NT Service and COM
Duncan Booth
duncan at NOSPAMrcp.co.uk
Mon Jun 25 03:37:06 EDT 2001
Michael Powe <michael at trollope.org> wrote in
news:87elsb2hbw.fsf at cecilia.trollope.org:
>>>>>> "Duncan" == Duncan Booth <duncan at NOSPAMrcp.co.uk> writes:
> Duncan> I'm not sure how to get round this. I can use DCOMCNFG to
> Duncan> give access, but I feel I should be able to set the
> Duncan> security from inside the process. Unfortunately I cannot
>
> This would be a horrible security weakness if it is allowed. What's
> to stop somebody from cracking a process and having it reset its own
> security to, say, 'administrator' and having fun with the system?
>
Perhaps I wasn't clear enough. I don't want the service to have special
privileges: it is publishing the COM object, not attempting to use it. My
own userid, which is in the 'Power Users' group doesn't have sufficient
privileges to use the COM object by default. So far I can get around this
by giving my userid (or a group) access to all DCOM objects on the machine,
but it would seem reasonable for the COM server to be able to selectively
grant other users access to itself.
This doesn't require the process to be able to give itself any additional
privileges, so the problem you are worrying about doesn't arise.
--
Duncan Booth duncan at rcp.co.uk
int month(char *p){return(124864/((p[0]+p[1]-p[2]&0x1f)+1)%12)["\5\x8\3"
"\6\7\xb\1\x9\xa\2\0\4"];} // Who said my code was obscure?
More information about the Python-list
mailing list