Corinna Vinschen
Fri Dec 13 03:50:00 GMT 2002

On Fri, Dec 13, 2002 at 11:55:46AM +0100, Hartmut Honisch wrote:
> Hi Pierre,
> I think I found a way to make GetUserName return the correct user after
> impersonating a token created by NtCreateToken: The token needs a valid
> logon session id, one that is associated with the correct user.
> As I mentioned, when logging on, Windows creates a new logon session, and
> LSA associates the username with that session.
> And even though NtCreateToken allows to specify a TokenUser, it seems that
> when impersonating a token, Windows replaces the TokenUser by the user
> associated with the token's logon session id. And since create_token uses
> the active logon session associated with the _impersonating_ user, not the
> user to _be_ impersonated, TokenUser will contain the wrong user name after
> impersonating it.
> So I successfully tried the following approach:
> - use subauthentication to create a new logon session for the new user
> - if the token is suitable (i.e. verify_token returns TRUE), use it for
> impersonation
> - if the token is not suitable (because of the setgid issues you explained to
> me), call create_token, but reuse the subauthentication token's logon
> session id in the new token.
> I verified that with a token created by NtCreateToken (with the right logon
> session id of course), I'm able to impersonate and GetUserName /
> GetTokenInformation(...TokenUser...) will give me the correct user.

That sounds really interesting.  If we turn around the order in
seteuid again (first call subauth, if that fails create_token) we
could use that extra step as explained above to create a correct
logon token.  It's just important that the current NtCreateToken
stuff still works as today if subauth is not installed.


Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                      
Red Hat, Inc.
