James V
Hi,
I am trying to add logging capabilities to a Windows (2000/XP/2003)
application that can run under any user context (not necessarily a member of
admin).
The problem is that every time a different user runs the application, the
log files would be created/written under his credentials.
Some users can have limited permissions and are not allowed to access various
parts of the file system.
Furthermore, if a limited user created/wrote to a file, he has permissions
to view and change it, and
I do not want limited users to be able to view or modify the log files.
If I create the files with admin privileges, limited users will not be able
to write/modify them.
I could create a logging service that uses IPC to connect to the server
application and manage the logging for it, but it seems like overkill.
I considered using a special user account that would be impersonated by our
application (using login API and SSPI) and would do the actual log file
manipulation, but the problem is that login API and SSPI can require
certain privileged user permissions (SE_TCB_NAME) for the impersonation to
work properly (the impersonation level does not allow resource access).
Is there any way around the login API and SSPI limitations?
Is there any way to set application-level (not user-level) permissions ->
allow only a certain application to write to a file?
Any ideas or comments would be appreciated.
Thank you,
James