在winapi中运行具有最低可能特权的进程 [英] Running a process with lowest possible privileges in winapi
问题描述
我写的内容与 http://ideone.com/ 类似。目前我正在使用CreateProcess调用来运行用户进程。我杀了进程,如果它运行更长,然后指定的时间,但我不知道如何拒绝读/写文件系统权限/创建进程权限等创建过程。给定的可执行文件可以是字面上的任何东西,我需要只允许stdin / stdout。如果我可以设置工作内存集,这将是巨大的。
I am writing something similar to the http://ideone.com/. Currently I am running user processes with CreateProcess call. I kill the process if it runs longer then specified amount of time but I don't know how to deny read/write filesystem rights / creating process rights etc. to the created process. The given executable can be literally anything and I need to allow only stdin / stdout. Also it would be great if I could set working memory set.
我读了很多关于msdn的文章,如 CreateProcessAsUser函数, CreateProcessWithLogonW功能等,但我很困惑非常快(可能是因为我的win32知识是非常有限的)。
只需调用CreateProcessAsUser并创建具有这些有限权限的特殊用户(以及如何创建此类用户)就足够了。
I read a lot of articles on msdn such as CreateProcessAsUser Function, CreateProcessWithLogonW Function etc. but I get confused very fast (probably because my win32 knowledge is extremely limited). Is it sufficient just to call CreateProcessAsUser and create special user with those limited privileges (and how to create such user).
我希望我能实现这一点一个函数调用具有正确的参数,请帮助。
I hope I can achieve this in one function call with right parameters so please help.
此外,如果你知道一些类似的开源项目,这将是巨大的。
Also, if you know some similar open source project it would be great.
感谢。
============================ ============================
==========================================================
编辑:
Hi again :)
我仍然坚持这一点。我没有足够的时间来工作,但我猜Snemarch的职位是非常有用的。如果有人有开箱即用的解决方案,这将是巨大的。我将发布,如果我做一些与snemarch的链接。
Hi again :) I am still stuck with this. I didn't have enough time to work on this, but I guess snemarch post is very useful. If someone has out of the box solution it would be great. I will post if I do something with snemarch's links.
推荐答案
请参阅 OpenProcessToken 和 AdjustTokenPrivileges -这让你微调extent)您的进程的权限。您可以对某些标准权利使用 SaferCreateLevel 如 SAFER_LEVELID_UNTRUSTED 。
Take a look at OpenProcessToken and AdjustTokenPrivileges - this lets you fine-tune (to some extent) the permissions of your process. You can use SaferCreateLevel for some standard rights like SAFER_LEVELID_UNTRUSTED.
这篇关于在winapi中运行具有最低可能特权的进程的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
