just says
"this user is allowed to change idenitities".  Obviously, if any
arbitrary user could just elevate privledges and change their
identity, it'd be a big security hole in W2K; anyone could become an
admin.

The way to properly do what you want to without changing Security
Policies is to create a Service that does what you want to.  It'll run
as LocalSystem (already part of the OS) and can Impersonate as
necessary.  Then some sort of stub program (or embedded web interface)
provides access to the service.

A good example is the RunAs command.  It lets you as a user run
something as another user (even if you don't have privledges).  If you
look at your services, you'll see a runas service that is really doing
all the work.

I haven't done services in python, so I can't help you there.




More information about the Python-list mailing list