stackoom
  简体   繁体   中英

Multilevel usage of thread impersonation

 原文  2011-01-27 15:19:56       c++/ windows/ security/ winapi/ impersonation

Question

I'm having some issues with some long-ago written classes that do thread-level impersonation and process spawning. The problem seems to be that my usage of these utility classes is above and beyond what anyone else has tried to do with them.

The first does thread-level impersonation by using OpenThreadToken and DuplicateToken along with ImpersonateLoggedOnUser.

The second attempts to create a process using CreateProcessAsUser with a token obtained with OpenThreadToken / DuplicateToken.

The issue I'm running into is that I have: 

Thread 1 running in IIS with the correct user
Thread 2 that is created by Thread 1 - which is impersonated
Thread 3 that is created by Thread 2 - which is impersonated
Process 1 that is spawned by Thread 3 - which I attempt to impersonate

Spawning Process 1 fails with error code 5 from OpenThreadToken. If I spawn process 1 from Thread 1, OpenThreadToken doesn't give me any guff. I ask for TOKEN_ACCESS_ALL from OpenThreadToken & DuplicateToken and it doesn't fail until I actually do it from Thread 3. Anybody have any insight as to what permissions I may actually need here?

Here's the code for spawning the process:

(Impersonating the thread just involves taking the thread token handle and calling ImpersonateLoggedOnUser...) 

//process spawn
    if (!::OpenThreadToken(::GetCurrentThread(), 
        TOKEN_ALL_ACCESS,
     false,
      &hThreadUserToken))
    {

    Handle hNewProcessUserToken;
    if (!DuplicateTokenEx(
       hThreadUserToken,          
       TOKEN_ALL_ACCESS,   
       NULL,  
       SecurityDelegation, 
       TokenPrimary ,  
       &hNewProcessUserToken))
     {
     m_dwCreateError = ::GetLastError();
     return false;
    }

      bReturnValue = ::CreateProcessAsUserA(
          hNewProcessUserToken, 
          AppName,
          cmdLine,
          NULL,
          NULL,
          TRUE,
          0, 
          m_lpEnvironment,
          cwdStr
          &m_StartupInfo,
          &piProcInfo);

Anything obvious I'm doing wrong here? I can't really spawn the process from Thread 1 - it just doesn't have the right info it needs, and having a handle back to it from Thread 3 is...not a good solution and not good design.

1 answers

solution1
 2 ACCPTED  2011-01-28 00:41:29

OpenThreadToken fails in the impersonated case because the impersonated user does not have permission to access the thread's token. You should pass OpenAsSelf = TRUE.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to determine a thread impersonation level Thread usage counter C++ can not understand std::thread usage Reducing the CPU usage of a thread or process pthread_exit usage during stopping the thread Is this usage of test_and_set thread safe? thread-safe usage of std::map Amateur can't understand std::thread usage Is this C++ pointer usage thread safe? c++ std::thread constructor usage
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM