Home   Groups   Digests   Personalise   Search   Login
  POV-Ray : Newsgroups : povray.off-topic : A small security problem : Re: A small security problem Server Time
12 Jul 2025 09:01:55 EDT (-0400)
  Re: A small security problem  
From: Orchid XP v8
Date: 8 Dec 2008 15:45:02
Message: <493d874e@news.povray.org>
 
Darren New wrote:

> Thoughts:
> 
> See if the service will run in a different group, or whether it needs to 
> have some sort of admin privs. Then give someone privileges to log in as 
> that group and control the service that way.
> 
> See if there's something in Group Policy that lists a specific 
> stop/start privilege for services. I'm talking under the "user rights 
> assignment" table.
> 
> Third, write a "set uid" program and give it rights to impersonate the 
> administrator to start or stop the service.
> 
> Worse comes to worst, write a kludge program that runs all the time in 
> the administrators group and watches for a "start.txt" or "stop.txt" to 
> be created in a particular directory, then invokes the appropriate "net 
> start" and "net stop" commands. Note this solution takes no particular 
> knowledge of windows APIs and can be regulated just by giving whoever 
> you want the appropriate permissions on the appropriate directory.

Doing some research, apparently it's not just files that can have 
permissions. Registry keys, services, printers (??!) and so forth can 
all have ACLs attached to them.

Not that you'd know that from the UI. :-P

Anyway, apparently Process Explorer has the power to show _and edit_ the 
ACLs associated with a running service. (It's unclear whether it changes 
the security token on the running process, or actually changes the 
service configuration so that it will have the new security *every* time 
it's run.)

Unfortunately, although this appears to work fine on Windows XP... [I'm 
sure you see where I'm going with this.]

There's no huge problem with everybody having administrative rights over 
the local machine, expect... that allows you to forcibly log other 
people off the machine. Which would be "bad".

And now I'm wondering... maybe it's a "right" you can set? (As you may 
remember, permissions apply to resources, rights apply to users.) I 
wonder if I can either assign the "stop service" right to a user group, 
or else create a mini-admins group and somehow revoke the "kick people 
off" right?...

Otherwise, yeah, I'm going to end up writing some horribly hackish 
script to kill and restart this damned service. :-(

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*


Post a reply to this message

Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.