Re: Impersonate

From: Larry Kilgallen (Kilgallen_at_SpamCop.net)
Date: 09/12/04


Date: 11 Sep 2004 20:02:12 -0500

In article <yLs0d.24224$Of3.1627@tornado.tampabay.rr.com>, "The KGB" <kgb@tampabay.rr.com> writes:
> Looking in the UAF at SYSTEM rights and stuff I see that 'impersonate' is
> listed. I find very little information on it. Can someone please clue me

You can defend against it by demanding that VMS Development make
privilege names more clear.

Others have done that in the past, and the response was that the
VMS Developers renamed the old DETACH privilege to IMPERSONATE.
It did not gain any capabilities in the renaming, but it certainly
made things more clear.

> in on its use? As in how it is used and more importantly how can a SYSMAN
> defend against it assuming it's to impersonate a user! VMS Ver 7.2.1.

IMPERSONATE (nee DETACH) is no different from any other privilege
in this regard.

The technique is to avoid granting any privileges outside the category
Normal except to users who both:

        1. Need the privilege for their job (think of alternatives)
        2. Are honest
        3. Are technically competent in the use of the privilege*

For those users who need privilege (the system managers come to mind)
the only approach is to use extensive auditing of what they do, and
that includes video surveillance. Speak to your physical security
department. And if you don't have physical security, you have nothing.

* For a fee I would be happy to administer a test on number 3 for
  those who think they deserve privilege :-)
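The review the reply above recommends (find every account holding privileges outside the Normal category, and see who holds IMPERSONATE in particular) can be partly automated. The following is an added example, not code from the original thread or from VMS Development: a Python script that parses a UAF listing in the shape AUTHORIZE's SHOW command prints, with "Authorized Privileges:" and "Default Privileges:" blocks followed by indented privilege names. The listing embedded here is constructed, with made-up usernames and privilege sets, and the function names parse_uaf_listing, non_normal_privileges and holders_of are the example's own. The Normal category is taken to be NETMBX and TMPMBX.

```python
# Added example (not part of the original post): scan a UAF listing for
# accounts holding privileges outside the Normal category, which is the
# exposure the reply above says a system manager should keep minimal.
import re
from typing import Dict, List, Set

# The Normal privilege category on OpenVMS contains only these two.
NORMAL_PRIVS: Set[str] = {"NETMBX", "TMPMBX"}

# Constructed sample resembling AUTHORIZE's SHOW output for several
# accounts; the usernames, UICs and privilege sets are made up.
SAMPLE_LISTING = """\
Username: ALICE                              Owner:  Alice Example
Account:  USERS                              UIC:    [200,1] ([USERS,ALICE])
Authorized Privileges:
  NETMBX       TMPMBX
Default Privileges:
  NETMBX       TMPMBX

Username: BOB                                Owner:  Bob Example
Account:  USERS                              UIC:    [200,2] ([USERS,BOB])
Authorized Privileges:
  IMPERSONATE  NETMBX       TMPMBX
Default Privileges:
  NETMBX       TMPMBX

Username: SYSTEM                             Owner:  SYSTEM MANAGER
Account:  SYSTEM                             UIC:    [1,4] ([SYSTEM])
Authorized Privileges:
  ACNT         ALLSPOOL     ALTPRI       AUDIT        BUGCHK       BYPASS
  CMEXEC       CMKRNL       IMPERSONATE  NETMBX       SETPRV       SYSPRV
  TMPMBX
Default Privileges:
  ACNT         ALLSPOOL     ALTPRI       AUDIT        BUGCHK       BYPASS
  CMEXEC       CMKRNL       IMPERSONATE  NETMBX       SETPRV       SYSPRV
  TMPMBX
"""


def parse_uaf_listing(text: str) -> Dict[str, Dict[str, Set[str]]]:
    """Return {username: {"authorized": set, "default": set}} from a listing."""
    records: Dict[str, Dict[str, Set[str]]] = {}
    user = None
    section = None
    for line in text.splitlines():
        m = re.match(r"Username:\s+(\S+)", line)
        if m:
            user = m.group(1)
            records[user] = {"authorized": set(), "default": set()}
            section = None
            continue
        if user is None:
            continue
        if line.startswith("Authorized Privileges:"):
            section = "authorized"
        elif line.startswith("Default Privileges:"):
            section = "default"
        elif section and line.startswith("  "):
            # Privilege names are upper-case tokens separated by spaces.
            records[user][section].update(line.split())
        elif not line.strip():
            # A blank line ends the current privilege block.
            section = None
    return records


def non_normal_privileges(records: Dict[str, Dict[str, Set[str]]]) -> Dict[str, List[str]]:
    """Map each account to its authorized privileges outside Normal."""
    result: Dict[str, List[str]] = {}
    for user, rec in records.items():
        extra = rec["authorized"] - NORMAL_PRIVS
        if extra:
            result[user] = sorted(extra)
    return result


def holders_of(records: Dict[str, Dict[str, Set[str]]], priv: str) -> List[str]:
    """Accounts whose authorized privilege mask includes priv (e.g. IMPERSONATE)."""
    return sorted(u for u, rec in records.items() if priv in rec["authorized"])


if __name__ == "__main__":
    recs = parse_uaf_listing(SAMPLE_LISTING)
    for user, privs in non_normal_privileges(recs).items():
        print(f"{user}: {' '.join(privs)}")
    print("IMPERSONATE holders:", ", ".join(holders_of(recs, "IMPERSONATE")))
```

In practice you would capture the output of AUTHORIZE's SHOW command for all accounts to a file and pass its contents to parse_uaf_listing; the report then becomes the list of accounts to justify against the three conditions in the reply, and re-running it periodically is one cheap part of the extensive auditing the reply calls for.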
