Process start and Impersonation

轻奢々 2021-02-09 09:09

I have a problem with starting processes in an impersonated context in ASP.NET 2.0.

I am starting a new Process in my web service code. IIS 5.1, .NET 2.0

[WebMe         


        
4 Answers
  • 2021-02-09 09:22

    It looks like you're trying to have the IIS service impersonate a user with higher privileges than the service itself (in this case, an administrator). Windows blocks this as a security hole, since at that point you're basically begging someone to take over your system. There may be a way to work around this limitation, but don't do that--it's for your own good.

    Instead, have IIS impersonate a user with limited permissions, who has exactly the rights that you need it to have. E.g. create a user account that owns only the folders that you want your web service to write to, or whatever other combination of rights is appropriate. If impersonating a limited user, you won't see this error code, but should still be able to call the benign executable you have here.

    0 Discussion (0)
  • 2021-02-09 09:33

    What exactly are you trying to do? I can't quite see what the point of your code is in creating a different executable. It looks rather odd. Perhaps it would be more helpful to state the business problem you are trying to solve first.

    0 Discussion (0)
  • 2021-02-09 09:33

    You might also try wrapping your code inside

    // Impersonator is a custom helper class (see the link below), not a .NET Framework type.
    using (Impersonator person = new Impersonator("domainName", "userName",
    "password"))
    {
        // do something requiring special permissions
    }
    

    as mentioned in http://www.devnewsgroups.net/group/microsoft.public.dotnet.framework.windowsforms/topic62740.aspx

    0 Discussion (0)
  • 2021-02-09 09:37

    You have to put privileged code into the GAC (or run in Full trust).

    The code in the GAC must assert the XXXPermission, where XXX is whatever permission you are requesting, be it impersonation, access to the hard drive or what have you.

    You should revert the assert immediately afterwards.

    You should make sure that the API on your DLL that you put in the GAC has no opportunities for abuse. For example, if you were writing a website for letting users back up the server via a command line application, your API should only expose a method like "BackUp()" and not "LaunchArbitraryProcess(string path)"

    The web.config file must have impersonation set up as well, or you will run into NTFS permission problems as well as CAS.

    Here is the complete explanation.

    0 Discussion (0)
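
The pattern described in the last answer, as an added example (not code from the original thread): a strong-named, GAC-installed assembly on .NET Framework 2.0 that exposes only a parameterless `BackUp()`, asserts around one fixed `Process.Start` call, and reverts the assert immediately afterwards. The namespace, class name and executable path are hypothetical.

```csharp
using System.Diagnostics;
using System.Security;
using System.Security.Permissions;

// Required so partially trusted ASP.NET code may call into this
// strong-named assembly once it is installed in the GAC.
[assembly: AllowPartiallyTrustedCallers]

namespace Example.Privileged   // hypothetical namespace
{
    public static class BackupLauncher   // hypothetical class
    {
        // Fixed path compiled into the assembly (placeholder value).
        // Callers cannot choose which program runs or with what arguments.
        private const string BackupExe = @"C:\Tools\backup.exe";

        // The only public entry point: no path, no arguments.
        public static int BackUp()
        {
            // Assert stops the CAS stack walk at this frame, so the
            // partially trusted web code above it is not checked.
            PermissionSet fullTrust = new PermissionSet(PermissionState.Unrestricted);
            fullTrust.Assert();
            try
            {
                ProcessStartInfo psi = new ProcessStartInfo(BackupExe);
                psi.UseShellExecute = false;   // start the exe directly, no shell lookup
                psi.CreateNoWindow = true;
                using (Process p = Process.Start(psi))
                {
                    p.WaitForExit();
                    return p.ExitCode;
                }
            }
            finally
            {
                // Drop the assert as soon as the privileged call is done.
                CodeAccessPermission.RevertAssert();
            }
        }
    }
}
```

Without `ProcessStartInfo.UserName` and `Password` set, `Process.Start` creates the child under the worker process's own token rather than the thread's impersonated identity, so the NTFS rights that matter for the launched program are those of the IIS process account.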