[cvsnt] CVSNT service user and impersonation

Michael Wojcik Michael.Wojcik at microfocus.com
Tue Feb 27 23:30:48 GMT 2007


> From: cvsnt-bounces at cvsnt.org 
> [mailto:cvsnt-bounces at cvsnt.org] On Behalf Of Rick Martin
> Sent: Tuesday, 27 February, 2007 17:09
> 
> Another interesting bit I found was when I got user information via
> python's win32api.GetUserName() function it returned SYSTEM during the
> script called from loginfo. I don't know if the user impersonation
should
> be active at this time or if GetUserName() should return the
impersonation
> user or the underlying process user.

It returns the user name associated with the security token associated
with the calling thread.  If the calling thread is using an
impersonation token, it should return the name of the impersonated user.

So the thread that processed that win32api.GetUserName() call was not
impersonating.  I suspect that when CVSNT executes the script, it's
executing it with the process token, not the impersonation token.

To execute a process as an impersonated user, I think you have to call
DuplicateTokenEx() to get a primary token from the impersonation token,
then use CreateProcessAsUser().  (This would also allow the caller to
raise the impersonation level to Delegate, providing network
authorization.)  The usual mechanisms for executing a script from a
program (eg CreateProcess(), the _spawn family, etc) won't do.

So it might be argued that this is a flaw, or at least an unnecessary
limitation, in CVSNT's "run as user" mechanism.  But I haven't checked
the sources to confirm that, and I suspect any enhancements to
run-as-user would be made in (the forthcoming) EVS rather than CVSNT.

Unless, of course, someone wants to submit a patch.

-- 
Michael Wojcik
Principal Software Systems Developer, Micro Focus


More information about the cvsnt mailing list