7.14 Impersonating Principals on Windows

Credit: John Nielsen

7.14.1 Problem

You need to authenticate a thread temporarily as another principal on a Windows machine—for example, to make something run with the appropriate administrative rights.

7.14.2 Solution

On Unix, you can call setuid. On Windows, the impersonation task is slightly more involved, but not terribly so:

    import win32api, win32con, win32security

    class Impersonate:
        def __init__(self, login, password):
            self.domain = 'bedrock'
            self.login = login
            self.password = password

        def logon(self):
            # Obtain a token for the user, then attach it to the current thread
            self.handle = win32security.LogonUser(self.login, self.domain,
                self.password, win32con.LOGON32_LOGON_INTERACTIVE,
                win32con.LOGON32_PROVIDER_DEFAULT)
            win32security.ImpersonateLoggedOnUser(self.handle)

        def logoff(self):
            win32security.RevertToSelf()   # terminates impersonation
            self.handle.Close()            # guarantees cleanup

    if __name__ == '__main__':
        a = Impersonate('barney', 'bambam')
        try:
            a.logon()                      # become the user
            try:
                # Do whatever you need to do, e.g.:
                print(win32api.GetUserName())  # show you're someone else
            finally:
                a.logoff()                 # ensure return-to-normal no matter what
        except Exception as exc:
            print('Exception:', type(exc).__name__, exc)

7.14.3 Discussion

Sometimes it is convenient to authenticate a thread as another principal. For example, perhaps something should run temporarily with administrative rights. This is especially useful if you do not want the hassle of making a COM object or a service (which are other ways to solve the problem or, rather, work around it).

On Windows, processes run with a specific security token. By default, all threads use that token. You can, however, easily attach another token to the thread, thanks to Mark Hammond's win32all package.

The way to do this is with the Win32 calls LogonUser and ImpersonateLoggedOnUser. LogonUser gives you a handle that ImpersonateLoggedOnUser can then use to become the user. To do this, the thread calling LogonUser needs the SE_TCB_NAME, SE_CHANGE_NOTIFY_NAME, and SE_ASSIGNPRIMARYTOKEN_NAME privileges.

7.14.4 See Also

Documentation for the win32security and win32con modules in win32all (http://starship.python.net/crew/mhammond/win32/Downloads.html) or ActivePython (http://www.activestate.com/ActivePython/); Windows API documentation available from Microsoft (http://msdn.microsoft.com); Python Programming on Win32, by Mark Hammond and Andy Robinson (O'Reilly).
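The LogonUser / ImpersonateLoggedOnUser / RevertToSelf sequence from this recipe can also be wrapped in a context manager that closes the token on every path and treats a failed RevertToSelf as fatal. This is an added example, not code from the recipe or from win32all; the names impersonate and RevertFailed, and the sec/con parameters (stand-ins for win32security and win32con so the cleanup order can be tested off Windows), are assumptions of the example.

```python
import contextlib


class RevertFailed(BaseException):
    """RevertToSelf failed: the thread may still hold the other token.

    Derives from BaseException so a broad `except Exception` handler cannot
    swallow it and keep running under the impersonated identity.
    """


@contextlib.contextmanager
def impersonate(login, domain, password, sec=None, con=None):
    """Run the `with` body on this thread as login@domain, then always revert.

    `sec` and `con` default to pywin32's win32security and win32con; passing
    substitutes (an assumption of this example) allows testing off Windows.
    """
    if sec is None:
        import win32security as sec
    if con is None:
        import win32con as con
    handle = sec.LogonUser(login, domain, password,
                           con.LOGON32_LOGON_INTERACTIVE,
                           con.LOGON32_PROVIDER_DEFAULT)
    try:
        sec.ImpersonateLoggedOnUser(handle)
        try:
            yield handle
        finally:
            # Revert before anything else runs on this thread.
            try:
                sec.RevertToSelf()
            except Exception as exc:
                raise RevertFailed("still impersonating %r" % login) from exc
    finally:
        handle.Close()  # release the token on every path, including failures


if __name__ == "__main__":
    import getpass
    import win32api
    # Prompt instead of embedding the password in source.
    secret = getpass.getpass("Password for bedrock\\barney: ")
    with impersonate("barney", "bedrock", secret):
        print(win32api.GetUserName())   # identity inside the block
    print(win32api.GetUserName())       # original identity restored
```

A caller that catches RevertFailed should stop the process rather than continue, since later work on that thread would run with the other principal's rights.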