[jira] [Created] (DAEMON-245) Support privilege escalation on Windows (UAC)

Sat, 03 Mar 2012 15:02:20 -0800 

Support privilege escalation on Windows (UAC)
---------------------------------------------

                 Key: DAEMON-245
                 URL: https://issues.apache.org/jira/browse/DAEMON-245
             Project: Commons Daemon
          Issue Type: New Feature
          Components: Procrun
    Affects Versions: 1.0.10
         Environment: Windows Vista+
            Reporter: Rainer Jung


Windows introduced User Access Control which limits things users can do even if 
they are logged in as administrators. Management of services is one of those 
things. Usually the recommendation was to switch the UAC feature off, but it is 
not to hard to support UAC for procrun.

Any binary can include information about a needed privilege escalation. If you 
start such a binary, the usualy Windows confirmation popup of UAC will show and 
you can confirm the operation.

To support this, the manifest included in the exe files need to be enhanced. 
The following is an example for prunsrv:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="3.1.0.0" processorArchitecture="*" 
name="Apache.Procrun.Prunsrv" type="win32"></assemblyIdentity>
<description>Apache Procrun Service Manager</description>
<dependency>
<dependentAssembly>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" 
version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" 
language="*"></assemblyIdentity>
</dependentAssembly>
</dependency>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator" 
uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>

I used this manifest and the same one with the string "Prunsrv" replaced by 
"Prunmgr" successfully on Windows 7.

I do not know, whether such an extended manifest has negative cnsequences on 
older Windows.

If accepted, the manifest should be added to both binaries. Currently only one 
of them contains a manifest.

Regards,

Rainer


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to