c# - How can I get elevated permissions (UAC) via impersonation under a non-interactive login? -

-

i have class library keeps system-wide configuration data in registry (hklm\software\xxx). library used in various applications (services, windows forms, web apps, console apps) on various versions of windows (xp, 2003, 7, 2008 r2). because of this, identity of app not consistent , may not member of machine's administrators group. i've created ad domain admin user , impersonation gain write access registry. works in xp/2003, not in uac-enabled systems (7/2008r2). understanding interactive logins split tokens imply non-interactive logins (service identities, app pool identities, etc.) not. can't find confirm that, working assumption, impersonation i'm doing should work.

i wrote wrapper class impersonation using native logonuser (network logontype, default provider) , duplicatetokenex (impersonation, primary token) windowsidentity.impersonate(). reference root key:

using (ecr.impersonator imp = new ecr.impersonator("xxx", "xxx", "xxx")) {     _root = registry.localmachine.createsubkey("software\\xxx", registrykeypermissioncheck.readwritesubtree); }

according msdn, using readwritesubtree, should time security check done. can write values key, create sub-keys (also using readwritesubtree) , writing values sub-keys without ever needing security check. thought need costly impersonation 1 time - getting reference root key.

i can write values root key fine:

_root.setvalue("cacheddate", value.tobinary(), registryvaluekind.qword); }

but when create/open sub-key readwritesubtree:

registrykey key = _root.createsubkey("xxx", registrykeypermissioncheck.readwritesubtree);

it bombs access registry key 'hkey_local_machine\software\xxx\xxx' denied.

while i'm curious why security check done when msdn says shouldn't, question how can elevated permissions via impersonation applications may not running under interactive login?

it brought logonuser() returns restricted token. searching confirmation, impression got logonuser() returned restricted token interative sessions. created couple of tests find out.

the first console application:

using (ecr.impersonator imp = new ecr.impersonator("xxx", "xxx", "xxx")) {     windowsidentity ident = windowsidentity.getcurrent();     windowsprincipal princ = new windowsprincipal(ident);     console.writeline("{0}, {1}", ident.name, princ.isinrole(windowsbuiltinrole.administrator));     registrykey root = registry.localmachine.createsubkey("software\\connection strings", registrykeypermissioncheck.readwritesubtree);     registrykey key = root.createsubkey("abacbill", registrykeypermissioncheck.readwritesubtree); }

when run in elevated console, isinrole() returned true , no error opening subkey. when run in non-elevated console, isinrole() returned true , errored opening subkey:

unhandled exception: system.io.ioexception: unknown error "1346".    @ microsoft.win32.registrykey.win32error(int32 errorcode, string str)    @ microsoft.win32.registrykey.createsubkey(string subkey, registrykeypermissioncheck permissioncheck, registrysecurity registrysecurity)    @ test.program.test14()    @ test.program.main(string[] args)

so appears in non-elevated interactive session, logonuser() indeed return restricted token. it's interesting normal test of doing isinrole() unexpectedly returned true.

the second test website. put same code in (replaced console.write literal1.text = string.format): isinrole() returned true, no error opening subkey, iis7.5: anonymous authentication, app pool: classic pipeline, applicationpoolidentity, 2.0 framework, web.config: authentication mode = none, no impersonation.

so seems confirm impression logonuser() returns restricted token interactive sessions, non-interactive sessions full token.

doing these tests helped me answer own question. class library used in web applications, , consistently bomb when applying config updates (access denied opening subkey). changed test more accurately reflect i'm doing (impersonating reference root key):

protected void page_load(object sender, eventargs e) {     registrykey root = null;      using (ecr.impersonator imp = new ecr.impersonator("xxx", "xxx", "xxx"))     {         windowsidentity ident = windowsidentity.getcurrent();         windowsprincipal princ = new windowsprincipal(ident);         lit.text = string.format("{0}, {1}", ident.name, princ.isinrole(windowsbuiltinrole.administrator));         root = registry.localmachine.createsubkey("software\\xxx", registrykeypermissioncheck.readwritesubtree);     }      root.setvalue("test", "test");     registrykey key = root.createsubkey("xxx", registrykeypermissioncheck.readwritesubtree); }

and errors:

