Jump to content

Run part of code as other user.

WJST

By WJST,
in AutoIt General Help and Support

 Share

Recommended Posts

WJST Seeker

WJST

Posted
Posted (edited)

Good day,

Since a few years I use AutoIt to create little tools for myself making the support of our it environment a bit easyer. But now I'm in a clash.

I want to create a tool, which allows users to do something they don't have the right for to do it. So I want to incorporate some kind of "run as" feature in it. This can off-course be done by using the RunAs function, however, that would meen I need to create some other exe file what'll do it for me, and I don't want that.

So is it possible, to create a script with domain user credentials and a password embedded in it to allow part of the code to be run as an "elevated rights domain user"?

In this case I use functions from services.au3 to visualize the restarting of specific services on remote applicationservers

I hope somebody knows the answer to this ;)

Thanks.

Edited by WJST
Link to comment
Share on other sites
iamtheky Universalist

iamtheky

Posted
Posted (edited)

not utilizing the services.au3 but something along these lines should allow you to stop/start remotely

runas ("DomainUser" , "Domain" , "passwor*" , 1 , "cmd /c " & "sc SERVER stop MySERVICE")
runas ("DomainUser" , "Domain" , "passwor*" , 1 , "cmd /c " & "sc SERVER start MySERVICE")
Edited by iamtheky 

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Link to comment
Share on other sites
PsaltyDS Universalist

PsaltyDS

Posted
Posted (edited)

Nobody is going to like the idea of embedding domain level credentials in a script. It is not secure and should not be done. There are other options, for instance: Have the client scripts post/send a request to a server where a monitor script, running with require perms, sees the request and remotely performs that action over the network. The clients never have to get perms to do anything except send the request. The monitor script is the only one with elevated perms.

;)

not utilizing the services.au3 but something along these lines should allow you to stop/start remotely

runas ("DomainUser" , "Domain" , "passwor*" , 1 , "cmd /c " & "sc SERVER stop MySERVICE")
runas ("DomainUser" , "Domain" , "passwor*" , 1 , "cmd /c " & "sc SERVER start MySERVICE")
@iamtheky: That doesn't answer the question of where the client gets those credentials from. Storing them in the script source is unsafe. But in the idea I posted above, the monitor script could use a simpler command line without credentials because the monitor already has the perms. Something like: 
; $sTarget was parsed from the client request
Run("sc.exe " & $sTarget & " start Your_Service_Name")

:)

Edited by PsaltyDS
Valuater's AutoIt 1-2-3, Class... Is now in Session!For those who want somebody to write the script for them: RentACoder"Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law
Link to comment
Share on other sites
iamtheky Universalist

iamtheky

Posted
Posted

"to create a script with domain user credentials and a password embedded in it"

Since the OP asked in such a way...

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Link to comment
Share on other sites
WJST Seeker

WJST

Posted
  • Author
Posted

Nobody is going to like the idea of embedding domain level credentials in a script. It is not secure and should not be done. There are other options, for instance: Have the client scripts post/send a request to a server where a monitor script, running with require perms, sees the request and remotely performs that action over the network. The clients never have to get perms to do anything except send the request. The monitor script is the only one with elevated perms.

I do realise that, but that's not an issue to be honest. Utilizing a 2nd monitoring script is a good idea in some cases, however, in this case it's not possible. Hence my question ;)

@iamtheky:

Yes, that's true and also a reasonable option, however, it's pretty limited.. It doesnt give all the options I'm looking for in this case, like being able to interact with a simple gui..

That's why I like the services.au3 options for the diagnostic options in it.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...