I have a web service which needs to execute a command on the server it's sitting on. Specifically, I'm running the "net start [certain service]" command. The problem lies in the permissions... the web service is running as NETWORK SERVICE, which doesn't have the appropriate permissions to execute this command. Is there a way (possibly using Windows.Security) such that I can execute this as a higher-privileged user?

** The command executes fine when run locally, but this needs to be executed through the service (the point of the service...)

When attempting to impersonate a user (using the MSDN example, http://msdn.microsoft.com/en-us/library/chf6fbt4.aspx):

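    using System;
    using System.Runtime.InteropServices;
    using System.Security.Permissions;
    using System.Security.Principal;

    // P/Invoke declaration used below (as in the MSDN example); SetLastError
    // is required for Marshal.GetLastWin32Error() to return a meaningful code.
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LogonUser(string lpszUsername, string lpszDomain,
        string lpszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken);

    [PermissionSetAttribute(SecurityAction.Demand, Name = "FullTrust")]
    static public string Impersonate(string userName, string domainName, string password)
    {
        IntPtr tokenHandle = new IntPtr(0);
        IntPtr dupeTokenHandle = new IntPtr(0);
        string output = "";
        try
        {
            const int LOGON32_PROVIDER_DEFAULT = 0;
            const int LOGON32_LOGON_INTERACTIVE = 2;
            output += "Set Token to ptrzero";
            tokenHandle = IntPtr.Zero;

            output += "getting return value";
            // Call LogonUser to obtain a handle to an access token
            bool returnValue = LogonUser(userName, domainName,
                password, LOGON32_LOGON_INTERACTIVE,
                LOGON32_PROVIDER_DEFAULT, ref tokenHandle);

            output += "LogonUser called";

            if (!returnValue)
            {
                int ret = Marshal.GetLastWin32Error();
                output += "\n LogonUser failed with error code: " + ret.ToString();
                // No valid token was returned, so do not attempt to impersonate
                return output;
            }
            else
                output += "\nLogonUser succeeded!";

            // Check the identity before impersonating:
            output += "\n current: " + WindowsIdentity.GetCurrent().Name;

            // The thread keeps impersonating after this method returns
            WindowsIdentity newId = new WindowsIdentity(tokenHandle);
            WindowsImpersonationContext impersonatedUser = newId.Impersonate();

            // Check the identity after impersonating:
            output += "\n after: " + WindowsIdentity.GetCurrent().Name;
        }
        catch (Exception ex)
        {
            output += ex.ToString();
        }
        return output;
    }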

I call the function to perform a shell execution (prior to execution I check if the current user is correct, which says the "current user" is my administrative-privileged account), but it still won't execute the same commands.

DUBYATOO
  • Your impersonation code looks OK, from memory. Check the output of `Environment.UserName` - it should match what `WindowsIdentity.GetCurrent().Name` returns. – Tim Robinson Dec 09 '10 at 20:13
  • Just checked the Environment.UserName, matches that of WindowsIdentity.GetCurrent().Name... I'm stumped on this – DUBYATOO Dec 09 '10 at 20:23

1 Answer

You should impersonate an admin user: Run Code as a different user (C#)

By the way, you shouldn't need to shell out to the net command. The ServiceController class can start and stop services.

Tim Robinson
  • I check the instance of servicecontroller's "CanPauseAndContinue", I get a false return... permission problem it seems. – DUBYATOO Dec 08 '10 at 22:44
  • Try `CanStop` - I've never seen a service that implements pause and continue functionality. Did you try impersonating? – Tim Robinson Dec 08 '10 at 23:29
  • CanStop also returns false, I'm trying to implement impersonating, so far no luck. – DUBYATOO Dec 09 '10 at 15:43
  • You could update your question with the details of how you're invoking impersonation, so someone could give you a hand. (Or maybe opening a second question would get more attention, if you get stuck.) – Tim Robinson Dec 09 '10 at 15:49
  • Sample code added above. And thanks for continually checking on this Tim, it's greatly appreciated! – DUBYATOO Dec 09 '10 at 20:06
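
The `ServiceController` approach suggested in the answer, as an added example (not code from the question or the answer): it starts a service, waits for it to reach Running, and on an access-denied failure reports which identity the call actually ran under. The names `ServiceStarter` and `TryStart` and the caller-supplied timeout are assumptions made for illustration.

```csharp
using System;
using System.ComponentModel;
using System.Security.Principal;
using System.ServiceProcess; // requires a reference to System.ServiceProcess.dll

static class ServiceStarter // hypothetical helper, not part of the original post
{
    const int ERROR_ACCESS_DENIED = 5; // Win32 error code

    // Returns a short status string the web method can log or return.
    public static string TryStart(string serviceName, TimeSpan timeout)
    {
        using (var sc = new ServiceController(serviceName))
        {
            try
            {
                // CanStop and CanPauseAndContinue describe what a *running*
                // service accepts, so both are false while it is stopped.
                // Status is the property to check before starting.
                if (sc.Status == ServiceControllerStatus.Running)
                    return "already running";

                sc.Start(); // the caller needs the right to start this service
                sc.WaitForStatus(ServiceControllerStatus.Running, timeout);
                return "started";
            }
            catch (System.ServiceProcess.TimeoutException)
            {
                sc.Refresh();
                return "timed out, status: " + sc.Status;
            }
            catch (Exception ex)
            {
                // The Win32 error is either the exception itself or the inner
                // exception of an InvalidOperationException.
                var win32 = ex as Win32Exception ?? ex.InnerException as Win32Exception;
                if (win32 != null && win32.NativeErrorCode == ERROR_ACCESS_DENIED)
                    return "access denied for " + WindowsIdentity.GetCurrent().Name;
                throw;
            }
        }
    }
}
```

The identity in the access-denied message is the one the service control call was made under, so it shows whether impersonation was in effect at that point.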