We Keep Coding

NT AUTHORITY\Local Service is not listed in the Access Control List of a directory

I'm having this issue where I'm trying to check if NT\Authority Local Service has read\execute permissions on a directory (folder). The product that I work on REQUIRES that the folder the user is installing to has read\execute permissions set for Local Service.
The problem is that when I get the Access Control List (ACL) recursively (groups-within-groups), Local Service is not listed so I can't check if he has permissions to that folder or not.
By default, Local Service does not have read/execute permissions to user profiles (My Documents, Desktop, etc...) but I won't know if Local Service has access to other directories the user chooses to install to.
NOTE: Local Service DOES have access to Program Files, even though it is NOT listed in the ACL. Is it hidden somewhere else?
This is a short snippet on how I'm pulling the ACL:
GroupPrincipal groupPrincipal =
GroupPrincipal.FindByIdentity(principalContext, identityReferenceValue);
// GetMembers(true) is recursive (groups-within-groups)
foreach (var member in groupPrincipal.GetMembers(true)) {
if (member.SamAccountName.Equals("LOCAL SERVICE")) {
foundLocalService = true;
break;
}
}
Is there any other way I should be doing this? (Other than adding an access rule for Local Service on that directory)
Is Local Service just not listed in Directories ACL's?
Any help would be greatly appreciated.

It's notoriously difficult to calculate "effective permissions" for an account. But the simple answer to your question is that you will likely want to look for either on of:
The local Users group, sometimes shown as BUILTIN\Users or COMPUTERNAME\Users, or
Authenticated Users, sometimes shown as NT AUTHORITY\Authenticated Users.
Authenticated Users is one of the well-know SIDs. It is "a group that includes all users whose identities were authenticated when they logged on.". As long as you can prove who you are, you are included in Authenticated Users. The SID for this is always S-1-5-11 on every Windows computer.
However, it's not really considered a real group. To find it when adding permissions to a folder, you have to have "Built-in security principals" selected under "Select this object type":
The local Users group contains Authenticated Users by default. On my computer, I actually see both Users and Authenticated Users in the default permissions on the file system.
That's what you will most likely see, and that's likely all that matters.
But that's not the only way. You could see Everyone (S-1-1-0), which includes every user, authenticated or not.
Or, it could be a file or folder that has the LOCAL SERVICE account as the owner.
Or, there could be a local group that was created manually and LOCAL SERVICE was added to.
One way to get a more authoritative list of what you can look for is to run this under the LOCAL SERVICE account:
whoami /groups
That will tell you every group in the authentication token, which is every group that you are considered a member of for authentication purposes.
But you can't just open a command prompt as LOCAL SERVICE. So one way to do this is to open the Task Scheduler and create a task that runs under LOCAL SERVICE, with the action of:
Program: cmd
Arguments: /c "whoami /groups > C:\temp\localservice.txt"
Then run the task and, when it's done, look at C:\temp\localservice.txt. It will have a table of group names and their SIDs that you can look for.

Retrieving the actual user account that started a process

I am trying to retrieve the user account under which a process has been started. So far i have not found any answers that retrieve the good information. All of them return the string of the username which is not the account. I have tried WMI and Diagnostic all with the same results which are half correct.
Let's say i start notepad twice.
First one i open it with the account : \MyDomain\Franck
Second on i open it with the account : \MyComputer\Franck
Then use either WMI or Diagnostics and both return username "Franck" and i have not way to know if it's running under the local user or the domain one.
One way could be to use Diagnostics
var procs = Process.GetProcessesByName("Notepad").ToList();
var notepad1 = procs[0].StartInfo.Environment["Username"];
var notepad2 = procs[1].StartInfo.Environment["Username"];
Both return Franck but one is the domain account and the other is the local.

tasklist /v gives the relevant info that you are interested in, i.e., the user name with the domain name.
The official documentation does not show any sample outputs.
tasklist
Displays a list of currently running processes on the local computer or on a remote computer.
/v Displays verbose task information in the output.
You can use it together with /fo csv option to get the result and parse it.
This answer from SuperUser has screen shots showing the output.
You can run this command as a separate process from your application similar to this, but passing the other parameters.

If you want the name of the domain that contains the user's account, then you're looking for UserDomain Environment Variable
If you want which domain controller authenticated the client's logon request, then you're looking for LogonServer Environment Variable
var procs = Process.GetProcessesByName("Notepad").
var userDomain = procs[0].StartInfo.Environment["UserDomain"];
var logonServer = procs[0].StartInfo.Environment["LogonServer"];
Values on my windows machine (local user):
userDomain: "LAPTOP-DDK137L8"
logonServer: "\\LAPTOP-DDK137L8"
So from this you should be able to determine if it's running under the local user or the domain one.