[unauthorizedaccessexception: access registry key 'hkey_local_machine\software\xxx\xxx' denied.]    microsoft.win32.registrykey.win32error(int32 errorcode, string str) +3803431    microsoft.win32.registrykey.createsubkey(string subkey, registrykeypermissioncheck permissioncheck, registrysecurity registrysecurity) +743    webtest.imptest.page_load(object sender, eventargs e) in d:\vs 2008 projects\test\webtest\imptest.aspx.cs:28    system.web.util.callihelper.eventargfunctioncaller(intptr fp, object o, object t, eventargs e) +25    system.web.util.callieventhandlerdelegateproxy.callback(object sender, eventargs e) +42    system.web.ui.control.onload(eventargs e) +132    system.web.ui.control.loadrecursive() +66    system.web.ui.page.processrequestmain(boolean includestagesbeforeasyncpoint, boolean includestagesafterasyncpoint) +2428

again, no problems writing values root key, opening subkeys. appears using registrykeypermissioncheck.readwritesubtree indeed not further security checks when writing key, doing security check when opening subkey, registrykeypermissioncheck.readwritesubtree (though docs doesn't).

the answer question appropriately give elevated permissions via impersonation under non-interactive login. problem had assumed registrykeypermissioncheck.readwritesubtree wouldn't further security checks (like docs say) on reference after impersonation ends.

i guess i'm going have impersonation every time need write registry. :(


Comments

Post a Comment

Popular posts from this blog

linux - Mailx and Gmail nss config dir -

-
i trying send mail linux command line using mailx command. can send local domain no problem want set mail send gmail account receive mail sent gmail account. after configuring mail.rc so: account gmail { set smtp=smtps://smtp.gmail.com:587 set smtp-auth=login set smtp-auth-user=username@gmail.com set smtp-auth-password=password set ssl-verify=ignore } i error: resolving host smtp.gmail.com . . . done. connecting 74.125.25.109 . . . connected. missing "nss-config-dir" variable. "/home/username/dead.letter" 11/354 . . . message not sent. after looking "nss-config-dir" here , located certn.db , keyn.db files , added mail.rc so: account gmail { set smtp=smtps://smtp.gmail.com:587 set smtp-auth=login set smtp-auth-user=username@gmail.com set smtp-auth-password=password set ssl-verify=ignore set nss-config-dir=/home/user/.mozilla/firefox/location.default } now when try send mail using command: echo "sent gmail account" | mailx -v -a
Read more

c# - Is it possible to remove an existing registration from Autofac container builder? -

-
something along lines: builder.registertype<mytype>().as<itype>(); builder.registertype<mytype2>().as<itype>(); builder.deregistertype<mytype>().as<itype>() var container = builder.build(); var types = container.resolve<ienumerable<itype>>(); assert.istrue(types.count == 1); assert.istrue(types[0].gettype == typeof(mytype2)); scenario: go through bunch of assemblies , go register types want make sure have 1 implementation of given type. need before create container. track on own nice if autofac me bit. this cannot done directly using containerbuilder , unless start on new one. mind you, having first built container should able construct new container filtering away unwanted types , reusing registrations first container. this: ... var container = builder.build(); builder = new containerbuilder(); var components = container.componentregistry.registrations .where(cr => cr.activator.limittype != typ
Read more

php - Mysql PK and FK char(36) vs int(10) -

-
i have read mysql can handle indexes , searches better if tables keys integers rather char(36) uuid's. is worth converting int(10)? note: use 1 server , have have plans use multiple databases concurrently therefore removing 1 of big reasons using uuid. our tables innodb if makes difference. thanks in advance. usually rdbms can handle integer keys pk more efficient, other datatypes. reason how build index column, yes: long dont require string (or other typed) keys, should use integers. however: char(36) , int(10) far away being equal, because int(10) much smaller, char(36). dont know, if require many different keys, should keep in mind. update, complete last paragraph: int(10) 32-bit, char(36) 36 - ^byte^ (= 288-bit). not mean, int consumes less space, means, char(36) has 4 times more different keys.
Read more