Orchid XP v8 wrote:
> Doing some research, apparently it's not just files that can have
> permissions. Registry keys, services, printers (??!) and so forth can
> all have ACLs attached to them.
Um, sure. I hadn't heard of it with services, but the registry editor and
the printers both have property pages for security just like files do. You
might need to invoke regedt32 instead of regedit to get the version that has
the security stuff, IIRC.

And yes, everything has ACLs attached, including all your devices,
processes, connections, etc etc etc. Everything you can name in the kernel
has ACLs on it.
> Not that you'd know that from the UI. :-P
>
> Anyway, apparently Process Explorer has the power to show _and edit_ the
> ACLs associated with a running service. (It's unclear whether it changes
> the security token on the running process, or actually changes the
> service configuration so that it will have the new security *every* time
> it's run.)
It changes it next time it runs, if you change it from the service
configuration screens. (You know, the same set of tabs that shows you what
other services and stuff it depends on, not the "task manager"-like stuff. I
don't know which PE you're using there.)

I never tried setting up a service running as Fred and then had Fred try to
stop just that one. If that works, that would seem to be the way to go, if
you can.
> Unfortunately, although this appears to work fine on Windows XP... [I'm
> sure you see where I'm going with this.]
>
> There's no huge problem with everybody having administrative rights over
> the local machine, except... that allows you to forcibly log other
> people off the machine. Which would be "bad".
>
> And now I'm wondering... maybe it's a "right" you can set?
That was my second suggestion. It'll likely be in the "user rights
assignment" list if it is. Maybe domain controllers have more of this sort
of thing than the individuals?
> Otherwise, yeah, I'm going to end up writing some horribly hackish
> script to kill and restart this damned service. :-(
It's that, or learning some deep Windows juju to invoke the LoginUser API to
change your own ownership when the program runs. Maybe you could have a "run
as" script?

Does this help?
http://www.codeguru.com/cpp/w-p/system/article.php/c5755
At least someone else wrote the hacky script for you. :-)
--
Darren New, San Diego CA, USA (PST)
The NFL should go international. I'd pay to
see the Detroit Lions vs the Roman Catholics.
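Added example, not part of the original post or of any tool mentioned in the thread: the per-service ACL discussed above, read and extended as the SDDL text that `sc sdshow` prints and `sc sdset` accepts. It lists who may stop a service and adds an allow ACE so that one user can start and stop just that service without being a local administrator. The SDDL string and Fred's SID are constructed sample values, and rights are assumed to be written as two-letter codes.

```python
import re

# SDDL two-letter rights codes, with their meaning on Windows service objects.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

# Constructed sample in the form `sc sdshow <service>` prints (not from the thread).
SAMPLE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)
FRED_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # made-up SID

def split_sddl(sddl):
    """Split into (text up to and including 'D:', DACL body, SACL part or '')."""
    d = sddl.index("D:")
    s = sddl.find("S:", d)          # SIDs use 'S-', so 'S:' only starts the SACL
    s = len(sddl) if s == -1 else s
    return sddl[:d + 2], sddl[d + 2:s], sddl[s:]

def dacl_entries(sddl):
    """Yield (ace_type, set of right names, trustee) for each ACE in the DACL."""
    _, dacl, _ = split_sddl(sddl)
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _flags, rights, _obj, _inh, trustee = ace.split(";")[:6]
        names = {SERVICE_RIGHTS.get(c, c) for c in re.findall("..", rights)}
        yield ace_type, names, trustee

def who_can(sddl, right):
    """Trustees with an allow ACE carrying the named right, e.g. 'STOP'."""
    return [t for kind, names, t in dacl_entries(sddl)
            if kind == "A" and right in names]

def grant_start_stop(sddl, sid):
    """Return SDDL with query-status/start/stop allowed for sid; SACL is kept."""
    if sid in who_can(sddl, "START") and sid in who_can(sddl, "STOP"):
        return sddl                  # already granted, do not add a duplicate ACE
    head, dacl, sacl = split_sddl(sddl)
    return f"{head}{dacl}(A;;LCRPWP;;;{sid}){sacl}"

if __name__ == "__main__":
    print("STOP before:", who_can(SAMPLE_SDDL, "STOP"))
    print(grant_start_stop(SAMPLE_SDDL, FRED_SID))
```

The new ACE carries only LC, RP and WP, so the user gains no right to change the service's configuration or its ACL.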