SeAssignPrimaryTokenPrivilege


Alex Fedotov

May 9, 2001, 2:33:35 PM
What are the implications of SeAssignPrimaryTokenPrivilege?

MSDN says:
Allows a user to modify a process's security access token. This is a
powerful right used only by the system.

How can this privilege be used to break system security? Why should it
not be granted to normal users?

Thank you in advance.

--
Alex Fedotov,
3Cube, Inc.
www.3cube.com


Felix Kasza [MVP]

May 9, 2001, 9:23:27 PM
Alex,

> How can this privilege be used to break system security?
> Why should it not be granted to normal users?

I didn't try this, but the first thing that comes to mind is building
(or grabbing) a token with higher privileges or a more convenient group
list and replacing the current process token with it.

--

Cheers,
Felix.

If you post a reply, kindly refrain from emailing it, too.
Note to spammers: fel...@mvps.org is my real email address.
No anti-spam address here. Just one comment: IN YOUR FACE!

Alex Fedotov

May 11, 2001, 11:18:32 PM
Felix,

Thanks for the answer.

> > How can this privilege be used to break system security?
> > Why should it not be granted to normal users?
>
> I didn't try this, but the first thing that comes to mind is building
> (or grabbing) a token with higher privileges or a more convenient group
> list and replacing the current process token with it.

But it won't be easy to get a token with higher privileges. Even if we
got it, we still need TOKEN_ASSIGN_PRIMARY access permission in
order to use it that way.

My question is not why this privilege exists (My answer: it controls
which accounts are allowed to create processes as different users),
but why it is called powerful.

Once I have a token, why is creating a process with this token considered
a powerful action? In fact, I can use the token for impersonation without
any additional privileges. I know that several access checks are always
performed against the primary process token (some related to window
stations and desktops), but are they so important?

Or maybe, by assigning the process token directly, I can bypass the audit
that would otherwise be generated?

Just trying to understand :)

Felix Kasza [MVP]

May 12, 2001, 5:36:01 AM
Alex,

> Just trying to understand :)

Me, too. :) Let's wait for Prabagar to stop by.

Dave

May 14, 2001, 11:34:50 PM
Well, I'm no Prabagar <g>, but I can affirm that the privilege is intended to
prevent the circumvention of auditing as Alex suggested. The NT privilege set is
pretty fine-grained, and sometimes public APIs don't specifically use all of
them, but they do serve a purpose.

Dave


Felix Kasza [MVP]

May 15, 2001, 7:50:55 AM
Dave,

good to see you are still alive! I appreciate the explanation.

Prabagar Ramadasse

May 16, 2001, 11:23:16 PM
As Dave mentioned, public APIs don't specifically use all the privileges.
But theoretically, if you can successfully get an access token of a process
with TOKEN_ASSIGN_PRIMARY access, SE_ASSIGNPRIMARYTOKEN_NAME privilege will
allow you to assign this access token as the primary access token of a
random process. Although obtaining an access token with TOKEN_ASSIGN_PRIMARY
access is secured by the access token DACL, SE_ASSIGNPRIMARYTOKEN_NAME
privilege adds one more level of protection from being able to take that
access token and assign to some other random process as the primary access
token.

Thanks,
Prabagar