Connect to MySQL database w/ C# as non-root user?

Let me start by saying I'm completely new to databases, but have been reading through the MySQL tutorial they have.
Right now, I'm trying to make an app that allows unprivileged users (non-root) to connect and do some commands on a database through a C# GUI app. The users will login to the database using windows authentication.
Now, I was able to to make a quick GUI where the person running the program can connect to the database on a local host using "root" and get whatever content is in it.
My question is, how exactly do I allow users to connect w/ non-root privileges? The only things I've been able to find all deal w/ using the connection string w/ "root" as the user.
Edit: The database is already made. I won't personally be able to connect to it as a root user and give other users permissions.

You could use the grant syntax, as root to grant permissions to other users. E.g.:
GRANT ALL PRIVILEGES ON mydatabase.* TO pfinferno

Some important concepts too are the rows in the table shown here:
select user,host,password from mysql.user where user='pfinferno';
Important takeaways, users can have multiple hostnames or wildcard. Each have their own rights and passwords. Though the password from the above is hashed, at least you can quickly eyeball it so see if all the passwords match (such as root with 3 accounts).
The host column is populated by the following values, mostly:
Specimen A:
localhost
127.0.0.1
%
common names such md21.newyork.comcastbusiness.net and the like
The % value is the wildcard. It is for flexibility, but it can be highly dangerous when used with users like 'root'#'%'. Keeping root as the 1st two only in Specimen A is highly advised. Also, the first two are quite different in different tools. What I recommend is having a root user row for the first two, and keeping the passwords the same. There are pros and cons to this approach. But remember that when you can't connect that something else out there was relying on the connection, be it an agent, phpmyadmin, a tool, the my.conf settings, etc. You will be revisiting this a lot.
In the example given by Mureinik it grants privileges to the user with the wildcard host = %. This means it is banking on a user created as such. Note that it is typical to have user accounts setup that way. Though there is nothing restricting you to locking it down tighter.
When a user attempts to connect to the server, the user he is ultimately connected as can be resolved to a different user/host combo, as can be seen in the case where there is no localhost (host) user or common-name, but rather one with a host value of wildcard %. This can be seen with this query:
Specimen B:
select current_user(),user();
The latter is the user presented by the connection attempt, the former is the one that was resolved and actual. The implications can cause one to waste days in debugging, as can be seen in these forums. Some people can't connect for days, I am serious.
Specimen C:
create user 'pfinferno'#'localhost' identified by 'thePassword';
create user 'pfinferno'#'127.0.0.1' identified by 'thePassword';
create user 'pfinferno' identified by 'thePassword';
create user 'pfinferno'#'md21.newyork.comcastbusiness.net' identified by 'thePassword';
-- note #3 above is same as 'pfinferno'#'%'
Now granted, the host name may be wildcard for normal users, and host name may be localhost and 127.0.0.1 for root only. But in the attempt to lock down security, admins often create user accounts based on hostname coming in (such as Specimen C, line 4), and vary security with grants based on that. Managing it can be a bit overwhelming. So they often just say screw it, I will create the wildcard user. That may be fine for a new user, say Susie, but for Secimen C line 4, if that is who you are coming in, you can have grants on line 3 user that you won't pick up. So the resolving of what user your are actuallity (See Specimen B), goes from most specific hostname to fallback to more general, until it finds one such as wildcard.
Unfortunately, users don't connect with hostname specified per se, they just are what they are. They try to connect. So you don't say hey I want to be this thing #hostname, you just are what you are. You are 'pfinferno'#'md21.newyork.comcastbusiness.net', but may fallback to wildcard.
If users are dropped in Specimen C except for wildcard %, well you better have the grants that went with them that you expect, because you are now a new user.
Try to limit the use of wildcards on the grant statement to not do *.* as in the lazy approach, which would just grant rights to all databases and tables. In Mureinik's example, it was for all tables in one database. Not too shabby. Try to fine tune rights, such as granting SELECT privileges on tables or not at all, to users that don't need them. Be careful with WITH GRANT OPTION as seen on the net with cut and paste from it. If you use it, you just granted the user rights to grant other users rights.
SSH Tunnels
