#73756 - 2003-02-28 12:51 AM
RUNAS
|
KBG
Lurker
Registered: 2002-10-25
Posts: 2
Loc: Vancouver
|
Anyone have information on how to insert something like "runas" in a script so that we can have a basic user run a login script but portions as a different id?
#73757 - 2003-02-28 01:13 AM
Re: RUNAS
|
Howard Bullock
KiX Supporter
   
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
Do you have a plan for how you are going to get the alternate credentials to the script?
#73759 - 2003-02-28 08:57 AM
Re: RUNAS
|
Mandala
Fresh Scripter
Registered: 2003-02-17
Posts: 36
|
I've got the same problem with my XP network.
Trouble with su.exe is that it's not 100% compliant with XP Pro. Microsoft support told us that it's better to use RUNAS on XP, but I can't find a "secure" trick to give runas the password in a logon proc.
[ 28. February 2003, 08:59: Message edited by: Mandala ]
_________________________
P.Maquoi
Cellule Antivirus du M.E.T.
pmaquoi@met.wallonie.be
#73761 - 2003-02-28 10:09 AM
Re: RUNAS
|
Richard H.
Administrator
   
Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
|
Mandala knows all about KiXcrypt.
The problem is that to elevate your privileges you need to use "RunAs" or "SU".
SU is fine, and works well in combination with KiXcrypt, but unfortunately SU just doesn't work reliably with XP.
I've just had a look at RunAs, and I can't find a way of passing the password - you have to type it in.
If anyone else knows different, please let us know.
#73764 - 2003-02-28 11:50 AM
Re: RUNAS
|
Lonkero
KiX Master Guru
   
Registered: 2001-06-05
Posts: 22346
Loc: OK
|
k, richard could package this in kixcrypt:
code:
// RunAS.cpp : Defines the entry point for the console application.
// Logon and run an app as a different user
//          1     2         3       4        5       6
// params: user, password, domain, appname, folder, commandline
// Batch file example:
// RunAs Administrator, 123456,,D:\Installer.exe, d:\, -i
// Note: the password is passed in clear text on the command line.

#define _WIN32_WINNT 0x0500 // CreateProcessWithLogonW needs Windows 2000 or later
#include <windows.h>        // also defines LOGON_WITH_PROFILE and LOGON_NETCREDENTIALS_ONLY

// params user, password, domain, appname, folder, commandline
// CreateProcessWithLogonW is Unicode only, so take wide-character arguments
int wmain(int argc, wchar_t* argv[])
{
    BOOL res;            // results
    DWORD creationflags; // flags to pass to define window type
    int myerrorlevel;    // errorlevel for this function
    static PROCESS_INFORMATION myprocessinfo; // process return
    static STARTUPINFOW mystartupinfo;

    // user, password, domain, appname and folder are required
    if (argc < 6)
        return 1;

    // set window flags
    creationflags = CREATE_DEFAULT_ERROR_MODE | CREATE_NEW_CONSOLE | CREATE_NEW_PROCESS_GROUP;

    // initialise the startupinfo structure
    ::ZeroMemory(&mystartupinfo, sizeof(mystartupinfo));
    // load in size of structure
    mystartupinfo.cb = sizeof(mystartupinfo);

    // CreateProcessWithLogonW parameters:
    // LPCWSTR lpUsername,
    // LPCWSTR lpDomain,
    // LPCWSTR lpPassword,
    // DWORD dwLogonFlags,
    // LPCWSTR lpApplicationName,
    // LPWSTR lpCommandLine,
    // DWORD dwCreationFlags,
    // LPVOID lpEnvironment,
    // LPCWSTR lpCurrentDirectory,
    // LPSTARTUPINFOW lpStartupInfo,
    // LPPROCESS_INFORMATION lpProcessInfo

    // todo
    // concatenate commandline arguments into a string
    // argv[6 and +] should be moved into a string

    // Start the process (argv[6] is NULL when no commandline is given)
    res = CreateProcessWithLogonW(argv[1], argv[3], argv[2], LOGON_WITH_PROFILE,
                                  argv[4], argv[6], creationflags, NULL, argv[5],
                                  &mystartupinfo, &myprocessinfo);

    // return errorlevel
    myerrorlevel = 0;
    if (res == 0) {
        myerrorlevel = 1;
    } else {
        // close unwanted handles
        CloseHandle(myprocessinfo.hThread);  // close the handle to the main thread, since we don't use it
        CloseHandle(myprocessinfo.hProcess); // close handle to the process
    }
    return (myerrorlevel);
}
_________________________
!download KiXnet
#73765 - 2003-03-01 12:38 AM
Re: RUNAS
|
Richard H.
Administrator
   
Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
|
Cheers Jooel, I was wondering what to use the spare command switch letters for
Seriously, I'd already considered using the CreateProcessAsUser() call to similar effect.
I want to spend a little time thinking about security implications before adding this as a feature.
The CreateProcessWithLogon() information will be useful.
[edit] Update: CreateProcessWithLogonW has the following requirements:
quote:
Requirements
Client: Included in Windows XP and Windows 2000 Professional.
Server: Included in Windows Server 2003 and Windows 2000 Server.
Unicode: Implemented only as Unicode.
Which is too restrictive. [/edit]
[ 28. February 2003, 12:53: Message edited by: Richard H. ]
#73767 - 2003-02-28 01:12 PM
Re: RUNAS
|
cellnet
Starting to like KiXtart
Registered: 2002-02-26
Posts: 115
Loc: Sweden
|
I run the "run as" part with an encrypted vbs code.
Not 100% success.
The window has to be "active", otherwise the script will fail, and the password is pasted to the active window.
kixcode code:
IF $OS = "WinNT4"
  ? "Do Noting procced"
else
  Run '%comspec% /c wscript x:\script\vbs\hfnetchk.vbe'
  sleep 2
endif
hfnetchk.vbs code:
Dim vbOK: vbOK = 1
Dim vbCancel: vbCancel=2
Dim Wshell, ret, msg01, msghdr01, strUser, strPass
Dim CompName: CompName="Blank"

Set WshNetwork = WScript.CreateObject("WScript.Network")
CompName = WshNetworK.ComputerName
Set WshNetwork = nothing

function execute()
  Set WshShell = WScript.CreateObject("WScript.Shell")
  WshShell.Run "%windir%\system32\runas.exe /user:" & strUser & " " & Chr(34)& "\\whatand where to start" & CompName & ".bat" & Chr(34)
  Wscript.Sleep 100
  WshShell.AppActivate "runas"
  wScript.Sleep 100
  WshShell.SendKeys strPass
  wScript.Sleep 100
  WshShell.SendKeys "~"
  Wscript.Quit
end function

'** Start Encode **
strUser="domain\user"
strPass="password"
execute()
\erik
#73768 - 2003-02-28 01:22 PM
Re: RUNAS
|
Richard H.
Administrator
   
Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
|
I've looked into this further, and it is not going to happen in KiXcrypt
The CreateProcessAsUser() call requires a security token provided by LogonUser(). This can only be a local (machine) login. To run stuff in a network user environment requires a client/server approach, which is why su.exe requires the "suss" service. Requests are sent to the login server, which I assume either executes calls in a local context (on the server), or executes LogonUser() locally and then returns security tokens that can be used by the client to start processes.
To implement this would require me to write a secure client/server product, which is well beyond the remit of KiXcrypt.
Best option is to get MS to fix SU.EXE for XP.
While looking into this I found a third-party su here: http://www.stefan-kuhr.de/supsu/main.php3
At least this one is actively supported.
#73769 - 2003-02-28 02:13 PM
Re: RUNAS
|
Mandala
Fresh Scripter
Registered: 2003-02-17
Posts: 36
|
I've tested Supsu yesterday
and the result is ....
The same error !
Too bad but nice third party upgrade tool
The quest continues
#73771 - 2003-02-28 03:54 PM
Re: RUNAS
|
Mandala
Fresh Scripter
Registered: 2003-02-17
Posts: 36
|
YES ! THE SOLUTION !
So simple, so easy
To use SU from a shared drive / network drive on an XP Pro, you MUST be localised on a local drive before executing it.
I'll mix my code on Monday (it's a long and complex script) and I'll post it here.
[ 28. February 2003, 16:33: Message edited by: Mandala ]
#73773 - 2003-03-03 03:45 AM
Re: RUNAS
|
Jason L Stenklyft
Lurker
Registered: 2003-03-03
Posts: 2
|
I've got an idea, and I just put a script together to provide a possible solution. I posted it at my website: RUNAS Example. Click the link on the main page called RUNAS.
It seems to work well. It uses the SENDKEYS function.
I'll also post the script here for your reading pleasure.
code:
;RUNAS USER
;Kixtart script put together by Jason L Stenklyft
;Jason@Stenklyft.com
;example of using sendkeys to pass a password to runas
;not recommended for production networks, due to security risks

;Requirements to test this script
;Create a user on the local box named LUser and set the password to password

SETTITLE ("SENDKEYS ROCKS!") ;set self window title
RUN '%COMSPEC% /e:1024 /c runas /user:@WKSTA\LUser "notepad"' ;launch some notepad action as LUser
$trash= SetFocus ("SENDKEYS ROCKS!") ;set focus back to self
$trash= SendKeys("password{ENTER}") ;send the password and enter
sleep 3 ;wait a few for notepad to launch
If SetFocus ("Untitled - Notepad") = 0 ;if we can now setfocus to notepad, write some text
  $trash = SendKeys("Would you like to play a game?")
Endif
_________________________
Jason Lee Stenklyft
Jason@Stenklyft.com
Depend upon it there comes a time when for every addition of knowledge you forget something that you knew before. It is of the highest importance, therefore, not to have useless facts elbowing out the useful ones.
The Stenklyft.com domain and all associated e-mail addresses are located in the State of Washington,
and sending mail to addresses at this domain is subject to the provisions of the Revised Code of Washington.
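An audit check for the pattern shown in the two SendKeys posts above (the VBScript helper and this KiXtart script), added here as an example and not part of the thread: it scans script source for a runas launch whose password prompt is answered by SendKeys with text stored in the script, and reports line numbers without echoing the secret. The function name `find_typed_credentials`, the heuristics and both sample scripts are assumptions constructed for this illustration.

```python
import re

RUNAS = re.compile(r'\brunas(\.exe)?\b.*?/user:', re.I)
SENDKEYS = re.compile(r'\bsendkeys\b\s*\(?\s*("[^"]*"|\'[^\']*\'|\$?\w+)', re.I)
ASSIGN = re.compile(r'(\$?\w+)\s*=\s*("[^"]*"|\'[^\']*\')')
CONTROL = re.compile(r'\{[^}]*\}|~')  # {ENTER}, {TAB} and "~" are keystrokes, not text

# Constructed samples modelled on the two scripts posted above (placeholder password).
KIX_SAMPLE = r"""; logon script
RUN '%COMSPEC% /c runas /user:@WKSTA\LUser "notepad"'
$trash = SetFocus ("LOGON")
$trash = SendKeys("EXAMPLE-ONLY{ENTER}")
$trash = SendKeys("Would you like to play a game?")
"""
VBS_SAMPLE = r"""' helper script
Function Launch()
  WshShell.Run "runas.exe /user:" & strUser & " cmd.exe"
  WshShell.AppActivate "runas"
  WshShell.SendKeys strPass
  WshShell.SendKeys "~"
End Function
strUser = "domain\user"
strPass = "EXAMPLE-ONLY"
Launch()
"""

def find_typed_credentials(source):
    """Return (runas_line, sendkeys_line, origin) per runas prompt fed from the script."""
    lines = source.splitlines()
    literals = {}  # string literals assigned anywhere in the file, by variable name
    for line in lines:
        for name, value in ASSIGN.findall(line):
            literals[name.lower()] = value[1:-1]
    findings, pending = [], None  # pending: line of a runas launch awaiting input
    for no, line in enumerate(lines, 1):
        if line.lstrip().startswith((';', "'")):
            continue  # KiXtart and VBScript comment lines
        if RUNAS.search(line):
            pending = no
        m = SENDKEYS.search(line)
        if not (pending and m):
            continue
        token = m.group(1)
        quoted = token[0] in '"\''
        text = token[1:-1] if quoted else literals.get(token.lower())
        if text and CONTROL.sub('', text):  # ignore pure keystrokes such as "~"
            findings.append((pending, no, 'literal' if quoted else token))
            pending = None  # later SendKeys calls type into the launched program
    return findings
```

Run it over the plain `.vbs`/`.kix` source: a Script Encoder `.vbe` file hides these lines from the scanner, but the encoding is reversible without a key, so it does not protect the password from anyone who can read the file.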
#73775 - 2003-03-03 04:34 AM
Re: RUNAS
|
Jason L Stenklyft
Lurker
Registered: 2003-03-03
Posts: 2
|
The original post did not require the password to be masked or hidden.