Subject Running as a normal user on NT.
Author rfm@collectivecomputing.com
Arrgh. This isn't architect or priorities really, but making it
work right will require some changes, so I'll go with architect ...
> Of course you have to do a lot of work to make NT reasonably secure to
> begin with (see ntbugtraq.com, for example for some hints on getting
> there). I'm not sure if there is any problem running IB service as
> another user on NT. Anyone tried ?
>

OK, I checked this out a little. First of all, to use IPC access,
the server service must be run as localsystem, because it needs
the 'interact with desktop' right, which only services running as
localsystem are allowed to have. It doesn't actually need to interact
with the desktop, but IPC is initiated by a windows message, so this
right is required. There was talk of removing the use of windows
messaging in the next generation IPC protocol, so this issue might go
away.
I first tried taking away the 'interact with desktop'
right (while continuing to let IB run as localsystem), and, as expected,
I could connect with tcpip loopback but not with IPC. Anyway, I created
an NT user interbase, with the default privileges (a member of the
group 'users' and nothing else), and set the server and guardian to run
as that. NT notified me that it had given the user interbase the 'log on
as a service' right.

I tried connecting with tcp/ip and failed. Checking the interbase.log,
there was a message saying that the guardian could not start the server.
I then added the interbase user to the administrators group (I know
this defeats the purpose, but it helps the process of elimination), and
was able to connect via tcp/ip. So this means it's a matter of finding
the right rights (or is that rites ? ;-)

Final result (after a misguided attempt burning some old apple ][
floppies while facing Redmond), was that setting the >guardian< to log
on as local system, and the server to log on as a regular user interbase
(who did not have admin privs) allows a tcp/ip connection.

It is probably possible to further restrict the rights of the interbase
user. Given a careful use of filesystem ACLs, I imagine you could greatly
reduce the potential damage done by a rogue ib user.

Please note that to make this of any use at all, you need to do a bunch
of work setting the file and registry permissions on your NT box,
because Microsoft's default settings are nuts from a security point of
view. I can dig up references to sites that describe this process if
anyone wants.
You also (obviously) have to use NTFS for your system drive and
interbase installation area.

BTW, all of the above was done on ib version WI-B6.0.0.530
and NT 4.0 SP6a

Finally, I didn't test anything more than connect, show database
and select * from employee. And I only tested using localhost
for tcpip.

I'll try to do a little more testing and come up with a 'running
ib as a normal user on NT' howto.

Regards,
reed.
--
Reed Mideke
rfm(at)collectivecomputing.com
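
The split described in the message above (guardian as LocalSystem, server as a non-admin account, no 'interact with desktop' on the server) can be checked from captured `sc qc` output. This is an added example, not part of the original post or of InterBase; the service names, the `interbase` account and the sample output are constructed assumptions.

```python
import re

SERVICE_INTERACTIVE_PROCESS = 0x100  # service-type bit behind 'interact with desktop'

# Constructed `sc qc` output for both services; names and account are assumptions.
SAMPLE = r"""
SERVICE_NAME: InterBaseGuardian
        TYPE               : 10  WIN32_OWN_PROCESS
        SERVICE_START_NAME : LocalSystem
SERVICE_NAME: InterBaseServer
        TYPE               : 10  WIN32_OWN_PROCESS
        SERVICE_START_NAME : .\interbase
"""

def parse_sc_qc(text):
    """Return {service: {'account': str, 'interactive': bool}} from `sc qc` text."""
    services, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "SERVICE_NAME":
            cur = services.setdefault(value, {"account": None, "interactive": False})
        elif cur is not None and key == "TYPE":
            # sc prints the type in hex: 10 = own process, 110 = own process + interactive
            cur["interactive"] = bool(int(value.split()[0], 16) & SERVICE_INTERACTIVE_PROCESS)
        elif cur is not None and key == "SERVICE_START_NAME":
            cur["account"] = value.split("\\")[-1].lower()  # drop ".\" or "DOMAIN\"
    return services

def audit(services, admins, guardian="InterBaseGuardian", server="InterBaseServer"):
    """List deviations from the guardian/server split described in the post."""
    g, s = services.get(guardian), services.get(server)
    if g is None or s is None:
        return ["guardian or server service not found"]
    findings = []
    if g["account"] != "localsystem":
        findings.append("guardian does not log on as LocalSystem")
    if s["account"] == "localsystem":
        findings.append("server still logs on as LocalSystem")
    elif s["account"] in {a.lower() for a in admins}:
        findings.append("server account is in the Administrators group")
    if s["interactive"]:
        findings.append("server has 'interact with desktop' set")
    return findings

if __name__ == "__main__":
    # Administrators membership is constructed, as if read from `net localgroup`.
    print(audit(parse_sc_qc(SAMPLE), admins={"Administrator"}) or "matches the post's setup")
```

An empty findings list only confirms the logon accounts and service type; file and registry ACLs still need their own review.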