Can I start another application from a driver code? The code is written in C and compiled with DDK.
I don't think so. Instead:
You can have a service which sends down a DeviceIoControl to the device.
The device then keeps (doesn't complete) the associated IOCTL
When the device wants to launch the application, then it completes the IOCTL
When the service notices that its DeviceIoControl has been completed, then it starts the other application
A service could launch an application but I don't know whether it can launch it on the user's desktop. If you want the launched application to interact with the logged-in end-user user then, instead of having a service as described above, it would be better to put the DeviceIoControl functionality in a (visible or invisible) application, which is started automatically in the user's workstation when the user logs in.
If you do this then beware assuming that there is only one logged-in user (there may be many, on a Citrix/terminal server).
Related
I'm pretty new to Kerberos. I'm testing the Single Sign On feature using Kerberos. The environment: Windows clients (with Active Directory authentication) connecting to an Apache server running on Linux machine. The called cgi script (in Perl) connects to a DB server using the forwarded user TGT. Everything works fine (I have the principals, the keytab files, config files and the result from the DB server :) ). So, if as win_usr_a on Windows side I launch my CGI request, the CGI script connects to the remote DB and queries select user from dual and it gets back win_usr_a#EXAMPLE.COM.
I have only one issue I'd like to solve. Currently the credential cache stored as FILE:.... On the intermediate Apache server, the user running the Apache server gets the forwarded TGTs of all authenticated users (as it can see all the credential caches) and while the TGTs lifetime are not expired it can requests any service principals for those users.
I know that the hosts are considered as trusted in Kerberos by definition, but I would be happy if I could limit the usability of the forwarded TGTs. For example can I set the Active Directory to limit the forwarded TGT to be valid only to request a given service principal? And/Or is there a way to define the forwarded TGT to make it able to be used only once, namely after requesting any service principal, become invalid. Or is there a way the cgi script could detect if the forwarded TGT was used by someone else (maybe check a usage counter?).
Now I have only one solution. I can define the lifetime of the forwarded TGT to 2 sec and initiate a kdestroy in the CGI script after the DB connection is established (I set that the CGI script can be executed by the apache-user, but it cannot modify the code). Can I do a bit more?
The credential caches should be hidden somehow. I think defining the credential cache as API: would be nice, but this is only defined for Windows. On Linux maybe the KEYRING:process:name or MEMORY: could be a better solution as this is local to the current process and destroyed when the process is exited. As I know apache create a new process for a new connection, so this may work. Maybe KEYRING:thread:name is the solution? But - according to the thread-keyring(7) man page - it is not inherited by clone and cleared by execve sys call. So, if e.g. Perl is called by execve it will not get the credential cache. Maybe using mod_perl + KEYRING:thread:name?
Any idea would be appreciated! Thanks in advance!
The short answer is that Kerberos itself does not provide any mechanism to limit the scope of who can use it if the client happens to have all the necessary bits at a given point in time. Once you have a usable TGT, you have a usable TGT, and can do with it what you like. This is a fundamentally flawed design as far as security concerns go.
Windows refers to this as unconstrained delegation, and specifically has a solution for this through a Kerberos extension called [MS-SFU] which is more broadly referred to as Constrained Delegation.
The gist of the protocol is that you send a regular service ticket (without attached TGT) to the server (Apache) and the server is enlightened enough to know that it can exchange that service ticket to itself for a service ticket to a delegated server (DB) from Active Directory. The server then uses the new service ticket to authenticate to the DB, and the DB see's it's a service ticket for win_usr_a despite being sent by Apache.
The trick of course is that enlightenment bit. Without knowing more about the specifics of how the authentication is happening in your CGI, it's impossible to say whether whatever you're doing supports [MS-SFU].
Quoting a previous answer of mine (to a different question, focused on "race conditions" when updating the cache)
If multiple processes create tickets independently, then they have no
reason to use the same credentials cache. In the worst case they would
even use different principals, and the side effects would be...
interesting.
Solution: change the environment of each process so that KRB5CCNAME
points to a specific file -- and preferably, in an
application-specific directory.
If your focus in on securing the credentials, then go one step further and don't use a cache. Modify your client app so that it creates the TGT and service tickets on-the-fly and keeps it private.
Note that Java never publishes anything to the Kerberos cache; it may either read from the cache or bypass it altogether, depending on the JAAS config. Too bad the Java implementation of Kerberos is limited and rather brittle, cf. https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/sections/jdk_versions.html and https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/sections/jaas.html
How to open a desktop application(like Nuke) through browser.
for example: RV software have a url protocol. we can use that (rvlink://).
I think this is what you're looking for:
https://support.shotgunsoftware.com/hc/en-us/articles/219031308-Launching-applications-using-custom-browser-protocols
Note that this is asking your operating system to "launch the thing registered with the requested custom browser protocol". Similarly you can have a hyperlink mailto:/// which opens the email application registered on the users computer. rvlink:/// is registered by RV as one of these custom browser protocols during it's installation.
