Impersonation
A thread can temporarily act as another principal by installing an impersonation token. The primary token is preserved; only that one thread sees the new identity, only until it reverts. This page covers what impersonation is, why it exists, and how a server uses it to act on behalf of a client.
Every impersonation token carries one of four levels — Anonymous, Identification, Impersonation, or Delegation — bounding how far the impersonated identity may travel. The level is set by the client before connecting, not by the server. This page covers what each level permits and the most common gotcha each one produces.
When a server impersonates a client, the kernel decides what level the server actually ends up with by running two independent gates. The identity gate asks "is the server allowed to impersonate this user?". The integrity ceiling asks "may the impersonation token's integrity exceed the server's own?". This page covers both gates and the silent downgrade behaviour they produce.
When a client connects to a server over a Unix socket, the kernel captures the client's identity onto the socket so the server can later impersonate it. This page covers the capture mechanism, the difference between getting a peer token and installing it, the transports that do and do not support peer capture, and identity cascading across local IPC.