daytalker
Joined: 07 Aug 2007 Posts: 10
|
Posted: Tue 07 Aug '07 11:10 Post subject: something like suEXEC for windows |
|
|
Hi there,
I'm still new to things like Apache, so I ran into my first problems very quickly.
A client wants to connect to a webserver; this is ok, and we let this happen.
The client now authenticates with mod_auth_sspi and the AD.
Now the client wants to start an application on the server. This is great, but I need this application running in the client's user rights context. So I have to impersonate the client / user and then start the application with the user context.
In Unix there is the module suEXEC, which accomplishes impersonation of the client.
Is there any comparable module for Windows? Or do u have an idea of how I could get a workaround for this problem?
I appreciate every answer to this post, even if it's an answer that doesn't lead to a solution.
thx for listening to me
daytalker |
|
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Tue 07 Aug '07 12:01 Post subject: |
|
|
The only program I know is runas
e.g.
Code: |
runas /user:User@Domain.bla.tld "notepad \"myfile.txt\""
|
That works only if the user calls the program through a server-side programming language like PHP or Perl.
Use cmd => runas /? for more info. |
|
|
daytalker
Joined: 07 Aug 2007 Posts: 10
|
Posted: Tue 07 Aug '07 15:14 Post subject: |
|
|
yes, I tried it before ...
runas, lsrunas, sanur, lsrunasE
but if I run these programs, they don't run the way I want them to ... |
|
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Tue 07 Aug '07 16:04 Post subject: |
|
|
What does runas do wrong? What don't you like? |
|
|
daytalker
Joined: 07 Aug 2007 Posts: 10
|
Posted: Wed 08 Aug '07 10:18 Post subject: |
|
|
It's hard to describe, but I'll try.
First, runas starts the programs in the preferred user context, this is right. If I open the task manager it shows me, let's say, cmd.exe running with the credentials of daytalker instead of apache. That looks fine.
But the cmd.exe does nothing. Let's say the cmd.exe is called by a batch or a .exe where some work is to be done; I expect it to be done. But nothing's done.
OK, for this I have to say, I didn't get runas to work the way I wanted, because I work with Perl and I couldn't get the password passed to runas. So I tried with Sanur or Lsrunas.
And something like the user context switched only if Apache was running under the user I preferred to switch to ... it was incredible, so I swamped it out of my memory ... perhaps I did something wrong? |
|
|
daytalker
Joined: 07 Aug 2007 Posts: 10
|
Posted: Mon 13 Aug '07 9:53 Post subject: |
|
|
ok, I tested again now with runas / sanur and lsrunas and now I can tell u exactly what's going wrong with them:
First, the programs sanur and lsrunas are sitting in my htdocs directory.
The client, connecting to my server and authenticated against the AD via mod_auth_sspi, starts a CGI script which should start a *.bat in the htdocs directory but with the credentials of the client.
So I call runas with sanur, or lsrunas, like this:
$lsrunas = "c:\\Apache2.2\\htdocs\\lsrunas.exe";
$sanur = "c:\\apache2.2\\htdocs\\sanur.exe";
system("runas.exe /user:rsint\\$user c:\\Apache2.2\\htdocs\\t.bat \| $sanur $password");
system("$lsrunas /user:$user /password:$password /domain:rsint /command:c:\\Apache2.2\\htdocs\\t.bat /runpath:c:\\");
If I call the runas statement nothing is done ... task manager shows nothing and nothing happens ... for testing I've got only the statements mkdir and sleep in the batch file.
If I call the lsrunas statement, task manager shows the cmd.exe running with my credentials, but nothing else happens and the cmd.exe won't terminate in task manager ...
pls ... anybody any ideas?
thx for reading my post
daytalker |
|
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Mon 13 Aug '07 10:02 Post subject: |
|
|
Use
<pre>
<?php
error_reporting(E_ALL);
passthru("lorem ipsum");
?>
</pre>
to see what comes out. Maybe there is an error. Also you can set
in php.ini
log_errors = On
error_log = /server2/logs/phperror.log
to see an error which isn't output. |
|
|
daytalker
Joined: 07 Aug 2007 Posts: 10
|
Posted: Mon 13 Aug '07 10:36 Post subject: |
|
|
uhm ...
I'm scripting with Perl ... is there something in Perl I can do this with? |
|
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Mon 13 Aug '07 11:14 Post subject: |
|
|
I'm not used to Perl, but Google tells me that qx() can give you some feedback if there is an error.
Code: |
my $Output = qx("runas.exe /user:rsint\\$user c:\\Apache2.2\\htdocs\\t.bat \| $sanur $password");
print "$Output";
|
|
|
|
daytalker
Joined: 07 Aug 2007 Posts: 10
|
Posted: Mon 13 Aug '07 11:33 Post subject: |
|
|
thx ... does qx only shoot if an error appears?
edit: qx gives the return statement of the cmd command, so everything I would get inside the command line, I get with qx - and my calls give nothing back
if that's the fact, there is no error ... nothing is inside $Output
tried it with
Code: | my $Output = qx("\"c:\\apache2.2\\htdocs\\lsrunas\" /user:$user /password:$password /domain:rsint command:\"c:\\Apache2.2\\htdocs\\t.bat\" /runpath:c:\\"); |
and
Code: | my $Output = qx("runas.exe /user:rsint\\$user c:\\Apache2.2\\htdocs\\t.bat \| $sanur $password"); |
edit the 2nd:
I think it's correct that no error appears. The process is running with the new credentials but it doesn't do anything. Lsrunas is only for starting with other credentials ... so the error should be somewhere else, or? runas with sanur gives nothing back; it would give nothing back if there were an error, too.
is there a possibility to start runas with Perl without sanur and to give runas the password??? I tried some things, but every time it's waiting for user interaction to give the password (don't know if I explained it coherently) |
|
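An added example, not part of the thread or written by either poster: plain qx() returns only standard output, so a launcher that fails by writing to standard error and setting an exit code leaves the variable empty (under CGI that error text normally ends up in the server's error log). The sketch below captures both streams plus the exit code, and reduces the authenticated name to a bare account name before it is used in a command line. The helper names `safe_account` and `run_captured`, the sample values, and the assumption that REMOTE_USER arrives as `DOMAIN\user` or `user` are illustrative.

```perl
use strict;
use warnings;

# Reduce the authenticated name to a bare account name, or return undef.
# Assumption: REMOTE_USER arrives as DOMAIN\user or user.
sub safe_account {
    my ($name) = @_;
    return undef unless defined $name;
    $name =~ s/\A[^\\]+\\//;                       # drop a leading DOMAIN\
    return $name =~ /\A([A-Za-z0-9._-]{1,64})\z/ ? $1 : undef;
}

# Run a command line and return (exit code, stdout and stderr combined).
# Plain qx() returns stdout only; the exit status is left in $?.
sub run_captured {
    my ($cmdline) = @_;
    my $out = qx($cmdline 2>&1);
    return (-1, "could not start: $!") if $? == -1;
    return ($? >> 8, defined $out ? $out : '');
}

# Constructed sample values, not taken from the thread.
for my $remote_user ('RSINT\\daytalker', 'daytalker & whoami') {
    my $user = safe_account($remote_user);
    printf "%-22s => %s\n", $remote_user, defined $user ? $user : 'rejected';
}

# Constructed stand-in for a launcher that fails: the program does not exist.
my ($code, $text) = run_captured('no_such_launcher_demo /user:test');
print "exit code: $code\noutput: $text\n";
```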
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Tue 14 Aug '07 15:59 Post subject: |
|
|
You can call runas with the parameter /savecred. Then runas won't ask again (only one time until you turn off or reboot). That will work only with one user |
|
|
daytalker
Joined: 07 Aug 2007 Posts: 10
|
Posted: Tue 14 Aug '07 16:03 Post subject: |
|
|
damn ... is there no other chance to start a process with other user credentials than the ones Apache runs with? or any module for Apache which automatically impersonates the authenticated user?
I'm frustrated ... it can't be that IIS performs this feature and Apache doesn't ... |
|
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
|
Posted: Tue 14 Aug '07 17:36 Post subject: |
|
|
While googling "runas command without prompting" I saw a post in a forum about a non-free product. |
|
|
daytalker
Joined: 07 Aug 2007 Posts: 10
|
Posted: Thu 16 Aug '07 8:21 Post subject: |
|
|
I don't think that I will use this product, but I'll take a look ...
thx for ur help ...
it's so depressing |
|
|