Re: [squid-users] External Script for checks

From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
Date: Fri, 09 Oct 2009 02:00:12 +0200

tor 2009-10-08 klockan 20:29 +0200 skrev Stefan Dengscherz:

> As you can see squid basically "fingers" the currently logged on user
> from the registry using winexe (http://eol.ovh.org/winexe/). Keep in
> mind this is rather a hack rather than a real authentication - it
> won't even deny unknown users (and every local machine admin can
> impersonate other users by changing the registry key)! Still, it does
> the job for me very well and better than clumbsy authentication
> against the AD via NTLM/Kerberos/LDAP.

Wow, that winexe tool does a really nasty thing. But quite obvious way
to do what it's designed for when you think about it... I surely hope it
places sufficient access restrictions on the "ahexe" named pipe it sets
up on the called client stations.. Running things in SYSTEM context
gives you a whole lot more powers than a normal Administrator.

Would be much more comfortable if a remote registry access was being
done ala regedit than remote execution of commands in SYSTEM
privilege..

Regards
Henrik
Received on Fri Oct 09 2009 - 00:00:23 MDT

This archive was generated by hypermail 2.2.0 : Fri Oct 09 2009 - 12:00:02 MDT