JobObjects and Permissions  
Karlis

I am looking for a way to design an application that runs from a user account, possibly admin, possibly non-admin, spawns a group of processes, which in turn spawn more grandchild processes, and at termination kills all processes including grandchild ones.

Because there is no straight parent-child-grandchild relation in Windows, I found that it's best to use jobObjects for process grouping; unfortunately, there seems to be trouble all the way from here.

Firstly I tried creating the job object with a user account (foo) and spawning suspended processes with a (bar) limited account (CreateProcessWithLogonW), then adding them to the job object - access denied. Then I tried setting DACLs to NULL or "O:OWD:" or "O:OWD:(a;;ga;;ow)" or <insert more variations here>, setting security descriptors to inherited and a whole lot of other things - always the same result - access denied when adding a process to the job object.

Now I have migrated to a slightly different way of doing the same thing -> get a (bar) limited user account token, impersonate this user, create a job object and processes, assign them - same dreaded access denied.

When I check the running process with Winternals Process Explorer, I see a job object with all rights enabled except execute for the limited user.

And maybe this will help: the processes are started from within a screen saver, which as far as I've found from research runs with user privileges (admin/operator/guest/anything...), and admin privileges are not welcome.

By the way when I tried to use:

in_inf->JobToken = restrictedToken;
in_inf->SecurityLimitFlags = JOB_OBJECT_SECURITY_ONLY_TOKEN | JOB_OBJECT_SECURITY_NO_ADMIN;

to set execution rights for a job object, I receive the "A required privilege is not held by the client." message.

Is it possible to do what I need at all?