One reason you might not want to use Secimen A host = % wildcard (other than the obvious We are Risk Averse) is that
create user 'pfinferno'#'localhost' identified by 'thePassword';
is perfect for SSH Tunnels. You would be connecting through a cryptographically secure channel with PKI, and present yourself as if you are # localhost. This drastically reduces security exposure.
Why Can't I Connect?
Hopefully the below visual with little commentary can show why I named this section as I did.
drop user 'pfinferno'#'localhost';
drop user 'pfinferno'#'127.0.0.1';
drop user 'pfinferno'#'%';
drop user 'pfinferno'#'md21.newyork.comcastbusiness.net';
flush privileges; -- some say this is not necessary, I have found otherwise
create user 'pfinferno'#'localhost' identified by 'thePassword';
create user 'pfinferno'#'127.0.0.1' identified by 'thePassword';
create user 'pfinferno' identified by 'thePassword';
create user 'pfinferno'#'md21.newyork.comcastbusiness.net' identified by 'thePassword';
...
select user,host,password from mysql.user where user='pfinferno';
grant all on so_gibberish.* to 'pfinferno'#'%'; -- grant all rights on so_gibberish db
flush privileges; -- some say this is not necessary, I have found otherwise
Look at some grants.
show grants for 'pfinferno'#'localhost'; -- sandboxed. Can just log in and sit there
+-----------------------------------------------------------------------------------------+
| Grants for pfinferno#localhost |
+-----------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'pfinferno'#'localhost' IDENTIFIED BY PASSWORD '*74692AE70C53...' |
+-----------------------------------------------------------------------------------------+
show grants for 'pfinferno'#'127.0.0.1'; -- sandboxed. Can just log in and sit there
same as above
show grants for 'pfinferno'; -- wildcard % user, has all rights on so_gibberish;
+-----------------------------------------------------------------------------------------+
| Grants for pfinferno#% |
+-----------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'pfinferno'#'%' IDENTIFIED BY PASSWORD '*74692AE70C53...' |
| GRANT ALL PRIVILEGES ON `so_gibberish`.* TO 'pfinferno'#'%' |
+-----------------------------------------------------------------------------------------+
Note above that GRANT USAGE means at least you have the rights to log in and sit (sandboxed). But the wildcard %user also has all rights on so_gibberish db in its entirety.
Now I go to mysql prompt via mysql -u pfinferno -pthePassword
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
+--------------------+
mysql> select current_user(),user();
+---------------------+---------------------+
| current_user() | user() |
+---------------------+---------------------+
| pfinferno#localhost | pfinferno#localhost |
+---------------------+---------------------+
The attempted user (user()) was resolved to the same (current_user()). I was sandboxed, able to do basically nothing, except select now() til bored to death.
mysql> use so_gibberish;
ERROR 1044 (42000): Access denied for user 'pfinferno'#'localhost' to database 'so_gibberish'
quit mysql CLI as that user.
Now
drop user 'pfinferno'#'localhost';
drop user 'pfinferno'#'127.0.0.1';
drop user 'pfinferno'#'md21.newyork.comcastbusiness.net';
I just dropped three out of four of my pfinferno users
Go to mysql prompt via mysql -u pfinferno -pthePassword
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| so_gibberish |
+--------------------+
mysql> select current_user(),user();
+----------------+---------------------+
| current_user() | user() |
+----------------+---------------------+
| pfinferno#% | pfinferno#localhost |
+----------------+---------------------+
mysql> use so_gibberish;
Database changed
This shows that # the CLI (or any program) from any host, that the attempt to connect is first as presented by user and then as resolved to actual ( see the output from user() and current_user(), respectively).
So, perhaps oddly, as I dropped users, the EFFECTIVE RIGHTS increased as the user was resolved to a different one. This can be the subject of hours/days/weeks of debugging. Users can have no clue who they are really logged in as (resolved to), or why they can't, as each, by the way, can have a different password ! This is especially true with user root with several rows in mysql.user ... and considering that probably 50% of all mysql users connect with it, initially, as developers. Just a guestimate.

Well, first of all, you have to realize that this "root" (from MySQL) is different from the "root" user (from your computer).
When you log on MySQL database (as root firstly), you can create another user with least privileges. (Creating user: https://dev.mysql.com/doc/refman/5.1/en/create-user.html)
After that, you can give (grant) some privileges to this specific user. (Granting privileges: https://dev.mysql.com/doc/refman/5.1/en/grant.html)
You can, for instance, allow that some user will only select data from the tables. Another user can insert/update. And so on.
So, in your application, you can specify another user instead of root, as you can normally see.

