[Mono-aspnet-list] Impersonation for special pathes
robertj at gmx.net
Fri Dec 3 10:12:21 EST 2010
On 03.12.2010 15:46, mabra at manfbraun.de wrote:
> Hi !
> Thanks; just not what I've expected ... :-(
> I am too new to Linux programming to understand
> the big picture :-(
> Naturally, running apache/mod_mono as root
> is completely out of the question.
> So, I'll create a helper daemon and make
> IPC to it via remoting.
Note that I did not tell you the whole truth.
If you're planning to develop an *impersonation* daemon in managed
code, then you're basically entering a world of pain ;)
Unix' setuid functions are process-wide. This means that
you can't safely implement a threaded daemon (like one that
serves as a .NET remoting server).
You may want to try setfsuid which is allegedly thread-local,
but this is pretty much "unknown territory" for the Mono runtime.
> Thanks anyway,
> -----Original Message-----
> From: mono-aspnet-list-bounces at lists.ximian.com
> [mailto:mono-aspnet-list-bounces at lists.ximian.com] On Behalf Of Robert
> Sent: Friday, December 03, 2010 12:49 PM
> To: mono-aspnet-list at lists.ximian.com
> Subject: Re: [Mono-aspnet-list] Impersonation for special pathes
> On 02.12.2010 21:02, mabra at manfbraun.de wrote:
>> Hi All !
>> To allow some system-near functions, I need a privileged user.
>> With Windows, I use impersonation in ASP.NET, defined
>> in the 'web.conf', under special 'location' tags.
>> Is this just the same way with Mono/Linux [so far
>> I would currently not know any method to impersonate
>> in code].
> Mono does not support impersonation because it would be
> pretty limiting and insecure under Unix.
> Under Unix only root is permitted to impersonate. Since
> Apache workers and thus mod-mono-server (the ASP.NET host) are
> running under an unprivileged user account, impersonation
> is simply impossible. Running Apache workers as root is not
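Because setuid changes identity for the whole process, as the reply above says, a helper can do each privileged job in its own forked child instead of in a thread. The following is an added example in C, not code from this thread or from Mono; `run_as`, `drop_to` and `report_euid` are hypothetical names, and switching to a different user assumes the caller runs as root.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

typedef long (*job_fn)(void);

/* Sample job (constructed): report the identity the job actually ran under. */
static long report_euid(void) { return (long)geteuid(); }

/* Permanently switch the calling process to uid/gid. Returns 0 on success. */
static int drop_to(uid_t uid, gid_t gid) {
    if (geteuid() == uid && getegid() == gid) return 0;       /* already there */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1; /* clear root's groups */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;      /* gid first, then uid */
    if (uid != 0 && setuid(0) == 0) return -1;                /* must not be reversible */
    return (getuid() == uid && geteuid() == uid) ? 0 : -1;
}

/* Run job in a forked child as uid/gid; return its result, or -1 on failure. */
long run_as(uid_t uid, gid_t gid, job_fn job) {
    int fd[2];
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {              /* child: the only process that changes identity */
        close(fd[0]);
        if (drop_to(uid, gid) != 0) _exit(1);   /* fail closed: never run the job */
        long r = job();
        _exit(write(fd[1], &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
    }
    close(fd[1]);
    long result = -1;
    ssize_t n = read(fd[0], &result, sizeof result);
    close(fd[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (n != (ssize_t)sizeof result || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return result;
}

int main(void) {
    /* Without root this can only "switch" to the current user. */
    printf("job ran as uid %ld, parent still uid %ld\n",
           run_as(geteuid(), getegid(), report_euid), (long)geteuid());
    return 0;
}
```

The parent's own uid never changes, so it can keep serving requests while each child exits with the identity it was given.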