RE: Accessing network from a system thread

Using the code sample below on NT4 SP6 as follows:
MyImpersonate (UserThread)
{

qos.ContextTrackingMode = SECURITY_STATIC_TRACKING;

SeCreateClientSecurity (UserThread, …)

SeImpersonateClient(…)
}


while (lots){
MyImpersonate (SomeThread);
…[Network file activity]
PsRevertToSelf ();
}

Gives me a huge memory leak. Changing ContextTrackingMode to
SECURITY_DYNAMIC_TRACKING, I now get a small memory leak, but still
significant over a 24 hour period.

Clues would be useful!

On 03/31/00, "Iñaki Castillo" wrote:
> Okay,
>
> This can be done as follows:
>
> SECURITY_QUALITY_OF_SERVICE qos;
> PETHREAD thread;
> SECURITY_CLIENT_CONTEXT securityContext;
>
> //Get the target thread:
> //If you want to impersonate current thread, use…
> thread = PsGetCurrentThread();
> //if not, select the appropriate thread, the thread you want to impersonate
> //(I mean, the one that has the security context you want)
>
> //Fill qos fields, the most important here is ImpersonationLevel:
>
> qos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
> qos.ImpersonationLevel = SecurityImpersonation;
> qos.ContextTrackingMode = SECURITY_STATIC_TRACKING;
> qos.EffectiveOnly = FALSE;
>
> //Create security context:
> if( STATUS_SUCCESS == SeCreateClientSecurity( thread, &qos, FALSE,
>                                               &securityContext ))
> {
>     //Then when you want to impersonate the thread:
>     SeImpersonateClient(&securityContext, NULL);
>
>     //Now under impersonated thread, do your work here…
>
>     //When you don’t need anymore impersonation, revert to self
>     //(cancel impersonation)
>     PsRevertToSelf();
> }
>
> That’s all.
>
> Inaki.
>
> > -----Original Message-----
> > From: xxxxx@paragon.ru
> > Sent: Friday, March 31, 2000 19:01
> > To: File Systems Developers
> > Subject: Re: Accessing network from a system thread
> >
> > in the context of a system thread
> >
> > ----------
> > From: Iñaki Castillo[SMTP:xxxxx@pandasoftware.es]
> > Reply-To: File Systems Developers
> > Sent: March 31, 2000 18:15
> > To: File Systems Developers
> > Subject: [ntfsd] RE: Accessing network from a system thread
> >
> >
> > Just a question, before giving an answer:
> >
> > where are you when you want to impersonate: in the context of a user
> > thread (local or remote); in the context of a system thread ?
> >
> >
> > Inaki.
> >
> > > -----Original Message-----
> > > From: xxxxx@paragon.ru
> > > Sent: Friday, March 31, 2000 15:42
> > > To: File Systems Developers
> > > Subject: Re: Accessing network from a system thread
> > >
> > > I’d like to impersonate the system thread. How can I do it? Which
> > > functions, in which sequence? I used to create threads in the context of a
> > > user process and that worked, but now I’d like to impersonate the system
> > > thread.
> > >
> > > Max Lyadvinsky
> > >
> > > ----------
> > > From: Iñaki Castillo[SMTP:xxxxx@pandasoftware.es]
> > > Sent: March 31, 2000 15:12
> > > To: File Systems Developers
> > > Subject: [ntfsd] RE: Accessing network from a system thread
> > >
> > > Sorry, I’m thinking here you are filtering any user request.
> > >
> > > If the only user you want to impersonate is the one that has done
> > > the interactive login, Jamey’s solution is right.
> > >
> > > Inaki.
> > >
> > > > -----Original Message-----
> > > > From: Iñaki Castillo
> > > > Sent: Friday, March 31, 2000 11:47
> > > > To: File Systems Developers
> > > > Subject: [ntfsd] RE: Accessing network from a system thread
> > > >
> > > > This will not work always because the user who created
> > > > the system thread may not have access to the file in question.
> > > >
> > > > The right way to do this is impersonating the originating thread. This way
> > > > you will have the same access as original user.
> > > >
> > > > Impersonating functions are documented in latest DDK/IFS.
> > > >
> > > > Inaki.
> > > >
> > > > > -----Original Message-----
> > > > > From: Jamey Kirby
> > > > > Sent: Friday, March 31, 2000 10:51
> > > > > To: File Systems Developers
> > > > > Subject: [ntfsd] RE: Accessing network from a system thread
> > > > >
> > > > > When you create the system thread, you need to make sure you create it in a
> > > > > process context that has network access rights. For example, you can create
> > > > > the thread from an IOCTL. Rather than using NULL as the process, use
> > > > > NtCurrentProcess().
> > > > >
> > > > > Jamey
> > > > > StorageCraft
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: xxxxx@lists.osr.com
> > > > > > [mailto:xxxxx@lists.osr.com]On Behalf Of Max Lyadvinsky
> > > > > > Sent: Friday, March 31, 2000 12:35 AM
> > > > > > To: File Systems Developers
> > > > > > Subject: [ntfsd] Accessing network from a system thread
> > > > > >
> > > > > >
> > > > > > Dear All!
> > > > > >
> > > > > > How can I access network files from the context of the system
> > > > > > process? I’ve got access denied when trying to open such a file.
> > > > > > How can I impersonate the logged in user in the system thread to
> > > > > > access network files?
> > > > > >
> > > > > > Thanx a lot,
> > > > > > Max
> > > > > >
> > > > > >
> > > > > > —
> > > > > > You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> > > > > > To unsubscribe send a blank email to $subst(‘Email.Unsub’)
> > > > > >
> > > > > >
> > > > >=20
> > > > >=20
> > > > > —
> > > > > You are currently subscribed to ntfsd as: =
> xxxxx@pandasoftware.es
> > > > > To unsubscribe send a blank email to =
> $subst(‘Email.Unsub’)
> > > >=20
> > > > —
> > > > You are currently subscribed to ntfsd as: =
> xxxxx@pandasoftware.es
> > > > To unsubscribe send a blank email to =
> $subst(‘Email.Unsub’)
> > >=20
> > > —
> > > You are currently subscribed to ntfsd as: xxxxx@paragon.ru
> > > To unsubscribe send a blank email to =
> $subst(‘Email.Unsub’)
> > >=20
> > >=20
> >=20
> > —
> > You are currently subscribed to ntfsd as: xxxxx@paragon.ru
> > To unsubscribe send a blank email to $subst(‘Email.Unsub’)
> >=20

I see a macro in NTIFS.H called SeDeleteClientSecurity(). Are you calling
this?

-----Original Message-----
From: xxxxx@netlexis.com [mailto:xxxxx@netlexis.com]
Sent: Tuesday, June 13, 2000 7:00 PM
To: File Systems Developers
Subject: [ntfsd] RE: Accessing network from a system thread

Using the code sample below on NT4 SP6 as follows:
MyImpersonate (UserThread)
{

qos.ContextTrackingMode = SECURITY_STATIC_TRACKING;

SeCreateClientSecurity (UserThread, …)

SeImpersonateClient(…)
}


while (lots){
MyImpersonate (SomeThread);
…[Network file activity]
PsRevertToSelf ();
}

Gives me a huge memory leak. Changing ContextTrackingMode to
SECURITY_DYNAMIC_TRACKING, I now get a small memory leak, but still
significant over a 24 hour period.

Clues would be useful!


What is the difference between security static and dynamic tracking?


From: xxxxx@netlexis.com[SMTP:xxxxx@netlexis.com]
Reply-To: File Systems Developers
Sent: 14 ??? 2000, 4:00
To: File Systems Developers
Subject: [ntfsd] RE: Accessing network from a system thread

Using the code sample below on NT4 SP6 as follows:
MyImpersonate (UserThread)
{

qos.ContextTrackingMode = SECURITY_STATIC_TRACKING;

SeCreateClientSecurity (UserThread, …)

SeImpersonateClient(…)
}


while (lots){
MyImpersonate (SomeThread);
…[Network file activity]
PsRevertToSelf ();
}

Gives me a huge memory leak. Changing ContextTrackingMode to
SECURITY_DYNAMIC_TRACKING, I now get a small memory leak, but still
significant over a 24 hour period.

Clues would be useful!

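The leak reported in this thread and the SeDeleteClientSecurity() pairing suggested in reply, as an added user-mode model; it is not code from any poster and not WDK code. Every mock_* function is a hypothetical stand-in that mimics only the reference counting, and the model assumes that static tracking captures a private copy of the token while dynamic tracking takes a reference to the thread's existing token.

```c
/* Added example: user-mode model of the create / impersonate / revert /
 * delete pairing. All mock_* names are hypothetical, not WDK functions. */
#include <stdio.h>

typedef struct { long refs; } mock_token;
typedef enum { STATIC_TRACKING, DYNAMIC_TRACKING } mock_tracking;
typedef struct { mock_token *token; mock_token copy; int is_copy; } mock_client_context;
typedef struct { long leaked_copies; long leaked_refs; } leak_report;

static long live_copies;          /* token copies created and not yet released */
static mock_token *impersonated;  /* token the modelled thread impersonates */

/* Models SeCreateClientSecurity. Assumption: static tracking snapshots the
 * token into a private copy, dynamic tracking references the live token. */
static void mock_create_client_security(mock_token *thread_token,
                                        mock_tracking mode, mock_client_context *ctx)
{
    ctx->is_copy = (mode == STATIC_TRACKING);
    if (ctx->is_copy) { ctx->copy.refs = 0; live_copies++; } /* stands in for a pool allocation */
    ctx->token = ctx->is_copy ? &ctx->copy : thread_token;
    ctx->token->refs++;           /* reference owned by the client context */
}

/* Model SeImpersonateClient / PsRevertToSelf as a balanced reference pair. */
static void mock_impersonate_client(mock_client_context *ctx)
{ impersonated = ctx->token; impersonated->refs++; }
static void mock_revert_to_self(void)
{ if (impersonated) { impersonated->refs--; impersonated = NULL; } }

/* Models SeDeleteClientSecurity: releases the context's own reference. */
static void mock_delete_client_security(mock_client_context *ctx)
{
    if (--ctx->token->refs == 0 && ctx->is_copy) live_copies--;
    ctx->token = NULL;
}

/* The loop from the thread; call_delete = 0 reproduces the posted pattern. */
static leak_report run_loop(mock_tracking mode, int iterations, int call_delete)
{
    mock_token thread_token = { 1 };   /* reference held by the user's thread */
    live_copies = 0;
    for (int i = 0; i < iterations; i++) {
        mock_client_context ctx;
        mock_create_client_security(&thread_token, mode, &ctx);
        mock_impersonate_client(&ctx);
        /* ... network file activity ... */
        mock_revert_to_self();
        if (call_delete) mock_delete_client_security(&ctx);
    }
    return (leak_report){ live_copies, thread_token.refs - 1 };
}

int main(void)
{
    printf("static, no delete:   %ld copies leaked\n", run_loop(STATIC_TRACKING, 1000, 0).leaked_copies);
    printf("dynamic, no delete:  %ld refs leaked\n", run_loop(DYNAMIC_TRACKING, 1000, 0).leaked_refs);
    printf("static, with delete: %ld copies leaked\n", run_loop(STATIC_TRACKING, 1000, 1).leaked_copies);
    return 0;
}
```

In the driver loop, the corresponding change is a call to SeDeleteClientSecurity(&securityContext) after PsRevertToSelf() on every iteration.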