
I'm having some issues with some long-ago written classes that do thread-level impersonation and process spawning. The problem seems to be that my usage of these utility classes is above and beyond what anyone else has tried to do with them.

The first does thread-level impersonation by using OpenThreadToken and DuplicateToken along with ImpersonateLoggedOnUser.

The second attempts to create a process using CreateProcessAsUser with a token obtained with OpenThreadToken / DuplicateToken.

The issue I'm running into is that I have:

Thread 1 running in IIS with the correct user
Thread 2 that is created by Thread 1 - which is impersonated
Thread 3 that is created by Thread 2 - which is impersonated
Process 1 that is spawned by Thread 3 - which I attempt to impersonate

Spawning Process 1 fails with error code 5 from OpenThreadToken. If I spawn process 1 from Thread 1, OpenThreadToken doesn't give me any guff. I ask for TOKEN_ALL_ACCESS from OpenThreadToken & DuplicateToken and it doesn't fail until I actually do it from Thread 3. Anybody have any insight as to what permissions I may actually need here?

Here's the code for spawning the process:

(Impersonating the thread just involves taking the thread token handle and calling ImpersonateLoggedOnUser...)

    //process spawn
    if (!::OpenThreadToken(::GetCurrentThread(),
                           TOKEN_ALL_ACCESS,
                           false,              // OpenAsSelf = FALSE: access is checked as the impersonated user
                           &hThreadUserToken))
    {
        m_dwCreateError = ::GetLastError();   // this is where error 5 comes back from Thread 3
        return false;
    }

    Handle hNewProcessUserToken;
    if (!DuplicateTokenEx(
            hThreadUserToken,
            TOKEN_ALL_ACCESS,
            NULL,
            SecurityDelegation,
            TokenPrimary,
            &hNewProcessUserToken))
    {
        m_dwCreateError = ::GetLastError();
        return false;
    }

    bReturnValue = ::CreateProcessAsUserA(
        hNewProcessUserToken,
        AppName,
        cmdLine,
        NULL,
        NULL,
        TRUE,
        0,
        m_lpEnvironment,
        cwdStr,
        &m_StartupInfo,
        &piProcInfo);

Anything obvious I'm doing wrong here? I can't really spawn the process from Thread 1 - it just doesn't have the right info it needs, and having a handle back to it from Thread 3 is...not a good solution and not good design.

phyllis diller
I don't know how IIS works in regards to impersonation (maybe it does something strange for security purposes), but you could try opening the token in the context of the process (by passing TRUE to OpenThreadToken) or only requesting the access rights you actually need (instead of TOKEN_ALL_ACCESS). – Luke Jan 27 '11 at 17:30

I was attempting to use TOKEN_ALL_ACCESS in case there are permissions that are required that aren't well documented. It actually succeeds until the third thread. Can't open it in the context of the process, either - it doesn't have the rights required to use the process I am attempting to spawn (for security reasons). – phyllis diller Jan 27 '11 at 20:10

1 Answer

OpenThreadToken fails in the impersonated case because the impersonated user does not have permission to access the thread's token. You should pass OpenAsSelf = TRUE.

John
Can't do this - the process user does not have the required permissions, and I can't change that. The impersonated user is the same as the one I opened the first thread and the second thread with - why would it fail the third time? – phyllis diller Jan 28 '11 at 01:13

OpenAsSelf does not mean give me the primary token. It means when evaluating access to the token, check against the primary instead of the impersonated. – John Jan 28 '11 at 01:57

I realize this. The primary token does not have the rights to access the impersonation token - it is a limited rights default IIS user. – phyllis diller Jan 28 '11 at 17:22

This works - though I really wish I understood better why. It doesn't make much sense to me. – phyllis diller Feb 01 '11 at 17:07

It makes sense; the process created the token in question, so it has the access rights to it. – Harry Johnston Aug 06 '14 at 05:31