Is impersonation in Win32 per thread?

我的梦境 submitted on 2020-01-14 18:54:29

Question


Is calling ImpersonateSecurityContext on the server impersonating the client on the calling thread or for the entire process? The documentation is a bit vague on the matter as it states that "The function creates an impersonation token and allows the thread or process to run with the impersonation context".

I assume that impersonation is only for the calling thread; anything else would be strange, but I want to be sure.


Answer 1:


Per MSDN:

Client Impersonation

Impersonation is the ability of a thread to execute using different security information than the process that owns the thread. Typically, a thread in a server application impersonates a client. This allows the server thread to act on behalf of that client to access objects on the server or validate access to the client's own objects.

The Microsoft Windows API provides the following functions to begin an impersonation:
...
- A security package or application server can call the ImpersonateSecurityContext function to impersonate a client.

So impersonation is done on a per-thread basis.

Impersonation can be used to spawn a new process as the impersonated user (by using DuplicateTokenEx() and CreateProcessAsUser()) but impersonation never makes the calling process run as the impersonated user, only the calling thread.

In a server context, where multiple clients can be connected at the same time, it would be very dangerous if client impersonation was applied on a process-wide basis.



Source: https://stackoverflow.com/questions/28023447/is-impersonation-in-win32-per-thread
