Windows security context

I would like to change the Windows security context of a thread, using this code:

    IntPtr pJeton;
    if (LogonUser("myuser", "europe", "password", 2, 0, out pJeton)) {
        myWindowsIdentity = new WindowsIdentity(pJeton);
        myWindowsPrincipal = new WindowsPrincipal(myWindowsIdentity);
        Thread.CurrentPrincipal = myWindowsPrincipal;
        System.IO.StreamReader sr = new System.IO.StreamReader(@"C:\myFile.txt");
        MessageBox.Show(sr.ReadToEnd());
        sr.Close();
    }

I would expect that if the logon succeeds, and if "myuser" does not have the NTFS read permission on the file "myFile", a security exception would be thrown.

But this is not the behaviour of this code, as if the underlying Windows security context hasn't changed and the read access is still checked with my Windows principal.

What have I missed?

Oriane

Hello Oriane,
You have to call WindowsIdentity.Impersonate

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Thanks

But if just needing CAS, then you don't need Impersonate. Is this correct?

Hello William Stacey [MVP],
what do you mean?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

I mean if you're just creating the identity for code access security, you
don't need to do an OS-level impersonation (unless you need to impersonate for OS-level resources such as files, etc.) Did I miss the point? TIA

Hello William Stacey [MVP],
CAS is based on the identity of the code - not the identity of the user running the code... maybe I am missing the point...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
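
The distinction discussed in this thread, as an added example that is not code from any of the posters: setting Thread.CurrentPrincipal only feeds .NET role-based checks, whereas WindowsIdentity.Impersonate swaps the thread's OS token, which is what NTFS evaluates when the file is opened. The P/Invoke declarations, the `ReadAs` helper and the command-line arguments are assumptions of this example, which targets the .NET Framework.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class ImpersonationDemo
{
    const int LOGON32_LOGON_INTERACTIVE = 2;  // the "2" passed in the original post
    const int LOGON32_PROVIDER_DEFAULT = 0;   // the "0" passed in the original post

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Hypothetical helper: reads the file under the logged-on account's token,
    // so NTFS ACLs are evaluated against that account, not the process identity.
    static string ReadAs(string user, string domain, string password, string path)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            using (WindowsIdentity identity = new WindowsIdentity(token))
            using (WindowsImpersonationContext ctx = identity.Impersonate())
            {
                // The thread token is now the impersonated account.
                Console.WriteLine("Thread token: " + WindowsIdentity.GetCurrent().Name);
                // Throws UnauthorizedAccessException if that account lacks read access.
                return File.ReadAllText(path);
            }   // Dispose() calls Undo(), reverting the thread to the process token
        }
        finally
        {
            CloseHandle(token);   // WindowsIdentity duplicated the handle; release ours
        }
    }

    static void Main(string[] args)
    {
        // Arguments (assumed order): user, domain, password, file path.
        Console.WriteLine(ReadAs(args[0], args[1], args[2], args[3]));
    }
}
```

Keeping the impersonated scope this narrow and disposing the context in a `using` block ensures later code on the same thread does not keep running under the borrowed token. On .NET Core and later, `WindowsIdentity.RunImpersonated` takes the place of `Impersonate`.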