Were I to guess, I bet you have to have SeTcbPrivilege to ADD a
privilege to the existing set (remember, we’re talking about security
here, so we don’t want someone just “adding” privileges without being
part of the TCB.) So fork the operation off to a system worker thread
(want to bet the system process has TCB privilege?) and when done
continue.
Have you gone through the PILE of material in the Platform SDK (on MSDN)
about security, privileges, etc.? A quick search on these issues turned
up quite a bit of content.
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: Alon [mailto:xxxxx@yahoo.com]
Sent: Wednesday, November 30, 2005 8:37 AM
To: ntfsd redirect
Subject: Re: Impersonation different behaviours
Hi again,
I made some progress since I replied to the last mail:
I tried to use this API using the “AdjustPrivilege”
function taken from the OSR article you referred me
to.
I called it with value “SE_IMPERSONATE_PRIVILEGE”
(29L), which of course exists only in w2k3.
Anyway, I got STATUS_NOT_ALL_ASSIGNED from all the
calls to
“ZwAdjustPrivilegesToken” except 19, 23, 25
(SE_SHUTDOWN_PRIVILEGE, SE_CHANGE_NOTIFY_PRIVILEGE, SE_UNDOCK_PRIVILEGE
- Yes, I can shut down my machine!)
Anyway, it doesn’t help me, since the TokenFlag field
in the primary token, the _TOKEN structure of my process, stays at
value=0x1 instead of 0x81
(TOKEN_HAS_IMPERSONATE_PRIVILEGE), which can help me.
When I run as an admin - this call gets STATUS_SUCCESS,
of course…
Any other suggestions to do so? (with API)
Thanks
Alon
“Alon” wrote in message
news:xxxxx@ntfsd…
> Hi Tony,
>
> Thanks for the answer
> Regarding 2003 - I didn’t even start to deal with
> it.
> I’m afraid that ZwAdjustPrivilegesToken won’t solve my
> problem.
> This function gets a handle to a token and I’m dealing
> with a PACCESS_TOKEN structure (got it from
> PsReferencePrimaryToken) - are they the same?
> Another thing: these flags I’m talking about
> (TOKEN_HAS_IMPERSONATE_PRIVILEGE) are flags that
> exist in Windows 2000 SP4 and Windows XP SP2 (they don’t
> exist in XP SP1, for example). There is a function
> called “SeTokenCanImpersonate” which exists only in
> these OSes (XP SP2 and Windows 2000 SP4), and checks
> this field.
> I’m afraid that adjusting privileges using
> ZwAdjustPrivilegesToken won’t solve my problem and, as
> I mentioned before - it gets a handle - not a
> pointer…
>
> Hope you can put more light on this issue…
>
> Thanks in advance
>
> Alon
>
> “Tony Mason” wrote in message
> news:xxxxx@ntfsd…
> SeImpersonatePrivilege was added (Server 2003?) and apparently
> back-ported (most likely to resolve a security related issue). Thus,
> the requirement to have this privilege is (as you noted) “new” and not
> present in all OS versions (that just makes it more fun to properly
> code.)
>
> You can use ZwAdjustPrivilegesToken (given a token handle) to change the
> privileges for a given process or thread. There’s an article on OSR
> Online about one way to do this (there are no doubt other ways to
> achieve the same ends.)
> http://www.osronline.com/article.cfm?id=23
>
> There are a number of other (similar) routines in the IFS Kit:
>
> NtOpenThreadToken, NtOpenThreadTokenEx, NtAdjustPrivilegesToken (the
> native function that implements the syscall ZwAdjustPrivilegesToken
> invokes, and I suspect it won’t work in this instance.)
>
> Regards,
>
> Tony
>
> Tony Mason
> Consulting Partner
> OSR Open Systems Resources, Inc.
> http://www.osr.com
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of
> Alon
> Sent: Tuesday, November 29, 2005 9:25 AM
> To: ntfsd redirect
> Subject: [ntfsd] Impersonation different behaviours
>
> Hi,
>
> I sent a similar thread in the ntdev list a week ago but
> got no response.
>
> Hi,
>
> I’m using the impersonation mechanism, with the function
> “SeCreateClientSecurity” on a system thread, then I’m
> using “SeImpersonateClientEx” on a thread that is
> running as a NonAdmin user in order to perform an
> operation that requires administrator rights.
> I used a Windows XP SP1 machine and ran my code and
> everything worked fine, then on the SAME machine, I
> installed SP2 and got from ZwCreateFile for the requested
> call STATUS_ACCESS_DENIED (c0000022)…
> Again - it is the same code, same machine, different
> Service Pack.
> I’ve encountered the same problem on a Windows 2000 SP4
> machine.
>
> I had a deeper look at the code and before
> impersonating I added a call to
> PsReferencePrimaryToken( MyProcess ), then I get a
> token and then call impersonate.
> I had a look at the token and its TokenFlags value is
> 0x1 - “TOKEN_HAS_TRAVERSE_PRIVILEGE”. Only if I add
> (manually) the flag “TOKEN_HAS_IMPERSONATE_PRIVILEGE”,
> my call succeeds.
> Is there any API to change the TokenFlags value (given
> the token and the process)?
>
> Thanks in advance
>
> Alon