If you want more control you would need a process running on the user's machine that you interact with. For example that's the approach shotgun's competitor ftrack took leveraging a local process they call ftrack connect (http://ftrack-connect.rtd.ftrack.com/en/0.1.17/developing/tutorial/custom_applications.html)
If you want to run something completely custom you could take a look at running your own RPC. You would initiate the registered RPC command from the web application. Check out http://www.zerorpc.io/ or https://crossbar.io/ for some more information.
Good luck!
I spotted in an earlier response of yours that you're using Shotgun and it's launch in RV features. In which case - are you aware of Shotgun Toolkit?
https://support.shotgunsoftware.com/hc/en-us/articles/219039788-Toolkit-Home-Page
It provides app launching via the website, which it accomplishes via Shotgun desktop (a desktop app). It used to work via a browser method that chrome etc moved away from so now requires the desktop app hook.
There's actually a huge amount that SGTK does, though I think you might be able to disable everything except the app launching if you wanted. We've got it implemented across 4 locations here and it's pretty decent.
I am developing an application and decided Nagios3 for performing monitoring stuff. But I am stuck at two points. I am using check_http plug-in for monitoring load on my service api. Now I want to perform below tasks.
I need to set a threshold in check_http for performing some task after crossing that threshold. I tried below command
'check_command check_nrpe_1arg!check_service_api'
but it only tells me the load, not any threshold is set. while below one doesn't work.
'check_command check_service_api!100!200'
I need to send simple text message on some port(my application).
I am new to Nagios, so please help me figuring out the solution except email notification stuff.
There is a check command that you can download called "notify_sms" that integrates with an API server hosted by a company called Esendex. They charge for their service but it works well.
I use NLog's WebService target in Silverlight and run into a problem if the logging service is unavailable.
What happens is that all calls to the logging service hang for a long time until they time out.
This is firstly ugly and secondly problematic in the face of a request limit, which I have under my given circumstances. After the request limit is reached due to several pending logging requests, the application also fails to make requests that are not logging related.
Ideally I'd like a WebService target that sends the requests sequentially, but I can't configure it to do that, can I?
Since I have full control about the logging server I could also move to a different target, but I'd rather have a purely configuration-based solution.
Some time back I implemented a logging target like that for Silverlight. We were using Common.Logging for .NET and it did not support Silverlight. So, we ported part of Common.Logging to Silverlight and implemented a "logging service adapter" to send our logging messages to a logging service. I implemented a logging queue using the producer/consumer pattern. Maybe you will find it useful.
In the end, the project that I was working on when I implemented this didn't go anywhere, so this particular piece of code is not in use.
Using WCF service via async interface from worker thread, how do I ensure that events are sent from the client "in order"
I have one very weird question.
There are 2 Silverlight Client
1. Admin
2. User
Now, I want a scenario wherein the Admin Silverlight can initiate a function call on the User Silverlight.
Pretty much a newbie with SL so wonder if that would be possible.
I'd appreciate any help.
Thanks
I suppose the applications are not in the same browser / machine, and when you describe the usage pattern as admin and user, I take that there are probably more users than admins.
You might want to take a look at duplex bindings for WCF services - this is a web service binding that allows pushing notifications to clients from the server. When all clients establish such a channel, you can implement hub-and-spoke communication between clients.
This blog post gives a good receipt for getting started:
http://silverlightforbusiness.net/2009/06/23/pushing-data-from-the-server-to-silverlight-3-using-a-duplex-wcf-service/
If they are both in the same frame/browser, you could call JavaScript in the first using the HtmlPage API, which could interact with the second.
So:
Silverlight control -> injects JS into HtmlPage -> JS interacts with Silverlight control 2 (assuming this is possible, please correct me if wrong) -> Silverlight control responds.
If they are in separate windows or running "out of browser", I would expect it wouldn't work.
If the 2 instances are seperated (i.e., the admin is on one machine and the user is on another) there's no direct way to do it. However, you can rig it up with a publisher/subscriber style system.
Assumption: You have some sort of shared data store between the two, maybe a database or something.
Idea: You have the admin client write a request to this shared data store; an entry in a table, or a new file in a network share, or something. You have the user client app regularly scan this table/share for new entries, say every .5 seconds or so. When it sees the entry, it executes the requested operation, storing any return values back to the shared store. When the admin sees the return value, he knows the operation has been successfully executed.
There are a couple of options that I can think of.
You could implement some sort of remote procedure call via web services whereby one Silverlight app posts a request to call the method, and the other Silverlight regularly checks for method call requests.
If hosted on the same HTML page in a browser, you could use javascript to allow the two controls to interact.
However, direct communication between two Silverlight instances isn't supported, and while the suggestions may help to achieve something close to what you want, they don't provide a complete solution that will work in all scenarios.