You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@apr.apache.org by Luke Kenneth Casson Leighton <lk...@samba-tng.org> on 2001/08/29 16:32:40 UTC

[Nicolas.Williams@ubsw.com: Re: Interposing LSA functions (was: RE: [pamldap] PAM for Windows NT/2000)]

----- Forwarded message from Nicolas Williams <Ni...@ubsw.com> -----

Delivered-To: lkcl@angua.rince.de
Date: Wed, 29 Aug 2001 10:26:47 -0400
From: Nicolas Williams <Ni...@ubsw.com>
To: Luke Kenneth Casson Leighton <lk...@samba-tng.org>,
	Luke Howard <lu...@padl.com>
Cc: jalbertop@aranea.com.mx, norbert.klasen@daasi.de,
	pamldap@padl.com
Subject: Re: Interposing LSA functions (was: RE: [pamldap] PAM for Windows NT/2000)
X-Mailer: Mutt 0.93.2i
In-Reply-To: <20...@angua.rince.de>; from Luke Kenneth Casson Leighton on Wed, Aug 29, 2001 at 04:10:34PM +0200
X-WDR-Disclaimer: Version $Revision: 1.13 $

On Wed, Aug 29, 2001 at 04:10:34PM +0200, Luke Kenneth Casson Leighton wrote:
> On Wed, Aug 29, 2001 at 08:45:39PM +1000, Luke Howard wrote:
> > 
> > The URL:
> > 
> > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/hh/secpack/customsecfunctions_9js1.asp
> > 
> > is worth a look as it describes the API used to retrieve the
> > authorization data for a user and create an LSA security token
> > from that data. 
> > 
> 
> interesting.  so it might be possible to write
> a setuid() for nt and for cygwin, after all.

It exists, in a way, you just have to have the client's AP-REQ!

Actually, here's how it works:

 - if you're a system service (a daemon running as root) you can become
   (impersonate) any local user

 - if you're any kind of service, even non-priviledged, you can become
   (impersonate) any domain user who authenticates to you using GSS-API
   (SSPI). This works because:

    - a) the service passes the GSS tokens to the LSA,

    which

    - b) validates the tokens (and produces tokens) using any secret
         keys (which the service need not have access to)

   and

    - c) obtains the client's profile which the LSA then uses to provide
         a handle to the service which the service can then use to
	 *locally* impersonate the client

You can't adapt that to the setuid() model -- that's because the setuid
model sucks. Firstly because the UIDs are a flat namespace (so no domain
users) and secondly because the above model does not fit.

I'd rather adapt the win2k model to Unix.

> i'm cc'ing this to apr dev: someone there might
> be interested in investigating and completing the
> apr user-related functions.
>
> luke


Cheers,

Nico
--
. 

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only 
for the individual named.  If you are not the named addressee you 
should not disseminate, distribute or copy this e-mail.  Please 
notify the sender immediately by e-mail if you have received this 
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, destroyed, 
arrive late or incomplete, or contain viruses.  The sender therefore 
does not accept liability for any errors or omissions in the contents 
of this message which arise as a result of e-mail transmission.  If 
verification is required please request a hard-copy version.  This 
message is provided for informational purposes and should not be 
construed as a solicitation or offer to buy or sell any securities or 
related financial instruments.

----- End forwarded message -----