apr-dev mailing list archives

From Mladen Turk <mt...@apache.org>
Subject Re: [PATCH] set process attribute uid (WAS: [PATCH] WIN32 CreateProcessAsUser)
Date Fri, 27 Aug 2004 11:00:07 GMT
Jeff Trawick wrote:

>>The unix version uses apr_uid_get to obtain the uid and gid,
>>but the actual code is noop for now.
> either return ENOTIMPL and don't bother putting in dead, untested
> code, or activate the code and hope for the best; the latter is how
> many things begin working ;)

OK, I'll test on Unix (I only have FreeBSD) and then enable it.

>>The win version now makes sure that the calling thread does
>>not remain under impersonated user if something goes wrong.
> it seems very uncool for apr_procattr_FOO_set to modify any
> characteristics of the calling thread/process...  is that happening on
> Win32?  there's quite a bit of interesting logic in
> apr_procattr_user_set for Win32

That's the only way AFAICT to enable the 'RunAs'.
The calling thread is switching to a different account only to call
the single API function and then reverts. Other threads are not 
affected, even if this is a main thread.

The actual code comes from jakarta-commons/daemon's procrun, which
I wrote, and it drives Tomcat as a service, so it's quite tested :).

>>+ */
>>+APR_DECLARE(apr_status_t) apr_procattr_user_set(apr_procattr_t *attr,
>>+                                                const char *username,
>>+                                                const char *password);
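
Review bot: `const char *password` in the apr_procattr_user_set declaration carries a cleartext credential, and the visible signature gives no way to tell how long it lives. The doc comment that closes just above should state whether the attr copies the string into its pool or only keeps the caller's pointer, and whether NULL is accepted where the password is not used (the Unix path described in this thread looks up a uid and gid).
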
> maybe this should allow specifying a group too, in case on Unix you
> don't want to require that the identity change to the default group of
> the specified user?

OK. Any suggestions for the name of the second param?
Perhaps grp_or_pwd?

>>--- test/testproc.c     14 May 2004 14:43:22 -0000      1.46
>>+++ test/testproc.c     27 Aug 2004 08:18:04 -0000
>>@@ -21,6 +21,11 @@
>> #include "testutil.h"
>> #define TESTSTR "This is a test"
>>+/* You will need to create an account with
>>+ * 'Replace a process level token' priviledge set.
>>+ */
>>+#define USERNAME "test"
>>+#define PASSWORD "test"
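
Review bot: `#define PASSWORD "test"` hard-codes a guessable credential for an account that the comment above says must hold the 'Replace a process level token' privilege, so anyone who follows that instruction leaves such an account on the machine with the password "test". Read the user name and password from the environment (or a build-time option) and skip the test when they are unset; also, "priviledge" in the comment should be "privilege".
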
> shouldn't this be an optional aspect of the test?  folks will want to
> be able to run the test suite without adding new accounts

OK. Seems reasonable.
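
The Unix side of the attribute discussed in this thread, as an added example that is not part of the original message and is not APR code: the identity change is applied only in the forked child, with the group set explicitly as suggested above, so the calling process is never modified. `drop_to_user` and `spawn_as` are hypothetical names, the exit codes 126 and 127 are this example's own convention, and a POSIX system is assumed.

```c
#define _DEFAULT_SOURCE            /* for setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: switch the *current* process to uid/gid.
 * Order matters: groups, then gid, then uid. Once the uid is dropped
 * the process no longer has the right to change its groups. */
static int drop_to_user(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)  /* clear inherited groups */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify: real and effective ids must both match the target. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* A dropped process must not be able to become root again. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Hypothetical helper: run argv[0] as uid/gid and return the child's exit
 * status, or -1 on fork/wait failure. 126 means the identity switch
 * failed, 127 means exec failed (this example's convention). */
int spawn_as(uid_t uid, gid_t gid, char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {                   /* child: the only place ids change */
        if (drop_to_user(uid, gid) != 0)
            _exit(126);               /* never exec under the wrong identity */
        execv(argv[0], argv);
        _exit(127);
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Checking every return value and refusing to exec on failure is the point: a child that silently keeps the parent's identity is the failure mode to avoid.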

