From:             ghoffer at globalscape dot com
Operating system: Windows
PHP version:      4.3.4
PHP Bug Type:     Feature/Change Request
Bug description:  Impersonation with FastCGI does not EXEC process as impersonated user

Description:
------------
(Related to Bug #10065, but slightly different and more detailed)
Environment:  
Win2K3 running PHP 4.3.4 under FastCGI.  PHP.INI has
"fastcgi.impersonate=1".  IIS Site has "Anonymous Access" OFF and "NT
Authentication" ON (so that you have to log in to the site as an NT
User).
Up to this point, all is fine: the NT user is being impersonated by the
main thread of PHP so that file access permissions are handled properly.

HOWEVER, if the PHP script attempts to execute a command (using exec, or
passthru, or similar) then that spawned process is NOT impersonating the
NT account, but rather running under the IIS account.

SUGGESTED RESOLUTION: in proc_open.c, the proc_open function can make a
few calls in lieu of "CreateProcess" in order to "pass along" the
Impersonation.  Instead of CreateProcess, it should use
"CreateProcessAsUser," passing in the token of the impersonated user
(which PHP is running under).  If it does not do this, per the Win32 API
docs, CreateProcess simply uses the non-impersonated token.

Here is how to run a spawned process as the impersonated user (which CAN
be done conditionally when impersonation is necessary, e.g., when
"LOGON_USER" is defined; but doing it ALWAYS should in no way impair
security, only a slight hit in performance as three additional API calls
are made):
[ Error checking and variable declarations omitted ]

   // get impersonation token
   OpenThreadToken( GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hToken );
   // duplicate it for passing to CreateProcessAsUser
   DuplicateTokenEx( hToken, MAXIMUM_ALLOWED, &sa, SecurityImpersonation,
                     TokenPrimary, &hToken2 );
   // rest of params are the same as CreateProcess
   CreateProcessAsUser( hToken2, ... );
   // . . .
   CloseHandle( hToken2 );
   CloseHandle( hToken );


Reproduce code:
---------------
<?php
  # Run this under FastCGI (with "fastcgi.impersonate=1" in PHP.INI)
  # with NT Auth access to the Virtual Site / Dir that houses the script.
  # DOIT.bat can be any batch file.  For example, have the batch file
  # attempt to write a new file to a folder that has ONLY write
  # permissions for the logged-in NT User, NOT the IWAM account.
  # It will fail because cmd.exe is being executed as IWAM_* even though
  # we logged into the website and properly impersonated another user.
  $last_line = @exec("cmd.exe /c doit.bat");
?>

Expected result:
----------------
PHP running as impersonated user under FastCGI should spawn processes with
security context of that impersonated user.

Actual result:
--------------
The spawned process is being executed in the security context of the IIS
account (IWAM_*).

-- 
Edit bug report at http://bugs.php.net/?id=27051&edit=1
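
An added diagnostic script, not part of the original report or of PHP itself, that an administrator can place on the affected site to see whether processes spawned by exec() run as the authenticated NT user named in LOGON_USER. It assumes whoami.exe is on the server's PATH; the function names and the account names used in the command-line self-check are constructed for illustration.

```php
<?php
// Added example (not from the bug report). Assumes whoami.exe is on the PATH.

// Split "DOMAIN\user" into array(domain, user), lower-cased; domain may be ''.
function account_parts($name)
{
    $name = strtolower(trim($name));
    $pos  = strrpos($name, '\\');
    if ($pos === false) {
        return array('', $name);
    }
    return array(substr($name, 0, $pos), substr($name, $pos + 1));
}

// Returns 'match', 'mismatch', or 'unknown' when either name is missing.
function compare_identity($logon_user, $child_user)
{
    if (trim((string)$logon_user) === '' || trim((string)$child_user) === '') {
        return 'unknown';
    }
    list($ld, $lu) = account_parts($logon_user);
    list($cd, $cu) = account_parts($child_user);
    if ($lu !== $cu) {
        return 'mismatch';
    }
    // Compare domains only when both sides report one.
    return ($ld === '' || $cd === '' || $ld === $cd) ? 'match' : 'mismatch';
}

// Account that a process spawned through exec() actually runs as.
function child_identity()
{
    $out = array();
    $rc  = 1;
    @exec('whoami', $out, $rc);
    return ($rc === 0 && isset($out[0])) ? $out[0] : '';
}

if (php_sapi_name() === 'cli') {
    // Constructed account names, for exercising the comparison offline.
    echo compare_identity('CORP\\alice', 'corp\\alice'), "\n";
    echo compare_identity('CORP\\alice', 'corp\\iwam_web01'), "\n";
} else {
    $logon = isset($_SERVER['LOGON_USER']) ? $_SERVER['LOGON_USER'] : '';
    $child = child_identity();
    header('Content-Type: text/plain');
    echo "LOGON_USER: $logon\nexec() runs as: $child\n";
    echo 'Result: ', compare_identity($logon, $child), "\n";
}
?>
```

A "mismatch" result on a site configured as in the report means spawned commands run with the IIS account's permissions rather than those of the logged-in user, so file ACLs written for that user are not what governs the child process.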