[Mono-aspnet-list] Impersonation for special pathes
mabra at manfbraun.de
Fri Dec 3 15:17:39 EST 2010
Much thanks, a good note!
Additionally, I am too new to Linux development to
make that running ;-)
On the other side, I am at the border to create my
own daemon, which could easily run as root. I can
then communicate with it via remoting; the latter
is known to me. In this case, the web runs unprivileged
and rules are to define, which call/who may call
the daemon.
From: mono-aspnet-list-bounces at lists.ximian.com
[mailto:mono-aspnet-list-bounces at lists.ximian.com] On Behalf Of Robert
Sent: Friday, December 03, 2010 4:12 PM
To: mono-aspnet-list at lists.ximian.com
Subject: Re: [Mono-aspnet-list] Impersonation for special pathes
On 03.12.2010 15:46, mabra at manfbraun.de wrote:
> Hi !
> Thanks; just not what I've expected ... :-(
> I am too new to Linux programming to understand
> the big picture :-(
> Naturally, running apache/mod_mono as root
> is completely out of the question.
> So, I'll create a helper daemon and make
> IPC to it via remoting.
Note that I did not tell you the whole truth.
If you're planning to develop an *impersonation* daemon in managed
code, then you're basically entering a world of pain ;)
Unix' setuid functions are process-wide. This means that
you can't safely implement a threaded daemon (like one that
serves as a .NET remoting server).
You may want to try setfsuid which is allegedly thread-local,
but this is pretty much "unknown territory" for the Mono runtime.
> Thanks anyway,
> -----Original Message-----
> From: mono-aspnet-list-bounces at lists.ximian.com
> [mailto:mono-aspnet-list-bounces at lists.ximian.com] On Behalf Of Robert
> Sent: Friday, December 03, 2010 12:49 PM
> To: mono-aspnet-list at lists.ximian.com
> Subject: Re: [Mono-aspnet-list] Impersonation for special pathes
> On 02.12.2010 21:02, mabra at manfbraun.de wrote:
>> Hi All !
>> To allow some system near function, I need a privileged user.
>> With Windows, I use impersonation in asp.net, defined
>> in the 'web.conf', under special 'location' tags.
>> Is this just the same way with mono/linux [so far
>> I would currently not know any method to impersonate
>> in code].
> Mono does not support impersonation because it would be
> pretty limiting and insecure under Unix.
> Under Unix only root is permitted to impersonate. Since
> Apache workers and thus mod-mono-server (the ASP.NET host) are
> running under an unprivileged user account, impersonation
> is simply impossible. Running Apache workers as root is not
> Mono-aspnet-list mailing list
> Mono-aspnet-list at lists.ximian.com
Mono-aspnet-list mailing list
Mono-aspnet-list at lists.ximian.com