[Mono-list] Impersonating users with mod_mono

Robert Jordan robertj at gmx.net
Sat Apr 19 08:07:36 EDT 2008

Johann MacDonagh wrote:
> So far, I think that a combination of using <identity  
> impersonation="true"> in my web.config, along with mod_authnz_external  
> and pwauth *might* do the trick, but I have no idea. This can be done  
> easily in IIS, but does anyone have an idea if this will work with  
> OpenSUSE?

It will not work.

Mod_authnz_external & pwauth do not impersonate the apache worker
process. Even if mod_authnz_external would do it (a security nightmare
IMHO), mod-mono-server, the managed companion of mod_mono, would still 
run as the apache user because it's running in a separate process.

This means that you must run mod-mono-server as root if you want to
be able to setuid (impersonate in MS speech), but this is not
recommended for several reasons:

- the runtime did not receive a security audit regarding setuid.
- some parts of the runtime don't cope well with setuid (the IO-layer).
- the thread pool (heavily used by ASP.NET and its servers) is
   definitely not setuid safe because it potentially preforks threads
   under indefinite uids.


More information about the Mono-list mailing list