NT Service and COM

Duncan Booth duncan at NOSPAMrcp.co.uk
Mon Jun 25 03:37:06 EDT 2001


Michael Powe <michael at trollope.org> wrote in 
news:87elsb2hbw.fsf at cecilia.trollope.org:

>>>>>> "Duncan" == Duncan Booth <duncan at NOSPAMrcp.co.uk> writes:
>     Duncan> I'm not sure how to get round this. I can use DCOMCNFG to
>     Duncan> give access, but I feel I should be able to set the
>     Duncan> security from inside the process.  Unfortunately I cannot
> 
> This would be a horrible security weakness if it is allowed.  What's
> to stop somebody from cracking a process and having it reset its own
> security to, say, 'administrator' and having fun with the system?
> 

Perhaps I wasn't clear enough. I don't want the service to have special 
privileges: it is publishing the COM object, not attempting to use it. My 
own userid, which is in the 'Power Users' group, doesn't have sufficient 
privileges to use the COM object by default. So far I can get around this 
by giving my userid (or a group) access to all DCOM objects on the machine, 
but it would seem reasonable for the COM server to be able to selectively 
grant other users access to itself.
This doesn't require the process to be able to give itself any additional 
privileges, so the problem you are worrying about doesn't arise.

-- 
Duncan Booth                                             duncan at rcp.co.uk
int month(char *p){return(124864/((p[0]+p[1]-p[2]&0x1f)+1)%12)["\5\x8\3"
"\6\7\xb\1\x9\xa\2\0\4"];} // Who said my code was obscure?


