Edit report at http://bugs.php.net/bug.php?id=27051&edit=1

 ID:               27051
 Comment by:       heer2351 at zonnet dot nl
 Reported by:      ghoffer at globalscape dot com
 Summary:          Impersonation with FastCGI does not EXEC process as
                   impersonated user
 Status:           Feedback
 Type:             Bug
 Package:          CGI related
 Operating System: Windows
 PHP Version:      5.3
 Assigned To:      pajoye

 New Comment:

Located the problem and have been able to fix it.

I am using a special user for my Application Pool (say AppPoolUser), so PHP runs as this user. The new exec function uses CreateProcessAsUser() with impersonation. This means that the AppPoolUser must have the right to change the process level token.

You can assign this right to the user in the "Local Security Settings" -> User Rights Assignment. I have granted my AppPoolUser the "Replace a process level token" setting -> fork error has gone.

Thought this might be useful information, so access is required to cmd.exe but in addition the "Replace a process level token" setting.

Previous Comments:
------------------------------------------------------------------------
[2010-03-25 00:45:36] paj...@php.net

I will repeat a last time :)

It does work here using IIS6 and the exact same Windows version of FastCGI. The other users with issues with that have solved the problem as well using latest 5.3 and the right configuration.

There are differences between 5.2 and 5.3, a lot. One of them is a working impersonation (which is not only about exec).

------------------------------------------------------------------------
[2010-03-25 00:40:55] heer2351 at zonnet dot nl

Thanks for your help. I think there are still more people with the same problem. I will try to find a solution and will post here if I find one.

For now I stick with 5.2.13. I am not convinced it is a config problem. Will dig into SVN and find what the difference is between the two versions.

------------------------------------------------------------------------
[2010-03-25 00:30:20] paj...@php.net

I don't know either and hard to say why it does not work for you but for us (same config). I feel like you actually configure it wrong.

Impersonation in 5.2 was not fully working and was not doing the right thing (not only for exec&co).

I can't help further without more details about how you configure the impersonation or having a remote access to debug.

------------------------------------------------------------------------
[2010-03-25 00:17:50] heer2351 at zonnet dot nl

Changed to your suggestion with \\, same error.

Changed to 5.2.13, ran my version and your version, both echo the correct username.

------------------------------------------------------------------------
[2010-03-25 00:13:31] heer2351 at zonnet dot nl

What I do not understand is that 5.2.13 works and 5.3.2 (or 5.3.3) does not work with the same configuration.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at

    http://bugs.php.net/bug.php?id=27051

-- 
Edit this bug report at http://bugs.php.net/bug.php?id=27051&edit=1
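
The new comment at the top of this report grants "Replace a process level token" (privilege constant SeAssignPrimaryTokenPrivilege) to the application pool account. The following is an added example, not part of the bug report or of PHP, that audits which accounts hold that right in a user-rights export. Assumptions: the export was made with `secedit /export /cfg rights.inf /areas USER_RIGHTS`, the sample export is constructed, and the function names are hypothetical.

```python
# Audit holders of "Replace a process level token" (SeAssignPrimaryTokenPrivilege).
# Assumed input: text of a secedit user-rights export (the file on disk is
# typically UTF-16, so read it with open(path, encoding="utf-16")).
import re

PRIVILEGE = "SeAssignPrimaryTokenPrivilege"
# Windows default holders: LOCAL SERVICE and NETWORK SERVICE.
DEFAULT_HOLDERS = {"S-1-5-19", "S-1-5-20"}

# Constructed sample; "AppPoolUser" is the placeholder account name from the comment.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,AppPoolUser
[Version]
signature="$CHICAGO$"
"""

def privilege_holders(inf_text, privilege=PRIVILEGE):
    """Return the principals granted `privilege` in the [Privilege Rights] section."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().lower() == privilege.lower():
            # SIDs carry a leading '*'; entries without it are account names.
            return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return []

def audit(inf_text, expected=()):
    """Sort holders into Windows defaults, expected extras and unexpected extras."""
    allowed = {e.lower() for e in expected}
    report = {"default": [], "expected": [], "unexpected": []}
    for holder in privilege_holders(inf_text):
        key = ("default" if holder.upper() in DEFAULT_HOLDERS
               else "expected" if holder.lower() in allowed else "unexpected")
        report[key].append(holder)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT, expected=["AppPoolUser"]))
```

Any account listed under "unexpected" can start processes under another user's token, so each one should map to a documented need such as the application pool identity described in the comment.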