EldoS | Feel safer!


Getting the real user from a network share

#22154
Posted: 10/24/2012 04:41:16
by Michael Dudenhoeffer (Standard support level)
Joined: 10/23/2012
Posts: 7

@Eugene
Thanks for the explanation regarding network access.

@Vladimir
The OnCanFileBeDeleted is in fact giving me the information required (original domain and username). Actually my workaround does save the user information in the OnCanFileBeDeleted callback, and when the OnFileDelete callback is called I restore the previously saved information there. Thank you for this solution.
But perhaps it's possible (in a future version of CBFS) that OnDeleteFile will also get the original user information. Only as a suggestion.
#22157
Posted: 10/24/2012 05:01:11
by Volodymyr Zinin (Team)

Quote
Michael Dudenhoeffer wrote:
But perhaps it's possible (in a future version of CBFS) that OnDeleteFile will also get the original user information. Only as a suggestion.

Yes. We will check it and correct the code if it's possible.
#39065
Posted: 05/02/2017 16:24:05
by Ivan P (Priority Standard support level)
Joined: 04/11/2011
Posts: 70

We are experiencing the same issue.

I'm testing the Mapper sample. I mount the disk as a network share and try to access it from another computer as a different domain user.

In this case GetOriginatorToken() called from the CbfsOpenFile() callback returns the token of "NT AUTHORITY\SYSTEM".

I tried 2 ways of mounting a disk:
1. Using CBFS mount point with CBFS_SYMLINK_NETWORK.
2. Using Windows ability to share a drive letter.

In both cases I wasn't able to get the original user who accessed the share.

Is there any way to identify remote user?

CBFS 6.1.84
Mapper works on Windows 7 x64
Connection was made from Windows 7 and Server 2012 R2
#39082
Posted: 05/03/2017 08:33:11
by Volodymyr Zinin (Team)

It is the system component that supports network shares that specifies "NT AUTHORITY\SYSTEM" during file opening. Unfortunately CBFS can't do anything in this case.
#39083
Posted: 05/03/2017 09:21:57
by Ivan P (Priority Standard support level)
Joined: 04/11/2011
Posts: 70

What a pity!

I posted a suggestion to CBFS wishlist.

BTW: how does Windows check file permissions through the share?
#39084
Posted: 05/03/2017 09:37:32
by Eugene Mayevski (Team)

It is not possible to obtain the name of the user if the SMB manager doesn't give it.

It's the SMB server, which handles shared resources, that checks user permissions on authenticated shares. And once the permissions are checked, it acts on behalf of the client, but doesn't necessarily give the client's user name. It is the voluntary decision of the SMB server developers to provide or not provide the client user name.

Maybe, if you make your own share (not by using the flags when calling AddMountingPoint, but by calling WNet* functions directly), you will be able to configure the share to be authenticated. But this is beyond the scope of Callback File System, and we don't have information about how this can work.


Sincerely yours
Eugene Mayevski
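Ivan's question above (how Windows checks file permissions through the share) and Eugene's answer (the SMB server authenticates the client, then acts on its behalf) point at where the real identity is recorded: not in the file-system driver, which may see NT AUTHORITY\SYSTEM, but in the SMB server's own session table. The following is an added example, not code from this thread or from the CBFS samples, showing how an operator can correlate open files on a share with the authenticated client user, alongside the share-level and NTFS ACLs that are the two checks the server performs. It assumes the SmbShare cmdlets (Windows 8 / Server 2012 and later; the Get-SmbShare, Get-SmbShareAccess, Get-SmbSession, Get-SmbOpenFile cmdlets are real, the function name Get-ShareClientActivity and the share name 'Mapper' are mine), and an elevated session.

```powershell
# Added example, not part of the thread or the CBFS samples.
# Assumes: PowerShell 3+ with the SmbShare module (Windows 8 / Server 2012
# or later) and an elevated session. Get-ShareClientActivity is a hypothetical
# name chosen here; the cmdlets it calls are standard.
#
# The file-system driver under a share may see NT AUTHORITY\SYSTEM on open.
# The SMB server is the component that authenticated the client, so ask it:
# it records which session (ClientUserName / ClientComputerName) holds each open.

function Get-ShareClientActivity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ShareName
    )

    $share  = Get-SmbShare -Name $ShareName -ErrorAction Stop
    $prefix = $share.Path.TrimEnd('\') + '\'

    # Share-level ACL (Full / Change / Read): the first check the SMB server makes.
    $shareAcl = Get-SmbShareAccess -Name $ShareName |
        Select-Object AccountName, AccessControlType, AccessRight

    # Index sessions by SessionId so each open file can be tied to its client.
    $sessions = @{}
    foreach ($s in Get-SmbSession) { $sessions[$s.SessionId] = $s }

    # Only opens whose local path lies under this share's root.
    $opens = Get-SmbOpenFile | Where-Object { $_.Path -like ($prefix + '*') }

    $rows = foreach ($open in $opens) {
        $session = $sessions[$open.SessionId]
        $user    = $open.ClientUserName

        # Anonymous or guest sessions never map to a domain principal; flag them.
        $isAnonymous = ($user -eq 'NT AUTHORITY\ANONYMOUS LOGON') -or ($user -like '*\Guest')

        # NTFS ACL on the file itself: the second check, evaluated while the
        # server impersonates the client. Listed for the operator's inspection;
        # this script does not recompute the access decision.
        $ntfs = (Get-Acl -LiteralPath $open.Path).Access |
            ForEach-Object { '{0}:{1}:{2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights }

        [pscustomobject]@{
            ShareRelativePath  = $open.ShareRelativePath
            ClientUserName     = $user
            ClientComputerName = $open.ClientComputerName
            Dialect            = if ($session) { $session.Dialect } else { $null }
            OpenPermissions    = $open.Permissions
            AnonymousOrGuest   = $isAnonymous
            NtfsAces           = ($ntfs -join '; ')
        }
    }

    [pscustomobject]@{
        Share     = $share.Name
        LocalPath = $share.Path
        ShareAcl  = $shareAcl
        OpenFiles = @($rows)
    }
}

# Usage (elevated), with a share name assumed for illustration:
#   $a = Get-ShareClientActivity -ShareName 'Mapper'
#   $a.ShareAcl  | Format-Table
#   $a.OpenFiles | Format-Table ShareRelativePath, ClientUserName, ClientComputerName, OpenPermissions
```

Two caveats a practitioner will run into. First, this is a point-in-time view from the server's side: it tells you who holds an open right now, it does not hand a token to a file-system callback, so it complements rather than replaces whatever the driver can obtain. Second, the SmbShare module does not exist on Windows 7, which is what the Mapper host in this thread runs; there the older `net session` and `openfiles /query /v` commands show the same session-to-user association, with less detail.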
#39085
Posted: 05/03/2017 10:59:12
by Ivan P (Priority Standard support level)
Joined: 04/11/2011
Posts: 70

I see. I can configure Windows share permissions, but they are different from file system permissions. And the SMB server somehow checks FS permissions as well: even though the share is RW-accessible for all, access to specific files is denied for users with insufficient permissions.

I did a small test with Process Monitor and I can see there is some impersonation info in the 'details' section of events.

Maybe it's possible for CBFS to obtain an impersonation token of a calling thread?
#39088
Posted: 05/03/2017 12:22:19
by Volodymyr Zinin (Team)

Thank you for the information. I will explore it and then write the result here.
#39097
Posted: 05/04/2017 04:20:15
by Volodymyr Zinin (Team)

I have not been able to reproduce it. Could you please specify in details how to do it?
Thanks.
#39166
Posted: 05/11/2017 17:14:37
by Ivan P (Priority Standard support level)
Joined: 04/11/2011
Posts: 70

Sorry, that was my fault.

I did deeper testing and found that only some Open and Enumerate callbacks come from the SYSTEM user, but other callbacks do come with an impersonation token and I could successfully impersonate remote users.

Sincerely,
IP
