What choices do I have on MS Windows platforms for the equivalent of SUID from Unix-based platforms?

To understand what I'm asking, it's important to distinguish among the several uses of SUID in Unix.

I have a project that uses an executable in the user's PATH which is owned by the project and which has the SUID bit set. In this way, when it runs, it runs in the context of the file's owner, not the calling user. This way, it has access to things that the user does not, and thereby these things are protected from the user by normal file system protections. This works reasonably well. Plans are to move the project to a client-server architecture but that's going to take some time. In the meantime, how can I replicate this type of behavior on Windows systems?

Note that the project's executables do not call the SETUID library call though, frankly, that would be a great feature to add, in my opinion, given what the project does. The project does not need system root privileges. Its first security concern is that it needs to protect its own files from the user (which is simply any user other than the file owner) and it would be very nice if it had the ability to switch to "user context" to access the file system as if it were the calling user. (In this way, it could more easily determine what is OK for the project to touch and what is not.)

The project is written in a combination of C and Java - a C program with SUID set calls the Java code...

I am keen to know all such mechanisms, and am especially focused on those which are:

  1. Suitable for C and Java, and;
  2. Easy to implement for non-Windows programmers, and;
  3. Require minimal coding unique to Windows.

If some solutions are superior, please share your thoughts on whatever you are aware of in this regard.

NOTES:

  1. LogonUser: Requires a password in plain text. How can that be an answer?
  2. RunAs: Requires password be entered at PROMPT! ...As with LogonUser only worse; I don't see how this is an answer.
Sigh answered 16/3, 2009 at 19:20 Comment(1)
The proper solution is to install a service. – Sporogony
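
The Unix-side behaviour the question describes, as an added example that is not part of the original post or the project's code: a SUID binary keeps the file owner's rights in its effective UID, temporarily switches to the calling user's rights to touch the user's files, and can give the owner's rights up for good. The function names `open_as_caller` and `drop_to_caller` are hypothetical; this is POSIX-only and shows what a Windows replacement would have to reproduce.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Open `path` read-only with the calling user's rights, then switch back to
 * the file owner's rights. Returns an fd, or -1 with errno set. */
int open_as_caller(const char *path)
{
    uid_t owner = geteuid();    /* project account when the SUID bit is set */
    uid_t caller = getuid();    /* the user who started the program */

    if (seteuid(caller) != 0)   /* saved set-user-ID still holds `owner` */
        return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    int open_errno = errno;

    if (seteuid(owner) != 0 || geteuid() != owner) {
        if (fd >= 0)            /* could not return to owner context: fail closed */
            close(fd);
        errno = EPERM;
        return -1;
    }
    errno = open_errno;
    return fd;
}

/* Give up the owner's rights for good (real, effective and saved IDs), for
 * code paths that must never touch the project's files. Returns 0 or -1. */
int drop_to_caller(void)
{
    uid_t caller = getuid();

    if (setreuid(caller, caller) != 0)
        return -1;
    return (getuid() == caller && geteuid() == caller) ? 0 : -1;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : ".";   /* constructed default */
    int fd = open_as_caller(path);

    printf("ruid=%ld euid=%ld open(%s)=%s\n", (long)getuid(), (long)geteuid(),
           path, fd >= 0 ? "ok" : "denied");
    if (fd >= 0)
        close(fd);
    return drop_to_caller() == 0 ? 0 : 1;
}
```

Run without the SUID bit, both UIDs are equal and the switches are no-ops; with the bit set, the open is checked against the caller's permissions rather than the owner's.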

Cygwin has an excellent discussion on how they do this without requiring the user password here: Using Windows security in Cygwin

Basically they install a custom LSA authentication package that provides security tokens without requiring a password. As a fallback, when the authentication package is not installed, they use the undocumented NtCreateToken API.

An application wanting to impersonate could make a cygwin setuid call before calling java.

Mettle answered 12/7, 2012 at 0:16 Comment(2)
Yes, it turns out that's EXACTLY what we've been doing since the mid-naughts. But, it requires the user to install Cygwin - a bonus in my mind, but users aren't delighted to have to install too many packages, especially when they don't understand / perceive the value to them. It does appear, though, (given the lack of other replies) that this is the only other way. – Sigh
Ouch. What a nightmare from a security standpoint. One more reason to steer clear of Cygwin, IMO! – Sporogony

I don't think there's an equivalent of SETUID in Windows, but you can launch a process as another user. If you are using C, there are really only two major Windows-specific functions you'll need to look into:

LogonUser

CreateProcessAsUser

The docs for those functions are pretty good, so it shouldn't be that huge of a challenge. Basically, you'll use LogonUser to impersonate the user, then CreateProcessAsUser to launch the JVM as that user.

You could also look at the RUNAS command, but I'm not sure if that would meet your needs or not.

Candiscandle answered 16/3, 2009 at 19:40 Comment(1)
Thanks, looking into them... RT – Sigh
