Topic: something like suEXEC for windows
daytalker
Joined: 07 Aug 2007
Posts: 10

Posted: Tue 07 Aug '07 11:10    Post subject: something like suEXEC for windows

Hi there,

I'm still new to things like Apache, so I got my first problems very fast.

A client wants to connect to a webserver, this is OK, and we let this happen.
The client now authenticates with mod_auth_sspi and the AD.

Now the client wants to start an application on the server, this is great, but I need this application running with the client's user rights context. So I have to impersonate the client / user and then start the application with the user context.

On Unix there is the module suEXEC, which accomplishes impersonation of the client.

Is there any comparable module for Windows? Or do you have an idea of how I could get a workaround for this problem?

I appreciate every answer to this post, even if it's an answer that doesn't resolve it.

Thanks for listening to me
daytalker

James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

Posted: Tue 07 Aug '07 12:01

The only program I know is runas

e.g.
Code:

runas /user:User@Domain.bla.tld "notepad \"myfiel.txt\""


That works only if the user calls the program through a server-side programming language like PHP or Perl.

use cmd => runas /? for more info.

daytalker
Joined: 07 Aug 2007
Posts: 10

Posted: Tue 07 Aug '07 15:14

Yes, I tried it before ...

runas, lsrunas, sanur, lsrunasE

but if I run these programs, they don't run the way I want them to ...

James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

Posted: Tue 07 Aug '07 16:04

What does runas do wrong? What don't you like?

daytalker
Joined: 07 Aug 2007
Posts: 10

Posted: Wed 08 Aug '07 10:18

It's hard to describe, but I'll try.

First, runas starts the programs in the preferred user context, this is right. If I open the task manager it shows me, let's say, cmd.exe running with the credentials of daytalker instead of apache. That looks fine.

But the cmd.exe does nothing. Let's say the cmd.exe is called by a batch file or an .exe where some work is to be done, I expect it to be done. But nothing's done.

OK, for this I have to say, I didn't get runas to work the way I wanted, because I work with Perl and I didn't get the password passed to runas. So I tried with Sanur or Lsrunas.

And something like the user context switched only if Apache was running under the user I preferred to switch to ... it was incredible, so I swamped it out of my memory ... perhaps I did something wrong?

daytalker
Joined: 07 Aug 2007
Posts: 10

Posted: Mon 13 Aug '07 9:53

OK, I have now tested again with runas / sanur and lsrunas, and now I can tell you exactly what's going wrong with them:

First, the programs sanur and lsrunas are sitting in my htdocs directory.
The client, connecting to my server and authenticated against the AD via mod_auth_sspi, starts a CGI script which should start a *.bat in the htdocs directory but with the credentials of the client.

So I call runas with sanur or lsrunas like this:

$lsrunas = "c:\\Apache2.2\\htdocs\\lsrunas.exe";
$sanur = "c:\\apache2.2\\htdocs\\sanur.exe";

system("runas.exe /user:rsint\\$user c:\\Apache2.2\\htdocs\\t.bat \| $sanur $password");

system("$lsrunas /user:$user /password:$password /domain:rsint /command:c:\\Apache2.2\\htdocs\\t.bat /runpath:c:\\");

If I call the runas statement, nothing is done ... task manager shows nothing and nothing happens ... for testing I have only the statements mkdir and sleep in the batch file.
If I call the lsrunas statement, task manager shows the cmd.exe running with my credentials, but nothing else happens and the cmd.exe won't terminate in task manager ...

Please ... does anybody have any ideas?
Thanks for reading my post
daytalker

James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

Posted: Mon 13 Aug '07 10:02

Use
<pre>
<?php
error_reporting(E_ALL);
passthru("lorem ipsum");
?>
</pre>
to see what comes out. Maybe there is an error. Also, you can set
in php.ini
log_errors = On
error_log = /server2/logs/phperror.log

to see an error which isn't output.

daytalker
Joined: 07 Aug 2007
Posts: 10

Posted: Mon 13 Aug '07 10:36

öhm ...

I'm scripting with Perl ... is there something in Perl I can do this with?

James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

Posted: Mon 13 Aug '07 11:14

I'm not used to Perl, but Google tells me that qx() can give you some feedback if there is an error.

Code:

my $Output = qx("runas.exe /user:rsint\\$user c:\\Apache2.2\\htdocs\\t.bat \| $sanur $password");
print "$Output";

daytalker
Joined: 07 Aug 2007
Posts: 10

Posted: Mon 13 Aug '07 11:33

Thanks ... does qx only fire if an error appears?
edit: qx gives the return statement of the cmd command, so everything I would get on the command line, I get with qx - and my calls give nothing back :(

If that's the case, there is no error ... nothing is inside $Output

I tried it with
Code:
my $Output = qx("\"c:\\apache2.2\\htdocs\\lsrunas\" /user:$user /password:$password /domain:rsint  command:\"c:\\Apache2.2\\htdocs\\t.bat\" /runpath:c:\\");


and

Code:
my $Output = qx("runas.exe /user:rsint\\$user c:\\Apache2.2\\htdocs\\t.bat \| $sanur $password");


edit the 2nd:
I think it's correct that no error appears. The process is running with the new credentials but it doesn't do anything. Lsrunas is only for starting with other credentials ... so the error should be somewhere else, right? runas with sanur gives nothing back; it would give nothing back if there were an error, too.

Is there a possibility to start runas from Perl without sanur and to give runas the password? I tried some things, but every time it's waiting for user interaction to give the password (I don't know if I explained it coherently)
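
Editor's added example, not code from any poster in this thread: plain `qx` returns only the child's stdout, so a helper that reports its failure on stderr or through its exit code leaves `$Output` empty. The sketch below captures both streams, decodes `$?`, and checks an account name before it is placed in a command line; `safe_account`, `run_captured`, the name pattern, and the demo command and inputs are hypothetical and constructed for illustration.

```perl
use strict;
use warnings;

# Accept only a plain account name before it is placed in a command line.
# The pattern is an assumption for this example; match it to your own
# directory's naming rules.
sub safe_account {
    my ($name) = @_;
    return undef unless defined $name;
    return $name =~ /\A[A-Za-z0-9._-]{1,64}\z/ ? $name : undef;
}

# Run a command line, capture stdout AND stderr, and decode $? so that a
# helper which fails silently still leaves evidence.
sub run_captured {
    my ($cmdline) = @_;
    my $output = qx{$cmdline 2>&1};    # qx on its own returns stdout only
    return { started => 0, error => "$!" } if $? == -1;
    return {
        started => 1,
        exit    => $? >> 8,            # exit code of the child
        output  => defined $output ? $output : '',
    };
}

# Constructed stand-in for a helper that writes only to stderr and exits 5.
my $demo = 'perl -e "print STDERR q(access denied); exit 5"';
my $r    = run_captured($demo);
if ($r->{started}) {
    print "exit=$r->{exit} output=[$r->{output}]\n";
} else {
    print "could not start: $r->{error}\n";
}

# Constructed inputs: one plain name, one carrying shell metacharacters.
for my $candidate ('daytalker', 'x & echo injected') {
    printf "%-18s %s\n", $candidate,
        defined(safe_account($candidate)) ? 'accepted' : 'rejected';
}
```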

James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

Posted: Tue 14 Aug '07 15:59

You can call runas with the parameter /savecred. Then runas won't ask again (only one time until you turn off or reboot). That will work only with one user :(

daytalker
Joined: 07 Aug 2007
Posts: 10

Posted: Tue 14 Aug '07 16:03

Damn ... is there no other chance to start a process with user credentials other than the ones Apache runs under? Or any module for Apache which automatically impersonates the authenticated user?

I'm frustrated ... it can't be that IIS performs this feature and Apache doesn't ...

James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

Posted: Tue 14 Aug '07 17:36

While googling for the runas command without prompting, I saw a post in a forum about a non-free product.

daytalker
Joined: 07 Aug 2007
Posts: 10

Posted: Thu 16 Aug '07 8:21

I don't think that I will use this product, but I'll take a look ...

Thanks for your help ...

It's so depressing