Security and file permissions....

[Robinson]

May I be so bold as to run a scenario by you and solicit some advice on the
best way to proceed?

I have a database (SQL Server), which stores paths of image files on disk
(on the server). I have a client program on a remote machine that runs
queries on the server, fetching the image files by getting back a table with
the paths in and using the file system to copy or read them over. The
security headache I have at the moment is how to ensure that the user of my
program doesn't have any permissions on the remote filesystem, but that my
client software at certain moments (when it's reading/writing the
repository), does. Can I "elevate" my process to a different user at
various points in the code and then reduce it back again?

Thanks,



Robin

 

[Chris Dunaway]

May I be so bold as to run a scenario by you and solicit some advice on the
best way to proceed?

I have a database (SQL Server), which stores paths of image files on disk
(on the server). I have a client program on a remote machine that runs
queries on the server, fetching the image files by getting back a table with
the paths in and using the file system to copy or read them over. The
security headache I have at the moment is how to ensure that the user of my
program doesn't have any permissions on the remote filesystem, but that my
client software at certain moments (when it's reading/writing the
repository), does. Can I "elevate" my process to a different user at
various points in the code and then reduce it back again?

I use the following class to impersonate a user in one of my programs.
It is called with this syntax:

ImpersonationUtil.Impersonate(userid, password, domain);

And to Un-impersonate:

ImpersonationUtil.Unimpersonate();

I don't remember where I got this class, maybe in these groups!




/// <summary>
/// Impersonate a windows logon.
/// </summary>
public class ImpersonationUtil {

/// <summary>
/// Impersonate given logon information.
/// </summary>
/// <param name="logon">Windows logon name.</param>
/// <param name="password">password</param>
/// <param name="domain">domain name</param>
/// <returns></returns>
public static bool Impersonate( string logon, string password, string
domain ) {
WindowsIdentity tempWindowsIdentity;
IntPtr token = IntPtr.Zero;
IntPtr tokenDuplicate = IntPtr.Zero;

if( LogonUser( logon, domain, password, LOGON32_LOGON_INTERACTIVE,
LOGON32_PROVIDER_DEFAULT, ref token) != 0 ) {

if ( DuplicateToken( token, 2, ref tokenDuplicate ) != 0 ) {
tempWindowsIdentity = new WindowsIdentity(tokenDuplicate);
impersonationContext = tempWindowsIdentity.Impersonate();
if ( null != impersonationContext ) return true;
}
}

return false;
}

/// <summary>
/// Unimpersonate.
/// </summary>
public static void UnImpersonate() {
impersonationContext.Undo();
}

[DllImport("advapi32.dll", CharSet=CharSet.Auto)]
public static extern int LogonUser(
string lpszUserName,
String lpszDomain,
String lpszPassword,
int dwLogonType,
int dwLogonProvider,
ref IntPtr phToken );

[DllImport("advapi32.dll",
CharSet=System.Runtime.InteropServices.CharSet.Auto,
SetLastError=true)]
public extern static int DuplicateToken(
IntPtr hToken,
int impersonationLevel,
ref IntPtr hNewToken );

private const int LOGON32_LOGON_INTERACTIVE = 2;
private const int LOGON32_LOGON_NETWORK_CLEARTEXT = 4;
private const int LOGON32_PROVIDER_DEFAULT = 0;
private static WindowsImpersonationContext impersonationContext;
}

 

[Chris Dunaway]

I use the following class to impersonate a user in one of my programs.
It is called with this syntax:

<snip C# class>

Oops! I thought I was in a C# group. I don't have a VB translation
for this code, it is fairly straight forward. Just take care to get
the API signatures correct. You can go to pinvoke.net for that.

Chris

 

[Robinson]

<snip C# class>

Oops! I thought I was in a C# group. I don't have a VB translation
for this code, it is fairly straight forward. Just take care to get
the API signatures correct. You can go to pinvoke.net for that.

Chris

Superb. I can translate. I'll post it when I'm done to complete the
thread. Thanks.