[Mono-list] Impersonating users with mod_mono
Robert Jordan
robertj at gmx.net
Sat Apr 19 08:07:36 EDT 2008
Johann MacDonagh wrote:
> So far, I think that a combination of using <identity
> impersonation="true"> in my web.config, along with mod_authnz_external
> and pwauth *might* do the trick, but I have no idea. This can be done
> easily in IIS, but does anyone have an idea if this will work with
> OpenSUSE?
It will not work.
Mod_authnz_external & pwauth do not impersonate the apache worker
process. Even if mod_authnz_external would do it (a security nightmare
IMHO), mod-mono-server, the managed companion of mod_mono, would still
run as the apache user because it's running in a separate process.
This means that you must run mod-mono-server as root if you want to
be able to setuid (impersonate in MS speech), but this is not
recommended for several reasons:
- the runtime did not receive a security audit regarding setuid.
- some parts of the runtime don't cope well with setuid (the IO-layer).
- the thread pool (heavily used by ASP.NET and its servers) is
definitely not setuid safe because it potentially preforks threads
under indefinite uids.
Robert
More information about the Mono-list
mailing list