Run KeyView with Reduced Privileges
KeyView, by default, runs as the same user and has the same privileges as the application that calls it. When you run KeyView in-process this cannot be changed. When you run KeyView out-of-process, you can choose to run the out-of-process server as a different user with reduced privileges. This feature might be useful if your application has to run with elevated privileges, but you want to run KeyView with limited privileges.
To run the out-of-process server with reduced privileges on Windows
- Use KVStructInit() to initialize a KV_SET_OOP_USER structure and provide the username, password, and domain of the user to run the out-of-process server as. Pass this structure to fpSetConfig(), using the option KVFLT_SETOOPUSERWIN.

This step logs on the user and creates a window station and desktop for the user. KeyView does not store the credentials passed to fpSetConfig(). The out-of-process server process then restarts and runs as the specified user. Whenever you restart the out-of-process server after this, it starts as the specified user, unless the option is disabled or you specify a different user by calling fpSetConfig() again.

NOTE: The main application needs sufficient privileges to start a process as another user. For example, add the user running the main application to the Administrators group, grant it the "Replace a process level token" right in addition to the rights that the Administrators group has by default, and run the application with elevated privileges. If your application does not run with these privileges, the call to fpSetConfig() fails.
To run the out-of-process server with reduced privileges on Linux or MacOS
- Use KVStructInit() to initialize a KV_SET_OOP_USER structure and provide the user ID and group ID to use to run the out-of-process server. Pass this structure to fpSetConfig(), using the option KVFLT_SETOOPUSERUNIX.

After the out-of-process server process has been created, it changes user and group to those specified, by passing uid to setreuid() and gid to setregid(). If the current effective user is root, the out-of-process server also removes supplementary group IDs by using setgroups(). After this step is completed, the real, effective, and saved user IDs are set to uid, and the real, effective, saved, and supplementary group IDs are all set to gid.

The out-of-process server process then checks to ensure that an attacker cannot regain additional privileges. It attempts to change to the root user and group, and then attempts to change to the original user and group. If either of these attempts succeeds, the out-of-process server process terminates immediately.
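The privilege drop and the regain check described above, as an added C example that is not KeyView's own code: drop_privileges(), can_regain_privileges() and switch_to_reduced_user() are hypothetical names, and skipping the original-identity probe when the original identity equals the target is this example's assumption, not something the page states.

```c
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to uid/gid. Groups go first: once the user is no longer root,
 * setgroups() and setregid() to other groups would be refused.
 * Returns 0 on success, -1 if a call fails or an id did not change. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) /* root only */
        return -1;
    /* real == effective also updates the saved id on Linux */
    if (setregid(gid, gid) != 0 || setreuid(uid, uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Post-drop probe from the page: 1 if the process can still become root or
 * return to its original identity, 0 if every attempt is refused. Skipping
 * the original-identity probe when it equals the target is this example's
 * own choice (assumption): there is nothing to regain in that case. */
int can_regain_privileges(uid_t orig_uid, gid_t orig_gid, uid_t uid, gid_t gid)
{
    if (setreuid(0, 0) == 0 || setregid(0, 0) == 0)
        return 1;
    if (orig_uid != uid && setreuid(orig_uid, orig_uid) == 0)
        return 1;
    if (orig_gid != gid && setregid(orig_gid, orig_gid) == 0)
        return 1;
    return 0;
}

/* Whole sequence. 0: now safely running as uid/gid. -1: drop failed.
 * 1: privileges could be regained; the caller must terminate at once,
 * which is what the out-of-process server does. */
int switch_to_reduced_user(uid_t uid, gid_t gid)
{
    uid_t orig_uid = geteuid();
    gid_t orig_gid = getegid();
    if (drop_privileges(uid, gid) != 0)
        return -1;
    return can_regain_privileges(orig_uid, orig_gid, uid, gid);
}
```

Run as root with an unprivileged uid/gid to see a real drop; as an unprivileged user, only dropping to the current identity succeeds, and the root probes are refused.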