The secret of IIS7's security magic: Service SID
Published 2008-08-04 at https://soci.hu/blog/index.php/2008/08/04/az-iis7-secu-magia-titka-service-sid/ (categories: szakmai-elet, security, vista, windows-server-2008)

In IIS7 they arranged it so that even when many worker processes run under a single account, they STILL cannot read each other's protected files. So web apps can be isolated DESPITE running under one account (even if that is not the recommended configuration for hosters). But how on earth? Until now I did not know, but I have found the answer: Service SID (http://technet.microsoft.com/en-us/library/cc748650.aspx).

"Service SIDs protect access to resources owned by a particular service, but by default services still have access to all the objects that the user account in which they run can access. For example, a service running in the Local Service account might not be able to access resources created by another service running as Local Service in a different process that has protected its objects with permissions referencing a service SID; however, it can still read and write any objects to which Local Service (and any groups to which Local Service belongs, like the Service group) has permissions.

Windows Vista therefore introduces a new restricted service type called a write-restricted service that permits a service write access only to objects accessible to its service SID, the Everyone group, and the SID assigned to the logon session. To accomplish this, it uses restricted SIDs, a SID type introduced back in Windows 2000. When the process opening an object is a write-restricted service, the access-check algorithm changes so that a SID that has not been assigned to a process in both restricted and unrestricted forms cannot be used to grant the process write access to an object."

The only thing I still don't get is how this is used for the IIS worker processes, since those are not services. If I ever find the answer, I'll write it up.
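To make the quoted mechanism concrete, here is an added PowerShell example; it is not from the original post and not from Microsoft's documentation. It derives a service SID from a service name offline (the SID is S-1-5-80- followed by the SHA-1 of the upper-cased UTF-16LE name read as five little-endian 32-bit integers, which is why it is stable and resolvable even for a service that is not installed), cross-checks the result against sc.exe showsid, then protects a file with an ACL that names only one service SID plus SYSTEM and Administrators, so a second service running under the same account (say both as LOCAL SERVICE) has no ACE that lets it in. The service names SvcA and SvcB are hypothetical placeholders; the ACL part assumes an elevated prompt on Windows Vista / Server 2008 or later.

```powershell
# Added example, not part of the original post.
# Assumptions: Windows Vista / Server 2008 or later; elevated prompt for the
# ACL steps; "SvcA" and "SvcB" are hypothetical service names.

function Get-ServiceSid {
    # Service SID = S-1-5-80-<a>-<b>-<c>-<d>-<e>, where a..e are the SHA-1
    # digest of the upper-cased service name (UTF-16LE, no BOM), read as five
    # little-endian 32-bit integers. Derived, not stored, so it works for a
    # name that is not installed anywhere.
    param([Parameter(Mandatory = $true)][string]$ServiceName)
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant())
    $hash  = $sha1.ComputeHash($bytes)
    $sha1.Dispose()
    $subs  = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($hash, $_ * 4) }
    return 'S-1-5-80-' + ($subs -join '-')
}

# 1. Cross-check the derivation against what the Service Control Manager reports.
$name     = 'TrustedInstaller'
$computed = Get-ServiceSid -ServiceName $name
$scmLine  = sc.exe showsid $name | Select-String -Pattern 'SERVICE SID:'
"derived : $computed"
"sc.exe  : $scmLine"

# 2. Protect a file with a service SID instead of with the account.
#    Both SvcA and SvcB might run as LOCAL SERVICE and so share the account SID;
#    a DACL that names only SvcA's service SID (plus SYSTEM/Administrators)
#    gives SvcB nothing to match on, which is the isolation the post describes.
$path = Join-Path -Path $env:ProgramData -ChildPath 'svca-only.txt'
Set-Content -Path $path -Value 'readable by SvcA, not by SvcB'

$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)        # stop inheriting, drop inherited ACEs
foreach ($admin in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $admin, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
# Use the raw SID object: no name lookup is needed, so this works even though
# SvcA is not installed on this machine.
$svcA = New-Object System.Security.Principal.SecurityIdentifier((Get-ServiceSid -ServiceName 'SvcA'))
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($svcA, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Resulting DACL: three ACEs, none of them for LOCAL SERVICE or for SvcB.
# The SvcA entry shows as a raw SID because the name cannot be recovered
# from the hash for a service that is not installed.
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# 3. Caveat: the service SID is only placed in the service's token once the
#    SCM is told to add it (the default SID type is NONE). "unrestricted" adds
#    the SID; "restricted" also makes the service write-restricted, the mode the
#    quoted text describes. Guarded so the script runs when SvcA does not exist.
if (Get-Service -Name 'SvcA' -ErrorAction SilentlyContinue) {
    sc.exe sidtype SvcA restricted
    sc.exe qsidtype SvcA
}
```

Step 3 is the check a practitioner should not skip: an ACL that references a service SID grants nothing to a service whose SID type is still NONE, and in that default state the service is confined only by the account it runs under, exactly as the quoted paragraph warns.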