
subprocess and win32security.ImpersonateLoggedOnUser


Emin.shopper Martinian.shopper

Jun 1, 2009, 9:06:18 AM
to pytho...@python.org
Dear Experts,

I am having some issues with the subprocess module and how it
interacts with win32security.ImpersonateLoggedOnUser. Specifically, I
use the latter to change users but the new user does not seem to be
properly inherited when I spawn further subprocesses.

I am doing something like

import win32security, win32con
handle = win32security.LogonUser(
    user, domain, password, win32con.LOGON32_LOGON_INTERACTIVE,
    win32con.LOGON32_PROVIDER_DEFAULT)

win32security.ImpersonateLoggedOnUser(handle)

Then spawning subprocesses but the subprocesses cannot read the same
UNC paths that the parent could.

Any advice on either spawning subprocesses which inherit parent user
properly or changing users in a better way on Windows would be greatly
appreciated.

Thanks,
-Emin

Tim Golden

Jun 1, 2009, 9:38:47 AM
to pytho...@python.org
Emin.shopper Martinian.shopper wrote:
> Dear Experts,
>
> I am having some issues with the subprocess module and how it
> interacts with win32security.ImpersonateLoggedOnUser. Specifically, I
> use the latter to change users but the new user does not seem to be
> properly inherited when I spawn further subprocesses.
>
> I am doing something like
>
> import win32security, win32con
> handle = win32security.LogonUser(
> user,domain,password,win32con.LOGON32_LOGON_INTERACTIVE,
> win32con.LOGON32_PROVIDER_DEFAULT)
>
> win32security.ImpersonateLoggedOnUser(handle)
>
> Then spawning subprocesses but the subprocesses cannot read the same
> UNC paths that the parent could.

http://support.microsoft.com/kb/111545

"""
Even if a thread in the parent process impersonates a client and then creates a new process, the new process still runs under the parent's original security context and not under the impersonation token.
"""

TJG

Emin.shopper Martinian.shopper

Jun 1, 2009, 9:45:37 AM
to Tim Golden, pytho...@python.org
Thanks. But how do I fix this so that the subprocess does inherit the
impersonated stuff?


Tim Golden

Jun 1, 2009, 10:03:45 AM
to pytho...@python.org
[slightly rearranged for top-to-bottom reading...]


Emin.shopper Martinian.shopper wrote:
> Thanks. But how do I fix this so that the subprocess does inherit the
> impersonated stuff?
>

The source for subprocess just uses CreateProcess. Which means that,
short of monkey-patching it, you're going to have to roll your own
subprocess-like code (I think). Basically, you'll need to run
CreateProcessAsUser or CreateProcessAsLogonW. They're both a bit
of a pig in terms of getting the right combination of parameters
and privileges, I seem to remember. Haven't got time right now
to fish for an example, I'm afraid: maybe someone else on the list
has a canned example...?

Also worth cross-posting this to the python-win32 list where more
win32 expertise resides.

TJG

Emin.shopper Martinian.shopper

Jun 1, 2009, 10:29:16 AM
to Tim Golden, pytho...@python.org
> The source for subprocess just uses CreateProcess. Which means that,
> short of monkey-patching it, you're going to have to roll your own
> subprocess-like code (I think). Basically, you'll need to run
> CreateProcessAsUser or CreateProcessAsLogonW. They're both a bit
> of a pig in terms of getting the right combination of parameters
> and privileges,

Thanks. I tried rolling my own via CreateProcessAsUser but it
complained about needing some special permissions so it's probably not
going to work. I'd like to try CreateProcessAsLogonW but can't see how
to access that via python. I will start a new thread on the
python-win32 list about that.

Thanks,
-Emin
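
Added example, not part of any post in this thread: one way to start a child process under another account from Python is to call the Win32 API CreateProcessWithLogonW (advapi32) through ctypes, so the child gets that user's own token instead of the parent's original security context. The helper names run_as and build_call are hypothetical, and the account, password and command are supplied by the caller.

```python
# Added illustration; run_as and build_call are hypothetical helper names.
import ctypes
import subprocess

DWORD, WORD, HANDLE, LPWSTR = (ctypes.c_uint32, ctypes.c_uint16,
                               ctypes.c_void_p, ctypes.c_wchar_p)
LOGON_WITH_PROFILE = 0x1            # load the target user's profile
CREATE_UNICODE_ENVIRONMENT = 0x400

class STARTUPINFOW(ctypes.Structure):
    _fields_ = ([("cb", DWORD), ("lpReserved", LPWSTR),
                 ("lpDesktop", LPWSTR), ("lpTitle", LPWSTR)]
                + [(n, DWORD) for n in (
                    "dwX", "dwY", "dwXSize", "dwYSize", "dwXCountChars",
                    "dwYCountChars", "dwFillAttribute", "dwFlags")]
                + [("wShowWindow", WORD), ("cbReserved2", WORD),
                   ("lpReserved2", ctypes.c_void_p), ("hStdInput", HANDLE),
                   ("hStdOutput", HANDLE), ("hStdError", HANDLE)])

class PROCESS_INFORMATION(ctypes.Structure):
    _fields_ = [("hProcess", HANDLE), ("hThread", HANDLE),
                ("dwProcessId", DWORD), ("dwThreadId", DWORD)]

def build_call(args):
    """Build the command line and the two structs (no Win32 calls made)."""
    # lpCommandLine is LPWSTR, so pass a writable buffer, not a Python str.
    cmdline = ctypes.create_unicode_buffer(subprocess.list2cmdline(args))
    si = STARTUPINFOW()
    si.cb = ctypes.sizeof(si)       # the API validates this size field
    return cmdline, si, PROCESS_INFORMATION()

def run_as(user, domain, password, args, cwd=None):
    """Windows only: run args as another user, wait, return the exit code."""
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    cmdline, si, pi = build_call(args)
    if not advapi32.CreateProcessWithLogonW(
            user, domain, password, LOGON_WITH_PROFILE, None, cmdline,
            CREATE_UNICODE_ENVIRONMENT, None, cwd,
            ctypes.byref(si), ctypes.byref(pi)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        kernel32.WaitForSingleObject(HANDLE(pi.hProcess), DWORD(0xFFFFFFFF))
        code = DWORD()
        kernel32.GetExitCodeProcess(HANDLE(pi.hProcess), ctypes.byref(code))
        return code.value
    finally:  # always release the process and thread handles
        kernel32.CloseHandle(HANDLE(pi.hThread))
        kernel32.CloseHandle(HANDLE(pi.hProcess))
```

The call depends on the Windows Secondary Logon service being enabled. Read the password from a prompt or a secret store rather than embedding it in the script.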

Martin P. Hellwig

Jun 1, 2009, 11:50:02 AM

Maybe this post on my blog
http://blog.dcuktec.com/2009/05/python-on-windows-from-service-launch.html
can be of some help for you, although it was more thought to run under
LocalSystem instead of another active user.

--
MPH
http://blog.dcuktec.com
'If consumed, best digested with added seasoning to own preference.'
