Multilevel usage of thread impersonation

I'm having some issues with some long-ago written classes that do thread-level impersonation and process spawning. The problem seems to be that my usage of these utility classes is above and beyond what anyone else has tried to do with them.

The first does thread-level impersonation by using OpenThreadToken and DuplicateToken along with ImpersonateLoggedOnUser.

The second attempts to create a process using CreateProcessAsUser with a token obtained with OpenThreadToken / DuplicateToken.

The issue I'm running into is that I have:

Thread 1 running in IIS with the correct user
Thread 2 that is created by Thread 1 - which is impersonated
Thread 3 that is created by Thread 2 - which is impersonated
Process 1 that is spawned by Thread 3 - which I attempt to impersonate

Spawning Process 1 fails with error code 5 from OpenThreadToken. If I spawn process 1 from Thread 1, OpenThreadToken doesn't give me any guff. I ask for TOKEN_ACCESS_ALL from OpenThreadToken & DuplicateToken and it doesn't fail until I actually do it from Thread 3. Anybody have any insight as to what permissions I may actually need here?

Here's the code for spawning the process:

(Impersonating the thread just involves taking the thread token handle and calling ImpersonateLoggedOnUser...)

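    // process spawn
    // OpenAsSelf is false here, so the access check on the thread token is
    // made against the thread's current (impersonated) security context.
    if (!::OpenThreadToken(::GetCurrentThread(),
                           TOKEN_ALL_ACCESS,
                           false,
                           &hThreadUserToken))
    {
        m_dwCreateError = ::GetLastError();
        return false;
    }

    // Duplicate the impersonation token into a primary token for the new process.
    HANDLE hNewProcessUserToken;
    if (!::DuplicateTokenEx(
            hThreadUserToken,
            TOKEN_ALL_ACCESS,
            NULL,
            SecurityDelegation,
            TokenPrimary,
            &hNewProcessUserToken))
    {
        m_dwCreateError = ::GetLastError();
        return false;
    }

    bReturnValue = ::CreateProcessAsUserA(
        hNewProcessUserToken,
        AppName,
        cmdLine,
        NULL,             // process security attributes
        NULL,             // thread security attributes
        TRUE,             // inherit handles
        0,                // creation flags
        m_lpEnvironment,
        cwdStr,
        &m_StartupInfo,
        &piProcInfo);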

Anything obvious I'm doing wrong here? I can't really spawn the process from Thread 1 - it just doesn't have the right info it needs, and having a handle back to it from Thread 3 is...not a good solution and not good design.

OpenThreadToken fails in the impersonated case because the impersonated user does not have permission to access the thread's token. You should pass OpenAsSelf = TRUE.
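The difference between the question's call and the answer's, as an added example that is not part of the original thread: it tries OpenThreadToken with OpenAsSelf = FALSE, then TRUE, and reports which one succeeded. The names OpenThreadTokenForSpawn and ProbeResult are hypothetical, and the non-Windows branch is a constructed stand-in for the API (with its g_impersonating and g_callerMayOpen flags) so the logic can be run offline.

```cpp
#ifdef _WIN32
#include <windows.h>
#else
// Constructed stand-in for non-Windows builds (NOT the real API). It models only
// which identity the access check runs as; the two flags below set the scenario.
typedef int BOOL; typedef unsigned long DWORD; typedef void* HANDLE;
enum { FALSE = 0, TRUE = 1, TOKEN_DUPLICATE = 0x2, TOKEN_QUERY = 0x8,
       ERROR_ACCESS_DENIED = 5, ERROR_NO_TOKEN = 1008 };
static bool g_impersonating = true;   // thread has an impersonation token
static bool g_callerMayOpen = false;  // impersonated user may open that token
static DWORD g_lastError = 0;
static int g_token = 0;
static HANDLE GetCurrentThread() { return &g_token; }
static DWORD GetLastError() { return g_lastError; }
static BOOL OpenThreadToken(HANDLE, DWORD, BOOL openAsSelf, HANDLE* out) {
    if (!g_impersonating) g_lastError = ERROR_NO_TOKEN;
    else if (!openAsSelf && !g_callerMayOpen) g_lastError = ERROR_ACCESS_DENIED;
    else g_lastError = 0;
    if (g_lastError != 0) return FALSE;
    *out = &g_token;
    return TRUE;
}
#endif

enum ProbeResult { kOpenAsCaller, kOpenAsSelfOnly, kNotImpersonating, kFailed };

// Tries the question's call (OpenAsSelf = FALSE), then the answer's (TRUE).
// On success *token is a handle the caller must close. It requests TOKEN_DUPLICATE
// (required by DuplicateTokenEx on its source) plus TOKEN_QUERY, not TOKEN_ALL_ACCESS.
ProbeResult OpenThreadTokenForSpawn(HANDLE* token, DWORD* error) {
    const DWORD access = TOKEN_DUPLICATE | TOKEN_QUERY;
    *token = nullptr;
    *error = 0;
    if (OpenThreadToken(GetCurrentThread(), access, FALSE, token))
        return kOpenAsCaller;
    *error = GetLastError();
    if (*error == ERROR_NO_TOKEN) return kNotImpersonating;  // nothing to open
    if (*error != ERROR_ACCESS_DENIED) return kFailed;
    // Denied while checked as the impersonated user: repeat the check as the
    // process identity, which is what OpenAsSelf = TRUE requests.
    if (OpenThreadToken(GetCurrentThread(), access, TRUE, token)) {
        *error = 0;
        return kOpenAsSelfOnly;
    }
    *error = GetLastError();
    return kFailed;
}
```

A result of kOpenAsSelfOnly means the failure came from the identity used for the access check rather than from the rights requested.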
