The community technical support mailing list was retired in 2010 and replaced with a professional technical support team. For assistance, please contact pre-sales technical support via email at sales@march-hare.com.
Hartmut Honisch wrote:
> I had once implemented an alpha release of such a package for cygwin, but
> they thought cygwin's way of handling impersonation was sufficient, the use
> of a subauthentication package would raise too many issues to justify its
> benefits.

The whole security thing for example... If you allow users to log in without passwords in that way, once that package is on the system it's a potential wide open security hole... *any* user that can execute LogonUser/LsaLogonUser with the correct parameters (and with an open-source package that wouldn't be too hard to work out - I could probably do it with a closed source one in a couple of hours) will be able to become administrator.

I looked at it for a bit myself and realised quickly that there's no way to stop a process raising its privilege level that way, so it wasn't worth the risk.

Tony