Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
> From: cvsnt-bounces at cvsnt.org > [mailto:cvsnt-bounces at cvsnt.org] On Behalf Of Rick Martin > Sent: Tuesday, 27 February, 2007 17:09 > > Another interesting bit I found was when I got user information via > python's win32api.GetUserName() function it returned SYSTEM during the > script called from loginfo. I don't know if the user impersonation should > be active at this time or if GetUserName() should return the impersonation > user or the underlying process user. It returns the user name associated with the security token associated with the calling thread. If the calling thread is using an impersonation token, it should return the name of the impersonated user. So the thread that processed that win32api.GetUserName() call was not impersonating. I suspect that when CVSNT executes the script, it's executing it with the process token, not the impersonation token. To execute a process as an impersonated user, I think you have to call DuplicateTokenEx() to get a primary token from the impersonation token, then use CreateProcessAsUser(). (This would also allow the caller to raise the impersonation level to Delegate, providing network authorization.) The usual mechanisms for executing a script from a program (eg CreateProcess(), the _spawn family, etc) won't do. So it might be argued that this is a flaw, or at least an unnecessary limitation, in CVSNT's "run as user" mechanism. But I haven't checked the sources to confirm that, and I suspect any enhancements to run-as-user would be made in (the forthcoming) EVS rather than CVSNT. Unless, of course, someone wants to submit a patch. -- Michael Wojcik Principal Software Systems Developer, Micro Focus