Request #70961 Allow service control from less privileged process
Submitted: 2015-11-23 20:26 UTC Modified: 2018-10-08 18:39 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: bdagnin at incontrol dot co dot nz Assigned: jbnahan (profile)
Status: Closed Package: win32service (PECL)
PHP Version: 5.5.30 OS: Windows
Private report: No CVE-ID: None
 [2015-11-23 20:26 UTC] bdagnin at incontrol dot co dot nz
Description:
------------
Currently to start or stop a service, the PHP application must run with administrator level privileges.
This patch allows a less privileged process (e.g. running under an IIS application pool identity) with a sufficient DACL grant on the service to be able to start or stop it.

It works for me with a minimal explicit 'RPWPRC' grant on the service.

Please be careful when modifying a service ACL - recovery could become tricky.
The 'sc sdset' command overwrites the entire ACL - you must specify the full ACL, not just additions (use 'sc sdshow' to see the current one).

For reference "Best practices and guidance for writers of service discretionary access control lists": https://support.microsoft.com/en-us/kb/914392
The Sysinternals utility "PsGetsid.exe" can be used to determine the SID of an IIS application pool identity - https://technet.microsoft.com/en-us/sysinternals/bb897417.aspx

The patch is based on the v0.1.0 svn tag: http://svn.php.net/repository/pecl/win32service/tags/win32service-0.1.0


Patches

permit-service-acl.patch (last revision 2015-11-23 20:27 UTC by bdagnin at incontrol dot co dot nz)
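
The report's warning that 'sc sdset' replaces the whole ACL, worked through as an added example that is not part of the original report or of the win32service project: it takes the SDDL string printed by 'sc sdshow', appends one allow ACE carrying the 'RPWPRC' rights inside the DACL, and returns the complete string to pass to 'sc sdset'. The SDDL and SID are constructed sample values; the function names and the refusal to grant DC, WD or WO are choices made for this example.

```python
import re

# Service-specific meaning of the two-letter SDDL rights codes.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights that let the grantee reconfigure the service or rewrite its ACL.
ESCALATING = {"DC", "WD", "WO"}
SID_RE = re.compile(r"S-1-\d+(-\d+)+")

def split_rights(rights):
    """Split 'RPWPRC' into ['RP', 'WP', 'RC'], rejecting unknown codes."""
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    bad = [c for c in codes if c not in SERVICE_RIGHTS]
    if bad:
        raise ValueError(f"unknown service rights: {bad}")
    return codes

def decode_rights(rights):
    """Name each right in a rights string, e.g. RP -> SERVICE_START."""
    return [SERVICE_RIGHTS[c] for c in split_rights(rights)]

def add_allow_ace(current_sddl, sid, rights="RPWPRC"):
    """Return the full SDDL for 'sc sdset': every existing ACE plus one allow ACE."""
    sddl = current_sddl.strip()
    if not SID_RE.fullmatch(sid):
        raise ValueError("expected a numeric SID")
    risky = ESCALATING.intersection(split_rights(rights))
    if risky:
        raise ValueError(f"refusing to grant {sorted(risky)}")
    start = sddl.find("D:")
    if start < 0:
        raise ValueError("no DACL (D:) section in input")
    sacl = sddl.find("S:", start)          # 'sc sdshow' prints the SACL after the DACL
    end = len(sddl) if sacl < 0 else sacl
    ace = f"(A;;{rights};;;{sid})"
    if ace in sddl[start:end]:             # already granted: leave unchanged
        return sddl
    return sddl[:end] + ace + sddl[end:]   # append inside D:, before S:

# Constructed sample values, not taken from a real host.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
SAMPLE_SID = "S-1-5-82-1111111111-2222222222-3333333333-4444444444-5555555555"
```

Keep the original 'sc sdshow' output saved somewhere before applying the new string, so the previous ACL can be restored with 'sc sdset' if needed.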

 [2018-10-08 18:39 UTC] jbnahan@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: jbnahan
 [2018-10-08 18:39 UTC] jbnahan@php.net
The 0.3.0 release can run services without admin rights.

https://github.com/InExtenso/win32service/releases/tag/v0.3.0
 