  Re: A small security problem  
From: Orchid XP v8
Date: 8 Dec 2008 17:37:34
Message: <493da1ae@news.povray.org>
Darren New wrote:

> And yes, everything has ACLs attached, including all your devices, 
> processes, connections, etc etc etc. Everything you can name in the 
> kernel has ACLs on it.

I wonder... what do the ACLs on a process do? (Not to be confused with 
the security tokens the process has. These presumably control what the 
*process* is allowed to do, whereas the ACLs control what *you* can do 
to that process.)

>> Anyway, apparently Process Explorer has the power to show _and edit_ 
>> the ACLs associated with a running service. (It's unclear whether it 
>> changes the security token on the running process, or actually changes 
>> the service configuration so that it will have the new security 
>> *every* time it's run.)
> 
> It changes it next time it runs, if you change it from the service 
> configuration screens. (You know, the same set of tabs that shows you 
> what other services and stuff it depends on, not the "task manager"-like 
> stuff. I don't know which PE you're using there.)

I hunted around for ages in there. I found the controls to change the 
account the service runs under, but nothing to change the ACLs on the 
service.

>> And now I'm wondering... maybe it's a "right" you can set? 
> 
> That was my second suggestion. It'll likely be in the "user rights 
> assignment" list if it is. Maybe domain controllers have more of this 
> sort of thing than the individuals?

Even in NT, the User Manager thingy has a panel hidden away somewhere 
for controlling password expiration times and such, and another next to 
it for controlling... well, I forget exactly. But maybe I'll find 
something useful in there? I'll take a look tomorrow.

>> Otherwise, yeah, I'm going to end up writing some horribly hackish 
>> script to kill and restart this damned service. :-(
> 
> It's that, or learning some deep Windows juju to invoke the LoginUser 
> API to change your own ownership when the program runs. Maybe you could 
> have a "run as" script?

Well, since I know how to program in C++ now, that should be easy! :-D

(I jest. Obviously.)

> Does this help?
> http://www.codeguru.com/cpp/w-p/system/article.php/c5755
> At least someone else wrote the hacky script for you. :-)

Well, that looks like my backup plan...

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*

