[Mono-aspnet-list] Impersonation for special pathes

mabra at manfbraun.de mabra at manfbraun.de
Fri Dec 3 15:17:39 EST 2010


Hi !

Many thanks, a good note!
Additionally, I am too new to Linux development to
get that running ;-)

On the other hand, I am about to create my
own daemon, which could easily run as root. I can
then communicate with it via remoting; the latter
is known to me. In this case, the web runs unprivileged
and rules are to be defined for which calls/who may call
the daemon.

br++mabra


-----Original Message-----
From: mono-aspnet-list-bounces at lists.ximian.com
[mailto:mono-aspnet-list-bounces at lists.ximian.com] On Behalf Of Robert
Jordan
Sent: Friday, December 03, 2010 4:12 PM
To: mono-aspnet-list at lists.ximian.com
Subject: Re: [Mono-aspnet-list] Impersonation for special pathes

On 03.12.2010 15:46, mabra at manfbraun.de wrote:
> Hi !
>
> Thanks; just not what I expected ... :-(
> I am too new to Linux programming to understand
> the big picture :-(
>
> Naturally, running apache/mod_mono as root
> is completely out of the question.
>
> So, I'll create a helper daemon and make
> IPC to it via remoting.

Note that I did not tell you the whole truth.

If you're planning to develop an *impersonation* daemon in managed
code, then you're basically entering a world of pain ;)

Unix' setuid functions are process-wide. This means that
you can't safely implement a threaded daemon (like one that
serves as a .NET remoting server).

You may want to try setfsuid which is allegedly thread-local,
but this is pretty much "unknown territory" for the Mono runtime.

Robert


>
> Thanks anyway,
>
> br++mabra
>
> -----Original Message-----
> From: mono-aspnet-list-bounces at lists.ximian.com
> [mailto:mono-aspnet-list-bounces at lists.ximian.com] On Behalf Of Robert
> Jordan
> Sent: Friday, December 03, 2010 12:49 PM
> To: mono-aspnet-list at lists.ximian.com
> Subject: Re: [Mono-aspnet-list] Impersonation for special pathes
>
> On 02.12.2010 21:02, mabra at manfbraun.de wrote:
>> Hi All !
>>
>> To allow some system-level functions, I need a privileged user.
>> With Windows, I use impersonation in ASP.NET, defined
>> in the 'web.conf', under special 'location' tags.
>>
>> Is it just the same way with mono/linux? [So far
>> I would not know of any method to impersonate
>> in code.]
>
> Mono does not support impersonation because it would be
> pretty limiting and insecure under Unix.
>
> Under Unix only root is permitted to impersonate. Since
> Apache workers and thus mod-mono-server (the ASP.NET host) are
> running under an unprivileged user account, impersonation
> is simply impossible. Running Apache workers as root is not
> recommended.
>
> Robert
>
> _______________________________________________
> Mono-aspnet-list mailing list
> Mono-aspnet-list at lists.ximian.com
> http://lists.ximian.com/mailman/listinfo/mono-aspnet-list
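
The rules for "which call/who may call the daemon" from the top message can be enforced with kernel-verified peer credentials when the web process reaches the root helper over a Unix domain socket. The following is an added example, not code from this thread or from Mono; it assumes Linux (`SO_PEERCRED`), a Unix socket in place of .NET remoting, and hypothetical operation names and policy.

```python
import os
import socket
import struct

UCRED = "iII"  # Linux struct ucred: pid_t pid, uid_t uid, gid_t gid

def build_rules(web_uid):
    """Constructed policy: operation name -> UIDs allowed to request it (names are hypothetical)."""
    return {
        "rotate-logs": {web_uid},   # the unprivileged web account may ask for this
        "add-system-user": set(),   # listed, but no caller is allowed
    }

def peer_credentials(conn):
    """Return (pid, uid, gid) of the peer; the kernel fills this in, the caller cannot forge it."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(UCRED))
    return struct.unpack(UCRED, raw)

def authorize(conn, operation, rules):
    """Default deny: allow only operations explicitly listed for the caller's UID."""
    _pid, uid, _gid = peer_credentials(conn)
    return uid in rules.get(operation, set())

def handle_request(conn, rules):
    """Read one operation name and answer OK or DENIED; any identity sent in-band is ignored."""
    operation = conn.recv(256).decode("ascii", "replace").strip()
    verdict = b"OK" if authorize(conn, operation, rules) else b"DENIED"
    conn.sendall(verdict)
    return verdict

def demo(operation):
    """Constructed round trip; a socketpair stands in for the daemon's listening socket."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        client.sendall(operation.encode("ascii"))
        handle_request(server, build_rules(os.getuid()))
        return client.recv(16)
    finally:
        client.close()
        server.close()

if __name__ == "__main__":
    for op in ("rotate-logs", "add-system-user", "unknown-op"):
        print(op, demo(op).decode())
```
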

