Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
Arthur Barrett wrote: > It may be easier to bypass all this token stuff if we switched from > using setuid.dll to use cyglsa64.dll and modify the calling codein > trysuid() of cvsnt/Windows-NT/win32.cpp: > http://cygwin.com/cgi-bin/cvsweb.cgi/src/winsup/lsaauth/?cvsroot=src > Interesting.. cygwin wrote one eventually then. Looks like sections of it are based on setuid but they've missed out quite a bit for some reason, eg. domain logins are completely absent. I'm not sure what we'd gain by introducing a dependency on cygwin and using a less functional library.. Note that you do not need create token privilege to do any of this. You need 'act as part of the operating system', which is enforced by the Win32 system to even call LogonUserEx and invoke LSA - without that check any random user could instantly become any other user, including administrator. XP SP2 and later have an impersonation privilege too that might need to be granted (aka. the right to actually switch users given an impersonation token). cvsnt does have a legacy API - NTCreateToken - that is redundant unless it's run on NT4. That does need create token rights, but is pretty irrelevant nowadays.. it's gone from evs and should probably be gone from cvsnt by now (unless we still want NT4 compatibility). Tony