ID:               27051
 Comment by:       louis at steelbytes dot com
 Reported By:      ghoffer at globalscape dot com
 Status:           Open
 Bug Type:         Feature/Change Request
 Operating System: Windows
 PHP Version:      4.3.4
 New Comment:

I've added a new function to my now inappropriately named
'PHP_Filetimes' http://www.steelbytes.com/?mid=46 (use the *beta*
download)

The new function is a simple wrapper for CreateProcessAsUser that deals
with this problem.

come on PHP/Zend pull ya socks up, I shouldn't have to write my own
extensions to work around such 'bugs'/limitations :-)


Previous Comments:
------------------------------------------------------------------------

[2008-12-08 23:04:23] louis at steelbytes dot com

please please please fix/add this.

it is killing me with 5.2.6 / win2008.

------------------------------------------------------------------------

[2007-06-21 18:06:45] aheckmann at m-s dot de

I have the same problem here. Has anything happened in the last three
years on that feature request? The solution seems to be easy, or not?

------------------------------------------------------------------------

[2004-01-26 15:41:14] ghoffer at globalscape dot com

Description:
------------
(Related to Bug #10065, but slightly different and more detailed)
Environment:  
Win2K3 running PHP 4.3.4 under FastCGI.  PHP.INI has
"fastcgi.impersonate=1".  IIS Site has "Anonymous Access" OFF and "NT
Authentication" ON (so that you have to log in to the site as an NT
User).
Up to this point, all is fine: the NT user is being impersonated by the
main thread of PHP so that file access permissions are handled
properly.

HOWEVER, if the PHP script attempts to execute a command (using exec,
or passthru, or similar) then that spawned process is NOT impersonating
the NT account, but rather running under the IIS account.

SUGGESTED RESOLUTION: in proc_open.c, the proc_open function can make a
few calls in lieu of "CreateProcess" in order to "pass along" the
Impersonation.  Instead of CreateProcess, it should use
"CreateProcessAsUser," passing in the token of the impersonated user
(which PHP is running under).  If it does not do this, per the Win32 API
docs, CreateProcess simply uses the non-impersonated token.

Here is how to run a spawned process as the impersonated user (which
CAN be done conditionally when impersonation is necessary, e.g.,
"LOGON_USER" is defined; but doing it ALWAYS should in no way impair
security, only a slight hit in performance as three additional API calls
are made):
[ Error checking and variable declarations omitted ]

   // get impersonation token
   OpenThreadToken( GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hToken );
   // duplicate it for passing to CreateProcessAsUser
   DuplicateTokenEx( hToken, MAXIMUM_ALLOWED, &sa, SecurityImpersonation,
                     TokenPrimary, &hToken2 );
   // rest of params are the same as CreateProcess
   CreateProcessAsUser( hToken2, ... );
   // . . .
   CloseHandle( hToken2 );
   CloseHandle( hToken );


Reproduce code:
---------------
<?php
  # Run this under FastCGI (with "fastcgi.impersonate=1" in PHP.INI)
  # with NT Auth access to the Virtual Site / Dir that houses the script.
  # DOIT.bat can be any batch file.  For example, have the batch file
  # attempt to write a new file to a folder that has ONLY write
  # permissions for the logged-in NT User, NOT the IWAM account.
  # It will fail because cmd.exe is being executed as IWAM_* even though
  # we logged into the website and properly impersonated another user.
  $last_line = @exec("cmd.exe /c doit.bat");
?>

Expected result:
----------------
PHP running as impersonated user under FastCGI should spawn processes
with security context of that impersonated user.

Actual result:
--------------
The spawned process is being executed in the security context of the
IIS account (IWAM_*).


------------------------------------------------------------------------
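
A check for the behaviour reported above, as an added example that is not part of the original report or of PHP itself: it compares the account IIS authenticated (LOGON_USER) with the account a process spawned through proc_open actually runs as. It assumes whoami.exe is on the server's PATH; the function names are hypothetical.

```php
<?php
// Added example, not from the bug report. Function names are hypothetical.
// Assumes whoami.exe is available on the PATH of the web server.

// Compare two Windows account names case-insensitively. If both carry a
// DOMAIN\ prefix the full names must match; otherwise only the user part is compared.
function same_account($a, $b)
{
    $a = strtolower(trim($a));
    $b = strtolower(trim($b));
    if (strpos($a, '\\') !== false && strpos($b, '\\') !== false) {
        return $a === $b;
    }
    $bare = function ($n) {
        $pos = strrpos($n, '\\');
        return $pos === false ? $n : substr($n, $pos + 1);
    };
    return $bare($a) === $bare($b);
}

// Spawn `whoami` through proc_open and return the account it prints, or null on failure.
function spawned_identity()
{
    $spec = array(1 => array('pipe', 'w'), 2 => array('pipe', 'w'));
    $proc = proc_open('whoami', $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = trim(stream_get_contents($pipes[1]));
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out !== '' ? $out : null;
}

// Report whether the child process inherited the authenticated user's identity.
function check_child_identity()
{
    $logon = isset($_SERVER['LOGON_USER']) ? $_SERVER['LOGON_USER'] : '';
    if ($logon === '') {
        return 'SKIP: LOGON_USER not set (anonymous access or not running under IIS)';
    }
    $child = spawned_identity();
    if ($child === null) {
        return 'ERROR: could not run whoami';
    }
    return same_account($logon, $child)
        ? "OK: child runs as the authenticated user ($child)"
        : "MISMATCH: logged on as $logon, but child runs as $child";
}

echo check_child_identity(), "\n";
```

A MISMATCH line means commands started by exec, passthru or proc_open get the file permissions of the reported child account, not those of the logged-on user.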

