Vista: Impersonation across Intergrity Levels

01-22-2007

Hello all,

I have an app that runs elevated that talks to an unelevated app via COM.
I want the COM servers in the unelevated app to be able to impersonate the
elevated client to perform certain file operations with full admin rights.

Whatever CoInitializeSecurity() parameters I have been trying to apply on
the client does not give the server appropriate rights ending with
ERROR_BAD_IMPERSONATION_LEVEL error when it tries to work with a file after
CoImpersonateClient().

I can foresee that something like a Mandatory Label SACL needs to be applied
to the client, but I cannot find any documentation in that regard.

Anyone has any ideas?

Thanx in advance,
AlexC

01-23-2007

Alex Chmut wrote:
> Hello all,
>
> I have an app that runs elevated that talks to an unelevated app via COM.
> I want the COM servers in the unelevated app to be able to impersonate the
> elevated client to perform certain file operations with full admin rights.
>
> Whatever CoInitializeSecurity() parameters I have been trying to apply on
> the client does not give the server appropriate rights ending with
> ERROR_BAD_IMPERSONATION_LEVEL error when it tries to work with a file after
> CoImpersonateClient().
>
> I can foresee that something like a Mandatory Label SACL needs to be applied
> to the client, but I cannot find any documentation in that regard.
>
> Anyone has any ideas?
>
> Thanx in advance,
> AlexC

I could be wrong, but I understand that you cannot alter the security
level of a process once it has been started - it's by design. The only
way you'll get it to work is to:

a.) get the unelevated process to launch an elevated process and perform
those file operations in that process and then exit to the original
unelevated process
b.) elevate the currently unelevated process

Basically, as I understand it, you're not going to get an unelevated
process to be elevated once it's started.

D

01-23-2007

"David Hearn" <david.hearn@newsgroup.nospam> wrote in message
news:OA5neDtPHHA.4376@TK2MSFTNGP02.phx.gbl...
>
> a.) get the unelevated process to launch an elevated process and perform
> those file operations in that process and then exit to the original
> unelevated process
> b.) elevate the currently unelevated process
>

These are not relavent to my question. I'm not talking here about how to
design apps for Vista.
I'm talking about a piece of functionality of the normal NT/COM security -
impersonation, which should work as long as the client gives such right to
the server.

01-23-2007

Alex Chmut wrote:
> "David Hearn" <david.hearn@newsgroup.nospam> wrote in message
> news:OA5neDtPHHA.4376@TK2MSFTNGP02.phx.gbl...
>> a.) get the unelevated process to launch an elevated process and perform
>> those file operations in that process and then exit to the original
>> unelevated process
>> b.) elevate the currently unelevated process
>>
>
> These are not relavent to my question. I'm not talking here about how to
> design apps for Vista.
> I'm talking about a piece of functionality of the normal NT/COM security -
> impersonation, which should work as long as the client gives such right to
> the server.

Sorry, I was under the impression this app was running on Vista and
therefore constrained by Vista's more strict security policies.

David

01-26-2007

The reply to this has been given on MSFT forum:
http://forums.microsoft.com/MSDN/Sho...43217&SiteID=1

01-22-2007	#1 (permalink)
Alex Chmut Guest n/a posts	Vista: Impersonation across Intergrity Levels Hello all, I have an app that runs elevated that talks to an unelevated app via COM. I want the COM servers in the unelevated app to be able to impersonate the elevated client to perform certain file operations with full admin rights. Whatever CoInitializeSecurity() parameters I have been trying to apply on the client does not give the server appropriate rights ending with ERROR_BAD_IMPERSONATION_LEVEL error when it tries to work with a file after CoImpersonateClient(). I can foresee that something like a Mandatory Label SACL needs to be applied to the client, but I cannot find any documentation in that regard. Anyone has any ideas? Thanx in advance, AlexC
My System Specs

01-23-2007	#2 (permalink)
David Hearn Guest n/a posts	Re: Vista: Impersonation across Intergrity Levels Alex Chmut wrote: > Hello all, > > I have an app that runs elevated that talks to an unelevated app via COM. > I want the COM servers in the unelevated app to be able to impersonate the > elevated client to perform certain file operations with full admin rights. > > Whatever CoInitializeSecurity() parameters I have been trying to apply on > the client does not give the server appropriate rights ending with > ERROR_BAD_IMPERSONATION_LEVEL error when it tries to work with a file after > CoImpersonateClient(). > > I can foresee that something like a Mandatory Label SACL needs to be applied > to the client, but I cannot find any documentation in that regard. > > Anyone has any ideas? > > Thanx in advance, > AlexC I could be wrong, but I understand that you cannot alter the security level of a process once it has been started - it's by design. The only way you'll get it to work is to: a.) get the unelevated process to launch an elevated process and perform those file operations in that process and then exit to the original unelevated process b.) elevate the currently unelevated process Basically, as I understand it, you're not going to get an unelevated process to be elevated once it's started. D
My System Specs

01-23-2007	#3 (permalink)
Alex Chmut Guest n/a posts	Re: Vista: Impersonation across Intergrity Levels "David Hearn" <david.hearn@newsgroup.nospam> wrote in message news:OA5neDtPHHA.4376@TK2MSFTNGP02.phx.gbl... > > a.) get the unelevated process to launch an elevated process and perform > those file operations in that process and then exit to the original > unelevated process > b.) elevate the currently unelevated process > These are not relavent to my question. I'm not talking here about how to design apps for Vista. I'm talking about a piece of functionality of the normal NT/COM security - impersonation, which should work as long as the client gives such right to the server.
My System Specs

01-23-2007	#4 (permalink)
David Hearn Guest n/a posts	Re: Vista: Impersonation across Intergrity Levels Alex Chmut wrote: > "David Hearn" <david.hearn@newsgroup.nospam> wrote in message > news:OA5neDtPHHA.4376@TK2MSFTNGP02.phx.gbl... >> a.) get the unelevated process to launch an elevated process and perform >> those file operations in that process and then exit to the original >> unelevated process >> b.) elevate the currently unelevated process >> > > These are not relavent to my question. I'm not talking here about how to > design apps for Vista. > I'm talking about a piece of functionality of the normal NT/COM security - > impersonation, which should work as long as the client gives such right to > the server. Sorry, I was under the impression this app was running on Vista and therefore constrained by Vista's more strict security policies. David
My System Specs

01-26-2007	#5 (permalink)
Alex Chmut Guest n/a posts	Re: Vista: Impersonation across Intergrity Levels The reply to this has been given on MSFT forum: http://forums.microsoft.com/MSDN/Sho...43217&SiteID=1
My System Specs

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Microphone levels in Windows Vista Home Premium	Dasaecor	Vista music pictures video	5	05-17-2008 08:02 AM
Duplicate levels of 'Application Data' folders in Vista?	JoanB	Vista General	4	10-04-2007 06:10 AM
HP Photosmart D7160 does not give Ink levels in Vista Ultimate	TomKo	Vista hardware & devices	7	05-30-2007 06:14 PM
HP Photosmart D7160 does not give Ink levels in Vista Ultimate	TomKo	Vista hardware & devices	0	05-28-2007 06:09 PM