Run KeyView with Reduced Privileges

KeyView, by default, runs as the same user and has the same privileges as the application that calls it. When you run KeyView in-process, this cannot be changed. When you run KeyView out-of-process, you can choose to run the out-of-process server as a different user with reduced privileges. This feature is useful if your application has to run with elevated privileges, but you want KeyView, which parses untrusted documents, to run with limited privileges.

To run the out-of-process server with reduced privileges on Windows

  • Use KVStructInit() to initialize a KV_SET_OOP_USER structure and provide the username, password, and domain of the user to run the out-of-process server as. Pass this structure to fpSetConfig(), using the option KVFLT_SETOOPUSERWIN.

    This step logs on the user and creates a window station and desktop for the user. KeyView does not store the credentials passed to fpSetConfig(). The out-of-process server process then restarts and runs as the specified user. Whenever you restart the out-of-process server after this, it starts as the specified user, unless the option is disabled or you specify a different user by calling fpSetConfig() again.

    NOTE: The main application needs sufficient privileges to start a process as another user. For example, add the user running the main application to the Administrators group, grant the "Replace a process level token" right in addition to the rights that the Administrators group has by default, and run the application with elevated privileges. If your application does not run with these privileges, the call to fpSetConfig() fails.

To run the out-of-process server with reduced privileges on Linux or MacOS

  • Use KVStructInit() to initialize a KV_SET_OOP_USER structure and provide the user ID and group ID to use to run the out-of-process server. Pass this structure to fpSetConfig(), using the option KVFLT_SETOOPUSERUNIX.

    After the out-of-process server process has been created, it changes user and group to those specified, by passing uid to setreuid(), and gid to setregid(). If the current effective user is root, the out-of-process server also removes supplementary group IDs, by using setgroups(). After this step is completed, the real, effective, and saved user IDs are set to uid, and the real, effective, saved, and supplementary group IDs are all set to gid.

    The out-of-process server process then checks to ensure that an attacker cannot regain additional privileges. The out-of-process server attempts to change to the root user and group, and then attempts to change to the original user and group. If either of these succeed, the out-of-process server process terminates immediately.
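The following is an added example, not KeyView's own code, showing the Linux/macOS privilege-drop sequence described above together with the regain check that follows it. The function names drop_privileges() and privileges_can_be_regained() are assumed for this illustration.

```c
/* Added example: privilege drop and regain check as described for the
 * KeyView out-of-process server. Not KeyView's own code. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Change to uid/gid. Supplementary groups and the gid must be changed
 * while the effective user is still root, because once setreuid() has
 * dropped to an unprivileged user neither call is permitted any more.
 * Returns 0 on success, -1 on failure; a caller must abort on failure
 * rather than continue with whatever privileges remain. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                   /* clear supplementary group IDs */
    if (setregid(gid, gid) != 0)     /* real, effective and saved gid */
        return -1;
    if (setreuid(uid, uid) != 0)     /* real, effective and saved uid */
        return -1;
    return 0;
}

/* Returns 1 if the process can still become root or the original
 * user/group (i.e. the drop was incomplete), 0 if every attempt is
 * refused. Assumption: orig_uid/orig_gid differ from the IDs dropped
 * to; if they are equal, switching "back" trivially succeeds and this
 * reports 1, so callers should only pass the pre-drop IDs. */
int privileges_can_be_regained(uid_t orig_uid, gid_t orig_gid) {
    if (setreuid(0, 0) == 0 || setregid(0, 0) == 0)
        return 1;
    if (setreuid(orig_uid, orig_uid) == 0 || setregid(orig_gid, orig_gid) == 0)
        return 1;
    return 0;
}

/* Stand-alone use: drop to the uid and gid given on the command line. */
int main(int argc, char **argv) {
    if (argc != 3) { fprintf(stderr, "usage: %s uid gid\n", argv[0]); return 2; }
    uid_t orig_uid = getuid();
    gid_t orig_gid = getgid();
    if (drop_privileges((uid_t)atol(argv[1]), (gid_t)atol(argv[2])) != 0)
        return 1;
    if (privileges_can_be_regained(orig_uid, orig_gid))
        return 1;                    /* server would terminate here */
    printf("running as uid %u gid %u\n", (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

When the process starts as root, the first two setreuid()/setregid() attempts in privileges_can_be_regained() fail only because the saved IDs were also replaced; a drop that used seteuid() alone would leave the saved uid at 0 and the check would report 1.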