Can Domain name and host computer name be same

Recently I was trying to find answer to question "How to determine if current logged in user is part of domain or not"
On Stackoverflow I found pretty decent answers for the above which involved usage of
using System.Security.Principal;
using System.DirectoryServices.AccountManagement;
But I also see a simple solution saying
System.Environment.UserDomainName; - gives name of the current user's domain name.
System.Environment.MachineName; - gives name of the machine.
If above two are not the same means the user is part of domain returned by UserDomainName
Fair enough, also confirmed by this link from MSDN
Now the question is what if the "Domain name" and "Machine name" are identical?
or
Is it possible that a machine with the exact same name as domain name can join the domain?
If this is true, is there any possibilities to counter check this by adding something to this simple solution

I bet you the current logged on user does not have a distingished name if he or she isn't logged on to a domain. Use GetUserNameEx with the EXTENDED_NAME_FORMAT type NameFullyQualifiedDN (1).
If you get a value back then you know the current user is logged on to a domain. Though, Calling this function might block your program unexpectedly for a period of time. You probably want to call this function in a asynchronous fashion as it might atempt to connect to some Active Directory service and just eventually fail or timeout.
An yet more resilient way to accomplish this would be to look up the account SID and check whether the EqualPrefixSid can compare it with the machine. If this is the case, then you know the current account is local to the machine (i.e. not in a domain). This does not involve crossing the network and waiting for a timeout, so it's a more direct approach. Interestingly, it also implies that if the machine name is the same as the user domain, Windows would have to assume that the domain you want to logon on to is the local machine and it should therefore be almost impossible to logon to the actual domain if the machine name really is the same as the domain.

User Login technique C# Win App

HI,
I am doing ERP solution in C#(2.0) windows application and SQL2005 Database.The network application communicate through Database.I used normal technique for user login and logout, keeping a status bit.My problem is that when my application interrupted with any other reason user status might not change.That will cause the user can't login at next time.How can I solve this problem? Could you give any new technique for user manipulation?

How about keeping track of user logins by maintaining a session for each login? The quick-and-dirty solution is to then offer an option to have them login from a "new location" and invalidate the old session. Then when you go to perform an operation, first check if the session is still valid.
The better implementation is to keep the session alive and specify a timeout. (i.e. if the session is x-minutes old, invalidate it.) Then you won't see "phantom logins" from old orphaned connections - they automatically expire.

If your intention is to disallow sharing of one username on different computers, after logging with valid password, log the unique token on that computer to staff.last_logged_at = #unique_token. On logout, set staff.last_logged_at = ''. This way even if the computer was interrupted(program crash due to virus, or accidentally pressed the reset button of the computer, etc, hence last_logged_at was not reset to '') the user can still logged in, just check if the token of the computer the user is currently logging in is same with last_logged_at. If it is the same, he/she can still logged on.
If some user tried to login using the username of other user, just check if the machine token of some user's computer is the same with the other user's last_logged_at, if it is not equal, disallow logging in, it means two users share the same password.
Now the scenario if the computer crashes really hard (processor melts, hard disk crash, OS needs reinstalling, etc). User must be allowed to use other computers. Make an administrative module that can reset the last_logged_at of the user.
For #unique_token, just use anything that is unique and permanent on a computer, let's say MAC address, or hash anything on OS settings.
pseudo code:
Logging In:
if (select count(*) from staff where staff_name = #staff_name and password = 'correct' and (last_logged_at = '' or last_logged_at = #unique_token) ) <> 0 then then
-- allow login
update staff set last_logged_at = #unique_token where staff_name = #staff_name
else if (select count(*) from staff where staff_name = #staff_name and password = 'correct' and last_logged_at <> #unique_token) <> 0 then then
-- disallow login
throw exception "You cannot use the same user name on two or more computers. Contact the administrator if you have any concerns"
else
-- disallow login
throw exception "Wrong password"
end if
Logging Out:
update staff set last_logged_at = '' where staff_name = #staff_name

There are two common answers here:
if you try to log in, and are already logged in, offer to break (reset) the existing login
use a polling/timeout - i.e. have the app call a method every 2 minutes (for example) that updates a "last heard from"; if you haven't heard from somebody in 5 minutes (for example), then clear the flag

Why limit the number of times a user can login? In Windows it is common to start multiple instances of an application.
I must admit, I my Windows App there is also a part only one user is allowed. To see if other users are connected I use something like the polling algorithm from Marc. With an option to force the entry.
An update of the lock record once every minute, or two minutes is not that resource intensive (unless you have thousands of users).