PHP :: Request #70961 :: Allow service control from less privileged process

Allow service control from less privileged process

Submitted:

2015-11-23 20:26 UTC

Modified:

2018-10-08 18:39 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	0 of 1 (0.0%)

From:

bdagnin at incontrol dot co dot nz

Assigned:

jbnahan (profile)

Status:

Closed

Package:

win32service (PECL)

PHP Version:

5.5.30

OS:

Windows

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	bdagnin at incontrol dot co dot nz
New email:
PHP Version:		OS:

New Comment:

[2015-11-23 20:26 UTC] bdagnin at incontrol dot co dot nz

Description:
------------
Currently to start or stop a service, the PHP application must run with administrator level privileges.
This patch allows a less privileged process (eg: running under IIS application pool identity) with a sufficient DACL grant on the service to be able to start or stop it.

It works for me with a minimal explicit 'RPWPRC' grant on the service.

Please be careful when modifying a service ACL - recovery could become tricky.
The 'sc sdset' command overwrites the entire ACL - you must specify the full ACL, not just additions (use 'sc sdshow' to see the current one).

For reference "Best practices and guidance for writers of service discretionary access control lists": https://support.microsoft.com/en-us/kb/914392
The Sysinternals utility "PsGetsid.exe" can be used to determine the SID of an IIS application pool identity - https://technet.microsoft.com/en-us/sysinternals/bb897417.aspx

The patch is based on the v0.1.0 svn tag: http://svn.php.net/repository/pecl/win32service/tags/win32service-0.1.0

Patches

permit-service-acl.patch (last revision 2015-11-23 20:27 UTC by bdagnin at incontrol dot co dot nz)

Add a Patch

Pull Requests

Pull requests:

protect master branches except for the pecl repos against force pushes (karma/4)

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2018-10-08 18:39 UTC] jbnahan@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: jbnahan

[2018-10-08 18:39 UTC] jbnahan@php.net

The 0.3.0 release can run service without admin right.

https://github.com/InExtenso/win32service/releases/tag/v0.3.0

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 05:01:29 2024 UTC