Run KeyView with Reduced Privileges
KeyView, by default, runs as the same user and has the same privileges as the application that calls it. When you run KeyView in-process this cannot be changed. When you run KeyView out-of-process, you can choose to run KVOOP (the out-of-process server) as a different user with reduced privileges. This feature might be useful if your application has to run with elevated privileges, but you want to run KeyView with limited privileges.
To run KVOOP with reduced privileges on Windows
- Use KVStructInit() to initialize a KV_SET_OOP_USER structure and provide the username, password, and domain of the user to run KVOOP as. Pass this structure to fpSetConfig(), using the option KVFLT_SETOOPUSERWIN.

  This will log on the user and create a window station and desktop for the user. KeyView does not store the credentials passed to fpSetConfig. The KVOOP process will then restart and run as the specified user. Whenever KVOOP is restarted after this, it will start as the specified user, unless the option is disabled or a different user is specified by calling fpSetConfig again.

  NOTE: The main application needs sufficient privileges to start a process as another user. For example, add the user running the main application to the Administrators group, grant the “Replace a process level token” right in addition to the rights that the Administrators group has by default, and run the application with elevated privileges. If your application does not run with these privileges then the call to fpSetConfig will fail.
To run KVOOP with reduced privileges on Linux or macOS
- Use KVStructInit() to initialize a KV_SET_OOP_USER structure and provide the user ID and group ID to use for running KVOOP. Pass this structure to fpSetConfig(), using the option KVFLT_SETOOPUSERUNIX.

  After the KVOOP process has been created, it changes user and group to those specified, by passing uid to setreuid(), and gid to setregid(). If the current effective user is root, supplementary group IDs are also removed, using setgroups(). This means that once completed, the real, effective, and saved user IDs are set to uid, and the real, effective, saved, and supplementary group IDs are all set to gid.

  The KVOOP process then checks to ensure that an attacker cannot regain additional privileges. KVOOP attempts to change to the root user and group, and then attempts to change to the original user and group. If either of these succeeds, the KVOOP process terminates immediately.
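The drop-then-verify sequence described above, written out as an added example (this is not KeyView's code). The function names drop_privileges and drop_in_child are hypothetical, the target ID 65534 is a constructed sample value, and clearing the supplementary group list to empty is an assumption about how the groups are "removed".

```c
#define _DEFAULT_SOURCE            /* glibc: expose setgroups() and seteuid() */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Drop to uid/gid, then prove the drop is permanent. Returns 0 on success,
 * -1 if the drop failed or any privilege could be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t old_uid = geteuid();
    gid_t old_gid = getegid();

    /* Only root may change supplementary groups, and only before the uid
     * change. Assumption: "removed" is modelled here as an empty list. */
    if (old_uid == 0 && setgroups(0, NULL) != 0) return -1;
    /* Group before user: once the uid is dropped, setregid() is refused. */
    if (setregid(gid, gid) != 0) return -1;
    if (setreuid(uid, uid) != 0) return -1;

    /* Every attempt below must fail; a success means a saved ID survived.
     * Targets equal to the new IDs are skipped because they prove nothing. */
    if (uid != 0 && seteuid(0) == 0) return -1;
    if (gid != 0 && setegid(0) == 0) return -1;
    if (old_uid != uid && seteuid(old_uid) == 0) return -1;
    if (old_gid != gid && setegid(old_gid) == 0) return -1;
    return 0;
}

/* Stand-in for the out-of-process model: the caller keeps its privileges and
 * only the forked worker drops. Returns the worker's exit status (0 = safe). */
int drop_in_child(uid_t uid, gid_t gid)
{
    int status = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(drop_privileges(uid, gid) == 0 ? 0 : 1); /* fail closed */
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed targets: root drops to 65534; an unprivileged caller can
     * only "drop" to its own IDs. */
    uid_t uid = geteuid() == 0 ? 65534 : getuid();
    gid_t gid = geteuid() == 0 ? 65534 : getgid();
    printf("worker exit status: %d\n", drop_in_child(uid, gid));
    return 0;
}
```

The order matters: setgroups() and setregid() must run while the process still has the privilege to call them, so the user ID is changed last.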