Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
Hello Tony, Wednesday, January 7, 2004, 11:26:31 PM, you wrote: >>The authentication module could just check if the calling process has >>enough priveleges to use NtCreateToken() and impersonate an user via >>the obtained access token - that is, if the process can make use of >>the currently used (in CygWin) "broken" impersonation. If this is the >>case, the authentication module could safely proceed with doing >>whatever is needed for "normal", non-broken impersonation. >> TH> You can't do that with a subauth module - you get no information about TH> the calling process or privileges of said process. There must be a possibility for some kind of communication between a process and the module (for example, a process can create a named pipe and pass its name to the package as a password). Provided that communication is possible, the package can create a named pipe (and thus become the "named pipe server"), instruct the process to open it (which thus becomes the "named pipe client"), impersonate the process' user by calling ImpersonateNamedPipeClient(), and actually try NtCreateToken() (and maybe other calls). Pavel Goran