Vista: Impersonation across Integrity Levels

Old 01-22-2007   #1 (permalink)
Alex Chmut
Guest


 

Vista: Impersonation across Integrity Levels

Hello all,

I have an app that runs elevated that talks to an unelevated app via COM.
I want the COM servers in the unelevated app to be able to impersonate the
elevated client to perform certain file operations with full admin rights.

Whatever CoInitializeSecurity() parameters I have been trying to apply on
the client does not give the server appropriate rights ending with
ERROR_BAD_IMPERSONATION_LEVEL error when it tries to work with a file after
CoImpersonateClient().

I can foresee that something like a Mandatory Label SACL needs to be applied
to the client, but I cannot find any documentation in that regard.

Does anyone have any ideas?

Thanx in advance,
AlexC
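
A server-side check for the failure described in the post above, as an added example that is not part of the thread: called right after CoImpersonateClient(), it reads the thread token's impersonation level and integrity level and compares them with the server process's own integrity level. The names classify, report_client_token and the two flag constants are made up for this example; a token below SecurityImpersonation is the condition under which file access fails with ERROR_BAD_IMPERSONATION_LEVEL.

```c
/* Added diagnostic, not code from the thread. Call report_client_token() in
   the COM server method right after CoImpersonateClient() succeeds. */
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else  /* stand-ins so the pure helper also builds off Windows */
typedef unsigned long DWORD;
enum { SecurityAnonymous, SecurityIdentification, SecurityImpersonation };
#endif
#define NOT_USABLE   1u  /* below SecurityImpersonation: access checks fail */
#define CLIENT_ABOVE 2u  /* client integrity RID is higher than the server's */

/* Hypothetical helper: flag the two conditions worth logging. */
unsigned classify(DWORD imp_level, DWORD client_il, DWORD server_il) {
    unsigned f = 0;
    if (imp_level < (DWORD)SecurityImpersonation) f |= NOT_USABLE;
    if (client_il > server_il) f |= CLIENT_ABOVE;
    return f;
}

#ifdef _WIN32
/* The integrity RID (0x2000 medium, 0x3000 high) is the last sub-authority
   of the token's mandatory label SID. Returns 0 if the query fails. */
static DWORD integrity_rid(HANDLE tok) {
    ULONG_PTR buf[16]; DWORD len = 0;
    if (!GetTokenInformation(tok, TokenIntegrityLevel, buf, sizeof buf, &len))
        return 0;
    PSID sid = ((TOKEN_MANDATORY_LABEL *)buf)->Label.Sid;
    return *GetSidSubAuthority(sid, (DWORD)(*GetSidSubAuthorityCount(sid) - 1));
}

unsigned report_client_token(void) {
    HANDLE thr = NULL, proc = NULL; DWORD len = 0;
    SECURITY_IMPERSONATION_LEVEL lvl = SecurityAnonymous;
    /* OpenAsSelf=TRUE: open with the process identity, not the client's. */
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &thr) ||
        !OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &proc)) {
        if (thr) CloseHandle(thr);
        return NOT_USABLE;
    }
    GetTokenInformation(thr, TokenImpersonationLevel, &lvl, sizeof lvl, &len);
    DWORD cil = integrity_rid(thr), sil = integrity_rid(proc);
    printf("level=%d client IL=0x%lx server IL=0x%lx\n", (int)lvl, cil, sil);
    CloseHandle(thr); CloseHandle(proc);
    return classify((DWORD)lvl, cil, sil);
}
#endif
```
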



Old 01-23-2007   #2 (permalink)
David Hearn
Guest


 

Re: Vista: Impersonation across Integrity Levels

Alex Chmut wrote:
> Hello all,
>
> I have an app that runs elevated that talks to an unelevated app via COM.
> I want the COM servers in the unelevated app to be able to impersonate the
> elevated client to perform certain file operations with full admin rights.
>
> Whatever CoInitializeSecurity() parameters I have been trying to apply on
> the client does not give the server appropriate rights ending with
> ERROR_BAD_IMPERSONATION_LEVEL error when it tries to work with a file after
> CoImpersonateClient().
>
> I can foresee that something like a Mandatory Label SACL needs to be applied
> to the client, but I cannot find any documentation in that regard.
>
> Does anyone have any ideas?
>
> Thanx in advance,
> AlexC


I could be wrong, but I understand that you cannot alter the security
level of a process once it has been started - it's by design. The only
way you'll get it to work is to:

a.) get the unelevated process to launch an elevated process and perform
those file operations in that process and then exit to the original
unelevated process
b.) elevate the currently unelevated process

Basically, as I understand it, you're not going to get an unelevated
process to be elevated once it's started.

D
Old 01-23-2007   #3 (permalink)
Alex Chmut
Guest


 

Re: Vista: Impersonation across Integrity Levels


"David Hearn" <david.hearn@newsgroup.nospam> wrote in message
news:OA5neDtPHHA.4376@TK2MSFTNGP02.phx.gbl...
>
> a.) get the unelevated process to launch an elevated process and perform
> those file operations in that process and then exit to the original
> unelevated process
> b.) elevate the currently unelevated process
>


These are not relevant to my question. I'm not talking here about how to
design apps for Vista.
I'm talking about a piece of functionality of the normal NT/COM security -
impersonation, which should work as long as the client gives such right to
the server.


Old 01-23-2007   #4 (permalink)
David Hearn
Guest


 

Re: Vista: Impersonation across Integrity Levels

Alex Chmut wrote:
> "David Hearn" <david.hearn@newsgroup.nospam> wrote in message
> news:OA5neDtPHHA.4376@TK2MSFTNGP02.phx.gbl...
>> a.) get the unelevated process to launch an elevated process and perform
>> those file operations in that process and then exit to the original
>> unelevated process
>> b.) elevate the currently unelevated process
>>

>
> These are not relevant to my question. I'm not talking here about how to
> design apps for Vista.
> I'm talking about a piece of functionality of the normal NT/COM security -
> impersonation, which should work as long as the client gives such right to
> the server.


Sorry, I was under the impression this app was running on Vista and
therefore constrained by Vista's more strict security policies.

David
Old 01-26-2007   #5 (permalink)
Alex Chmut
Guest


 

Re: Vista: Impersonation across Integrity Levels

The reply to this has been given on MSFT forum:
http://forums.microsoft.com/MSDN/Sho...43217&SiteID=1