Accessing network from a system thread

Dear All!

How can I access network files from the context of the system process? I’ve got access denied when trying to open such a file. How can I impersonate the logged in user in the system thread to access network files?

Thanx a lot,
Max

When you create the system thread, you need to make sure you create it in a
process context that has network access rights. For example, you can create
the thread from an IOCTL. Rather than using NULL as the process, use
NtCurrentProcess().

Jamey
StorageCraft

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Max Lyadvinsky
Sent: Friday, March 31, 2000 12:35 AM
To: File Systems Developers
Subject: [ntfsd] Accessing network from a system thread

Dear All!

How can I access network files from the context of the system
process? I’ve got access denied when trying to open such a file.
How can I impersonate the logged in user in the system thread to
access network files?

Thanx a lot,
Max



This will not work always because the user who created
the system thread may not have access to the file in question.

The right way to do this is impersonating the originating thread. This way
you will have the same access as original user.

Impersonating functions are documented in latest DDK/IFS.

Inaki.

-----Original Message-----
From: Jamey Kirby
Sent: Friday, March 31, 2000 10:51
To: File Systems Developers
Subject: [ntfsd] RE: Accessing network from a system thread

When you create the system thread, you need to make sure you create it in a
process context that has network access rights. For example, you can create
the thread from an IOCTL. Rather than using NULL as the process, use
NtCurrentProcess().

Jamey
StorageCraft


Sorry, I’m thinking here you are filtering any user request.

If the only user you want to impersonate is the one that has done
the interactive login, Jamey's solution is right.

Inaki.

-----Original Message-----
From: Iñaki Castillo
Sent: Friday, March 31, 2000 11:47
To: File Systems Developers
Subject: [ntfsd] RE: Accessing network from a system thread

This will not work always because the user who created
the system thread may not have access to the file in question.

The right way to do this is impersonating the originating thread. This way
you will have the same access as original user.

Impersonating functions are documented in latest DDK/IFS.

Inaki.


I’d like to impersonate the system thread. How can I do it? Which functions, in which sequence? I used to create threads in the context of a user process and that worked, but now I’d like to impersonate the system thread.

Max Lyadvinsky


From: Iñaki Castillo [SMTP:xxxxx@pandasoftware.es]
Sent: 31 March 2000 15:12
To: File Systems Developers
Subject: [ntfsd] RE: Accessing network from a system thread

Sorry, I’m thinking here you are filtering any user request.

If the only user you want to impersonate is the one that has done
the interactive login, Jamey's solution is right.

Inaki.


Just a question, before giving an answer:

Where are you when you want to impersonate: in the context of a user
thread (local or remote); in the context of a system thread?

Inaki.

-----Original Message-----
From: xxxxx@paragon.ru
Sent: Friday, March 31, 2000 15:42
To: File Systems Developers
Subject: Re: Accessing network from a system thread

I’d like to impersonate the system thread. How can I do it? Which
functions, in which sequence? I used to create threads in the context of a
user process and that worked, but now I’d like to impersonate the system
thread.

Max Lyadvinsky



in the context of a system thread


From: Iñaki Castillo [SMTP:xxxxx@pandasoftware.es]
Reply To: File Systems Developers
Sent: 31 March 2000 18:15
To: File Systems Developers
Subject: [ntfsd] RE: Accessing network from a system thread

Just a question, before giving an answer:

Where are you when you want to impersonate: in the context of a user
thread (local or remote); in the context of a system thread?

Inaki.


Okay,

This can be done as follows:

// Requires ntifs.h (IFS kit).
SECURITY_QUALITY_OF_SERVICE qos;
PETHREAD thread;
SECURITY_CLIENT_CONTEXT securityContext;

// Get the target thread.
// If you want to impersonate the current thread, use...
thread = PsGetCurrentThread();
// If not, select the appropriate thread, the thread you want to impersonate
// (I mean, the one that has the security context you want).

// Fill the qos fields; the most important here is ImpersonationLevel:
qos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
qos.ImpersonationLevel = SecurityImpersonation;
qos.ContextTrackingMode = SECURITY_STATIC_TRACKING;
qos.EffectiveOnly = FALSE;

// Create the security context:
if( STATUS_SUCCESS == SeCreateClientSecurity( thread, &qos, FALSE, &securityContext ))
{
    // Then, when you want to impersonate the thread:
    SeImpersonateClient(&securityContext, NULL);

    // Now, under the impersonated thread, do your work here...

    // When you no longer need impersonation, revert to self
    // (cancel impersonation):
    PsRevertToSelf();

    // Release the token reference taken by SeCreateClientSecurity:
    SeDeleteClientSecurity(&securityContext);
}

That’s all.

Inaki.
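
The sequence above, split across the two places it has to run when the work is done in a system thread (capture on the requesting thread, impersonate later in the worker); this is an added example, not code from the thread. `CaptureRequestor`, `RunAsRequestor`, `WORK_ROUTINE` and `SampleWork` are hypothetical names, `SeImpersonateClientEx` is swapped in for `SeImpersonateClient` because it returns a status, and the `#else` branch holds constructed stand-ins so the control flow compiles outside a driver build.

```c
/* Offline stand-ins: a driver build (WDK, /kernel defines _KERNEL_MODE) uses the
 * real ntifs.h routines; otherwise these constructed stubs model only whether a
 * captured client token is attached to the thread. */
#ifdef _KERNEL_MODE
#include <ntifs.h>
#else
#include <stddef.h>
typedef int NTSTATUS; typedef unsigned char BOOLEAN; typedef void *PETHREAD;
typedef struct { unsigned long Length; int ImpersonationLevel, ContextTrackingMode,
                 EffectiveOnly; } SECURITY_QUALITY_OF_SERVICE;
typedef struct { int Captured; } SECURITY_CLIENT_CONTEXT;
enum { FALSE = 0, SECURITY_STATIC_TRACKING = 0, SecurityImpersonation = 2 };
#define NT_SUCCESS(s) ((NTSTATUS)(s) >= 0)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022)
static int g_impersonating;              /* stub: 1 while a client token is attached */
static PETHREAD PsGetCurrentThread(void) { return &g_impersonating; }
static NTSTATUS SeCreateClientSecurity(PETHREAD t, SECURITY_QUALITY_OF_SERVICE *q,
                                       BOOLEAN remote, SECURITY_CLIENT_CONTEXT *c)
{ (void)t; (void)q; (void)remote; c->Captured = 1; return 0; }
static NTSTATUS SeImpersonateClientEx(SECURITY_CLIENT_CONTEXT *c, PETHREAD t)
{ (void)t; if (!c->Captured) return STATUS_ACCESS_DENIED; g_impersonating = 1; return 0; }
static void PsRevertToSelf(void) { g_impersonating = 0; }
static void SeDeleteClientSecurity(SECURITY_CLIENT_CONTEXT *c) { c->Captured = 0; }
static NTSTATUS SampleWork(void *seen) { *(int *)seen = g_impersonating; return 0; }
#endif

typedef NTSTATUS (*WORK_ROUTINE)(void *Arg);   /* hypothetical callback type */

/* Step 1: run in the dispatch routine, on the requesting user's own thread. */
NTSTATUS CaptureRequestor(SECURITY_CLIENT_CONTEXT *Ctx)
{
    SECURITY_QUALITY_OF_SERVICE qos;
    qos.Length = sizeof(qos);
    qos.ImpersonationLevel = SecurityImpersonation;
    qos.ContextTrackingMode = SECURITY_STATIC_TRACKING;  /* snapshot the token now */
    qos.EffectiveOnly = FALSE;
    return SeCreateClientSecurity(PsGetCurrentThread(), &qos, FALSE, Ctx);
}

/* Step 2: run in the system thread at PASSIVE_LEVEL, only if step 1 succeeded. Consumes Ctx. */
NTSTATUS RunAsRequestor(SECURITY_CLIENT_CONTEXT *Ctx, WORK_ROUTINE Work, void *Arg)
{
    /* The Ex variant returns a status; if it fails, do not fall through and
     * do the work under the system thread's own identity. */
    NTSTATUS status = SeImpersonateClientEx(Ctx, NULL);
    if (NT_SUCCESS(status)) {
        status = Work(Arg);          /* e.g. open the network file here */
        PsRevertToSelf();            /* always drop the user's token afterwards */
    }
    SeDeleteClientSecurity(Ctx);     /* release the token reference from step 1 */
    return status;
}
```

In a driver, the captured `SECURITY_CLIENT_CONTEXT` has to live in storage that outlives the dispatch routine (for example, the work item handed to the system thread), since step 2 runs after the request thread has returned.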

-----Original Message-----
From: xxxxx@paragon.ru
Sent: Friday, March 31, 2000 19:01
To: File Systems Developers
Subject: Re: Accessing network from a system thread

in the context of a system thread

