Win2000: how can I do the equivalent of Unix's SUID under Win2K?

jones42
Is there a way for the owner of an executable (or script, shortcut, etc) to set a permission such that any user executing that file AUTOMATICALLY assumes the owner's identity for that process (and subprocesses, etc)?

"Run As" always appears to require a password to be entered, which is neither friendly nor secure if that means the administrator password must be given out.

Yes, I am aware that suid itself has security implications, but I'd rather deal with that than Run As.

Thanks.
- Michael.
Commented:
Windows (thankfully) does NOT have any capability like SUID in unix.  This is an incredibly dangerous feature and many exploits of unix/linux systems have been based on this.

What you DO have are some other possibilities:

1) A SERVICE running on the machine is the most common way of running applications with userid and privileges different from the interactive user.  You make a typical application using a service in two parts, the service that does the "dirty" work and a user-interface of some sort that interacts with the user.  The service carefully validates the request and then acts upon it.

2) An application that uses the Windows LogonUser() capability.  Here you are essentially doing a "Run As..." and the process is started as another user.  Of course the proper authentication of that user must be done and so usually you ask for a username/password when doing this.  It is NOT a good idea to embed username/password information inside such an application.

My recommendation is the SERVICE solution.
Falco Bethke, performance engineering
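The "service that does the dirty work plus a front end that talks to it" design in option 1 stands or falls on the validation step, so here is an added, platform-neutral sketch of that validation (my illustration, not code from the poster or from any Windows component). It assumes a privileged broker that receives a small JSON request over some transport, that the transport vouches for the caller's account name (on Windows that would be the named-pipe client's identity obtained by impersonation, never a name taken from the request body), and a constructed allowlist of actions and a constructed per-account policy. The broker only ever performs actions it already knows how to do; callers cannot hand it a command line, path or executable.

```python
import json
import re

# Actions the privileged side is willing to perform, with the exact argument
# names each accepts and a pattern every argument value must match
# (constructed sample allowlist).
ALLOWED_ACTIONS = {
    "restart_app": {"instance": re.compile(r"^[a-z0-9_-]{1,32}$")},
    "rotate_log": {},
}

# Which caller accounts may request which actions (constructed sample policy).
ACTION_POLICY = {
    "restart_app": {"alice", "bob"},
    "rotate_log": {"alice"},
}


def validate_request(raw, caller):
    """Return (action, args) for an acceptable request, else raise ValueError.

    `caller` is the account the transport vouched for; the request body is
    never trusted to say who sent it.
    """
    try:
        req = json.loads(raw)
    except ValueError:
        raise ValueError("malformed request")
    # Exact shape only: an extra key such as "caller" or "cmd" is rejected.
    if not isinstance(req, dict) or set(req) != {"action", "args"}:
        raise ValueError("unexpected request shape")
    action, args = req["action"], req["args"]
    if action not in ALLOWED_ACTIONS:
        raise ValueError("unknown action")
    if caller not in ACTION_POLICY[action]:
        raise ValueError("caller not permitted")
    schema = ALLOWED_ACTIONS[action]
    if not isinstance(args, dict) or set(args) != set(schema):
        raise ValueError("argument set does not match schema")
    for name, pattern in schema.items():
        if not isinstance(args[name], str) or not pattern.fullmatch(args[name]):
            raise ValueError("argument %r rejected" % name)
    return action, args


class PrivilegedService:
    """The part that would run under the service account."""

    def __init__(self):
        self.audit = []        # (decision, caller, detail) per request
        self.actions_run = []  # privileged work actually performed

    def _restart_app(self, instance):
        # Stand-in for the privileged work a real service would do here.
        self.actions_run.append(("restart_app", instance))

    def _rotate_log(self):
        self.actions_run.append(("rotate_log",))

    def handle(self, raw, caller):
        """Validate one request, perform it if allowed, and record the outcome."""
        try:
            action, args = validate_request(raw, caller)
        except ValueError as exc:
            self.audit.append(("deny", caller, str(exc)))
            return {"ok": False, "error": str(exc)}
        getattr(self, "_" + action)(**args)
        self.audit.append(("allow", caller, action))
        return {"ok": True}


if __name__ == "__main__":
    svc = PrivilegedService()
    # Constructed sample traffic: one good request and several bad ones.
    print(svc.handle('{"action": "rotate_log", "args": {}}', "alice"))
    print(svc.handle('{"action": "rotate_log", "args": {}}', "bob"))
    print(svc.handle('{"action": "restart_app", "args": {"instance": "web; whoami"}}', "alice"))
    print(svc.handle('{"action": "run", "args": {"cmd": "cmd.exe"}}', "alice"))
    for entry in svc.audit:
        print(entry)
```

The two properties worth copying into a real Win32 service are that identity comes from the transport and that the request selects an action from a fixed menu rather than describing what to run; everything else (the JSON shape, the regexes, the account names) is a placeholder for whatever the real front end and service agree on.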

Commented:
100% agree

Author

Commented:
Thanks for the comments. Unfortunately, I'm not sure either suggestion will work for me - I'm trying to work around the lack of proper Win2K compatibility in a couple of existing applications. These apps don't run properly unless run as an administrator. I can't convince the vendor to fix them, and I surely don't have access to the code to alter it myself.

Perhaps I could use your second solution after all to make a wrapper for the badly written apps and embed the admin password so it doesn't need to be entered manually.

Thanks.
Commented:
In cases like this a free utility called FireDaemon may be useful.

http://www.firedaemon.com
