Windows NT Security -- Impersonation
Python's win32 access to help to simplify providing privileged access.
There may be times when you want to give specific access to
someone with NT. One mechanism to do this is with the win32 calls:
LogonUser and ImpersonateLoggedOnUser. LogonUser gives you a handel
which ImpersonateLoggedOnUser can then use to "become" the user. To do
this the thread calling, LogonUser, needs SE_TCB_NAME,
SE_CHANGE_NOTIFY_NAME, and SE_ASSIGNPRIMARYTOKEN_NAME privileges. If
you plan to do this with something like IIS and cgi, be careful, the anonymous
account IIS uses is already impersonated from the system account. You
will need to use the RevertToSelf, api call to first terminate the
impersonation. And, the system account, a local account, ultimately
limits you, regardless of who you log in as (COM/MTS can provide an
alternative security solution).
Example
The c++ api call for Logonasuser looks like:
BOOL LogonUser( LPTSTR lpszUsername, LPTSTR lpszDomain, LPTSTR lpszPassword, DWORD dwLogonType, DWORD dwLogonProvider, PHANDLE phToken );The python documentation says this:
PyHANDLE = LogonUser( userName, domain , password , logonType , logonProvider )The api call is very similar in both cases except in python the handel is returned seperately to the caller. The interesting options in this case are logonType and logonProvider. To give values for these, you need to use the constants present in win32con (you can use the browser in pythonwin->tools to list the constants in win32con). Unless you have unusual server requirements, for logonType, win32con.LOGON32_LOGON_INTERACTIVE should be fine. With regards to logonProvider, generally use win32con.LOGON32_PROVIDER_DEFAULT -- it's for specifiying the type of logon NT 3.5, 4.0, win2000. Generally, default is fine.
ImpersonateLoggedOnUser is extremely simple and you'll see it's usage in the examples.
Now for some code
#A raw example looks like this: handel=win32security.LogonUser('barney','bedrock','bambam'\\ ,win32con.LOGON32_LOGON_INTERACTIVE,win32con.LOGON32_PROVIDER_DEFAULT) win32security.ImpersonateLoggedOnUser(handel) #do stuff here print win32api.GetUserName() #show you're someone else win32security.RevertToSelf() #terminates impersonation handel.Close() #The impersonate code can be encapsulated in a class, which then makes it even more #trivial to use import win32security import win32con import win32api class Impersonate: def __init__(self,login,password): self.domain='bedrock' self.login=login self.password=password def logon(self): self.handel=win32security.LogonUser(self.login,self.domain,self.password,\\ win32con.LOGON32_LOGON_INTERACTIVE,win32con.LOGON32_PROVIDER_DEFAULT) win32security.ImpersonateLoggedOnUser(self.handel) def logoff(self): win32security.RevertToSelf() #terminates impersonation self.handel.Close() #guarantees cleanup a=Impersonate('barney','bambam') try: a.logon() #become the user #do whatever here print win32api.GetUserName() #show you're someone else a.logoff() #return to normal except: print sys.exc_type , sys.exc_valueHave a great time with programming with python!
John Nielsen nielsenjf@my-deja.com