[Mongrel] Mongrel as Windows service with normal privileges
ml at stiegerhs.de
Thu Jun 5 10:19:03 EDT 2008
Luis Lavena wrote:
> Hmn, looks like user web user is too limited to do anything.
Interesting: The result of proc_info.exe is different when I log in
interactively with the "web" user:
*** CURRENT PROCESS ***
EnumProcessModules (PID, name): 228 proc_info.exe
Module32First (PID, name): 228 proc_info.exe
GetProcessImageFileName (PID, name): 228
*** PARENT PROCESS ***
EnumProcessModules (PID, name): 3312 cmd.exe
Module32First (PID, name): 3312 cmd.exe
GetProcessImageFileName (PID, name): 3312
The previous attempt with "runas" had PID 244 as parent process id,
which at that time was "svchost.exe". The full process hierarchy looked
like this (gathered with Process Explorer):
System - smss.exe - winlogon.exe - services.exe - svchost.exe -
It seems not to be only the user, but also the way the executeable is
started. The "web" user may query its parent process if it is cmd.exe,
but not if the parent is svchost.exe. I do not know how svchost starts
its child processes, but apparently with less rights than the command
> How normal is normal? I mean, it can log in? it has applied some group
> policy stuff in it?
> Just for the sake of testing, can you create a "limited" account using
> the control panel and try running proc_info.exe with it?
> With that info maybe I can figure out what's wrong.
> Thanks for your time,
The "normal" user may run the whole rails stack as service without
problems. I hacked ServiceFB_Utils.bas to ignore the result of
parent_name, and now it works as expected (btw, you are right, FreeBasic
isnt' that hard :)) with limited rights. The test was run on the
isolated XP home machine, so no group policies are in effect.
Hope this helps,
More information about the Mongrel-users