New Re: What does hierarchy of processes have to do with it?
Because it guarantees that a process will have a determinate user context. As you know, there are floating "NT_AUTHORITY" and "SYSTEM" contexts in NT that are only there so legacy code can run. Plus, there is no simple way to isolate everything executing in a given context in NT - you have to slog through all the processes and get their access tokens. NT was deliberately not built with a determinate user context so that legacy code would run.

Eric Raymond wrote a FAQ about UNIX programming, I think he talks about it in there. He points out that because of all the compromises related to legacy code, NT become practically impossible to make secure. The boundaries are "too porous" as he put it. In a real multi-user system, the user context is always known and determinate.

To give a practical example, suppose I want to immediately remove a user from a UNIX system. I remove his login, find his top-level processes and terminate them, and he's gone. In NT, you make a change to the user database, this has to propagate everywhere, his processes still run until they quit. Because there is no determinate user context, he fades away.
-drl
New I am not sure what NT_AUTHORITY is
But System is a very definite context. It has all rights of Administrator account on a local machine and no rights on the network. It has no user name/password associated with it, so users cannot log in on it.

Legacy is indeed a major problem for Windows, but it's mostly in GUI and SMB code. Avoid both, and you should be OK.

On single NT or Unix machine, you remove the user the same way: disable login and terminate processes. It's immaterial whether you have to kill all processes or "top-level" processes: in practice, in Unix and NT you keep killing till there is nothing to kill. And yes, NT knows who started the processes.

On multi-machine installations, such as NIS or NT Domain, you disable the user in the central database and it may or may not have to propagate. Apples to apples, please.
--

"It's possible to build a reasonably prosperous society that invests in its people, doesn't invade its neighbors, opposes Israel and stands up to America. (Just look at France.)"

-- James Lileks
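The two posts above disagree on whether removing a user means killing his "top-level" processes or simply everything he owns. The following script, added here as an illustration and not code from any poster, works through both on a constructed `ps -eo user,pid,ppid,comm` listing: it picks out the top-level processes (owned by the user, parent owned by someone else), simulates the "keep killing till there is nothing to kill" loop, and contrasts that with selecting by owner alone, which is what `pkill -u` does. The sample processes, PIDs and the reparent-to-init rule are assumptions for the example; the account-locking step (`passwd -l` / `usermod -L`) is mentioned only in a comment.

```python
"""Locate and remove a user's processes from a ps-style listing.

Constructed sample in the shape of `ps -eo user,pid,ppid,comm`.  User
'bob' has an interactive shell (200) under sshd (100), an editor child
(201), and a detached job (300) that was already reparented to init.
"""

SAMPLE_PS = """\
USER     PID  PPID COMMAND
root       1     0 init
root     100     1 sshd
bob      200   100 bash
bob      201   200 vim
bob      300     1 make
alice    400   100 bash
"""


def parse_ps(text):
    """Return {pid: (user, ppid, comm)} from ps -eo user,pid,ppid,comm output."""
    procs = {}
    for line in text.splitlines()[1:]:          # first line is the header
        user, pid, ppid, comm = line.split(None, 3)
        procs[int(pid)] = (user, int(ppid), comm)
    return procs


def owned_pids(procs, user):
    """Every process whose owner is `user` (what `pkill -u user` selects)."""
    return sorted(pid for pid, (u, _, _) in procs.items() if u == user)


def top_level_pids(procs, user):
    """Processes owned by `user` whose parent is NOT owned by `user`.

    This is the 'find his top-level processes' approach: killing these
    takes the subtree down only if the children die with the parent.
    """
    return sorted(
        pid
        for pid, (u, ppid, _) in procs.items()
        if u == user and procs.get(ppid, ("", 0, ""))[0] != user
    )


def kill_until_clean(procs, user, max_rounds=10):
    """Simulate the 'keep killing till there is nothing to kill' loop.

    Each round kills the current top-level processes.  Survivors whose
    parent disappeared are reparented to init (pid 1), as the kernel
    does, so they surface as new top-level processes in the next round.
    Returns the list of rounds so the caller can see how many passes
    a one-shot 'top-level only' kill would have missed.
    In a real removal, lock the account first (passwd -l / usermod -L)
    so no new processes appear between rounds.
    """
    procs = dict(procs)
    rounds = []
    for _ in range(max_rounds):
        victims = top_level_pids(procs, user)
        if not victims:
            break
        rounds.append(victims)
        for pid in victims:
            del procs[pid]
        for pid, (u, ppid, comm) in list(procs.items()):
            if ppid not in procs:              # orphaned: adopt onto init
                procs[pid] = (u, 1, comm)
    return rounds


if __name__ == "__main__":
    table = parse_ps(SAMPLE_PS)
    print("owned by bob:      ", owned_pids(table, "bob"))
    print("top-level for bob: ", top_level_pids(table, "bob"))
    print("kill rounds needed:", kill_until_clean(table, "bob"))
```

On the sample, a single pass over bob's top-level processes kills 200 and 300 but leaves the editor (201) alive and reparented to init, which is why a second round is needed; selecting by owner finds all three in one pass. The same comparison applies on NT once the owner column is taken from each process's access token instead of `ps`.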
New Except:
But System is a very definite context. It has all rights of Administrator account on a local machine and no rights on the network. It has no user name/password associated with it, so users cannot log in on it.


That's not the same thing as saying users can't execute code under its authority. Just run a service as System.
I was one of the original authors of VB, and *I* wouldn't use VB for a text
processing program. :-)
Michael Geary, on comp.lang.python
New Right you are
--

"It's possible to build a reasonably prosperous society that invests in its people, doesn't invade its neighbors, opposes Israel and stands up to America. (Just look at France.)"

-- James Lileks
New Bottom line
If you can start a service, you can start it as System.


Peter
[link|http://www.debian.org|Shill For Hire]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Blog]
     NET SEND to all except a few systems? - (SpiceWare) - (42)
         Send to group -NT - (Silverlock)
         If you send not to machine names, but... - (CRConrad) - (6)
             Re: If you send not to machine names, but... - (deSitter) - (5)
                 "Messenger" != "NET SEND" ? - (CRConrad) - (4)
                     NET SEND Help - (orion)
                     Re: "Messenger" != "NET SEND" ? - (deSitter) - (2)
                         Alternatively... - (pwhysall)
                         So if Darrell's gang use W2K or later, they could try my way -NT - (CRConrad)
         update - (SpiceWare)
         Re: NET SEND to all except a few systems? - (qstephens) - (32)
             ROFL - (deSitter) - (31)
                 It inspires me - (orion) - (30)
                     Re: It inspires me - (deSitter) - (22)
                         On this we agree - (orion)
                         Windows has no user context? - (Arkadiy) - (20)
                             process-level user context - (deSitter) - (19)
                                 I am still at a loss as to what you mean -NT - (Arkadiy) - (18)
                                     A login is a profile - (orion)
                                     Re: I am still at a loss as to what you mean - (deSitter) - (16)
                                         You're much mistaken - (Arkadiy) - (15)
                                             Can you be logged in as two people at once? - (ben_tilly) - (7)
                                                 Not log in, no. - (admin) - (3)
                                                     I'll tuck that away in case I ever need it -NT - (ben_tilly)
                                                     Yes you can and it is a weak security system - (orion) - (1)
                                                         Re: Yes you can and it is a weak security system - (pwhysall)
                                                 Certainly - (Arkadiy) - (2)
                                                     Re: Certainly - (deSitter) - (1)
                                                         You keep hearing yourself, not me - (Arkadiy)
                                             Re: You're much mistaken - (deSitter) - (6)
                                                 What does hierarchy of processes have to do with it? - (Arkadiy) - (5)
                                                     Re: What does hierarchy of processes have to do with it? - (deSitter) - (4)
                                                         I am not sure what NT_AUTHORITY is - (Arkadiy) - (3)
                                                             Except: - (FuManChu) - (2)
                                                                 Right you are -NT - (Arkadiy)
                                                                 Bottom line - (pwhysall)
                     Careful there . . - (Andrew Grygus) - (5)
                         Does it really? - (ben_tilly) - (3)
                             I don't remember all the details . . . - (Andrew Grygus) - (2)
                                 The licenses are more forgiving than you think - (ben_tilly) - (1)
                                     Really interesting issue - (orion)
                         Bah! I'll make it freeware then. - (orion)
                     that's what I did - (SpiceWare)