SYSKEY, TNG freeze, 2.0.x->TNG merge and other thoughts
Todd Sabin
tas at webspan.net
Wed Feb 9 13:30:39 GMT 2000
Luke Kenneth Casson Leighton <lkcl at samba.org> writes:
> On 8 Feb 2000, Todd Sabin wrote:
>
> > Luke Kenneth Casson Leighton <lkcl at samba.org> writes:
> >
> > >
> > > basically, MSRPC is a remote function call mechanism. if the caller is
> > > root, the remote function call is root. if the caller is a threaded
> > > application, the remote function call is a threaded implementation. if
> > > the caller is user-foo, the remote function call is user-foo.
> > >
> > > that's the way MSRPC is designed, that's its job, and to expect it to do
> > > anything else (e.g run remotely as root) is, in my opinion, asking for
> > > trouble.
> > >
> >
> > No, that's not how MSRPC is designed.
>
> you sure about that?
>
Well, I don't know what was in the mind of the people when they wrote
it, but the stuff below is how it works in practice.
> > The server runs in whatever
> > security context it starts up in. If the call is authenticated, and
> > if the client has permitted it, and if the server decides to do it,
> > the server can impersonate the client for some part of the duration of
> > the call.
> >
> > On NT, lsass (the thing that implements samr and lsarpc) runs in the
> > SYSTEM context, and does so most of the time, even when servicing an
> > RPC. It impersonates the client only briefly to validate that the
> > client has the proper permissions to do what it's asking.
>
> i am curious. what happens inside LsaOpenPolicy(). the connection is
> anonymous, yes. the server is running as SYSTEM context. is it the job
> of the _lsaopenpolicy call_ to switch to the context of the client
> (impersonatenamedpipeclient), or is it the job of the _msrpc handler_ to
> call impersonatenamedpipeclient?
>
It's the job of every call that wants to impersonate. The msrpc part
of it handles marshalling and making sure that there's a token there
to impersonate, should the server want to. It's entirely up to the
server to call RpcImpersonateClient(), and then RpcRevertToSelf() when
it's done.
> logically, i would expect the msrpc handling code to switch the context to
> that of the client, whereupon the function call decides to switch it back
> again because they need SYSTEM privileges.
Nope, it's the exact opposite. :)
Todd
p.s. Sorry about sending from the old address. Should have it fixed
now. (This should be from tas at webspan.net)
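A small portable C model of the pattern Todd describes, added here as an illustration and not code from this thread or from Samba: rpc_impersonate_client() and rpc_revert_to_self() stand in for the Win32 RpcImpersonateClient() and RpcRevertToSelf() calls, and the token, caller and "set policy" handler are constructed for the example rather than taken from NT. It shows the order of operations from the reply: the handler is entered in the server's own context, impersonates the caller only for the access check, reverts, and then does the privileged work as SYSTEM.

```c
/*
 * Added example, not code from the original thread: a portable C model of the
 * impersonation pattern. rpc_impersonate_client() and rpc_revert_to_self()
 * stand in for the Win32 RpcImpersonateClient() and RpcRevertToSelf() calls;
 * the token, call and handler below are constructed for illustration and are
 * not the real NT data structures or the real lsass code.
 */
#include <stdio.h>
#include <string.h>

/* A minimal access token: the principal and whether it may change policy. */
typedef struct {
    const char *name;
    int may_write_policy;
} token_t;

/* An in-flight RPC call and the token the RPC runtime holds for its caller
 * (NULL models "no token available", which the runtime reports as an error). */
typedef struct {
    const token_t *client_token;
} rpc_call_t;

/* Constructed sample principals. */
static const token_t system_token = { "SYSTEM", 1 };
static const token_t admin_token  = { "DOMAIN\\alice", 1 };
static const token_t anon_token   = { "ANONYMOUS LOGON", 0 };

/* The context the handling thread currently runs in: the server's own context
 * until the handler explicitly impersonates. */
static const token_t *current_context = &system_token;
static const char *last_work_context = NULL;

static const char *current_context_name(void) { return current_context->name; }
static const char *work_context(void) { return last_work_context; }

/* Stand-in for RpcImpersonateClient(): switch this thread to the caller's token. */
static int rpc_impersonate_client(const rpc_call_t *call) {
    if (call->client_token == NULL)
        return -1;                     /* nothing to impersonate */
    current_context = call->client_token;
    return 0;
}

/* Stand-in for RpcRevertToSelf(): back to the server's own context. */
static void rpc_revert_to_self(void) { current_context = &system_token; }

/* The access check is evaluated against whatever token the thread holds right
 * now, so it is only meaningful while impersonating. */
static int access_check_write_policy(void) { return current_context->may_write_policy; }

/* Model of a server-side handler that changes policy. The runtime delivered the
 * call in the server's context; the handler impersonates just long enough to
 * run the access check, reverts, and then does the privileged work as SYSTEM.
 * Returns 0 on success and -1 when the call is denied. */
static int handle_set_policy(const rpc_call_t *call) {
    last_work_context = NULL;
    if (rpc_impersonate_client(call) != 0)
        return -1;
    int allowed = access_check_write_policy();
    rpc_revert_to_self();              /* revert on every path, allowed or not */
    if (!allowed)
        return -1;
    /* Privileged work happens here, in the server's own context. */
    last_work_context = current_context_name();
    return 0;
}

/* Convenience wrapper: run one call on behalf of the given caller. */
static int call_set_policy_as(const token_t *client) {
    rpc_call_t call = { client };
    return handle_set_policy(&call);
}

int main(void) {
    const token_t *callers[] = { &admin_token, &anon_token, NULL };
    for (int i = 0; i < 3; i++) {
        int rc = call_set_policy_as(callers[i]);
        printf("caller=%s result=%s work_ran_as=%s thread_now=%s\n",
               callers[i] ? callers[i]->name : "(no token)",
               rc == 0 ? "ok" : "denied",
               work_context() ? work_context() : "-",
               current_context_name());
    }
    return 0;
}
```

The revert is placed before the allowed/denied branch so that no return path leaves the thread holding the caller's token; that is the invariant the handler, not the RPC runtime, is responsible for in this model.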