流程开始和模拟

Question

I have problem with starting processes in impersonated context in ASP.NET 2.0.

I am starting new Process in my web service code. IIS 5.1, .NET 2.0

[WebMethod]
public string HelloWorld()
{
    string path = @"C:\KB\GetWindowUser.exe";
    ProcessStartInfo startInfo = new ProcessStartInfo();
    startInfo.WorkingDirectory = Path.GetDirectoryName(path);
    startInfo.FileName = path;
    startInfo.UseShellExecute = false;
    startInfo.CreateNoWindow = true;
    startInfo.ErrorDialog = false;
    startInfo.RedirectStandardOutput = true;
    startInfo.RedirectStandardError = true;
    Process docCreateProcess = Process.Start(startInfo);

    string errors = docCreateProcess.StandardError.ReadToEnd();
    string output = docCreateProcess.StandardOutput.ReadToEnd();
}

The "C:\\KB\\GetWindowUser.exe" is console application containing following code:

static void Main(string[] args)
{
    Console.WriteLine("Windows: " + WindowsIdentity.GetCurrent().Name);
}

When I invoke web service without impersonation, everything works fine.

When I turn on impersonation, following error is written in "errors" variable in web service code:

Unhandled Exception: System.Security.SecurityException: Access is denied.\\r\\n\\r\\n at System.Security.Principal.WindowsIdentity.GetCurrentInternal(TokenAccessLevels desiredAccess, Boolean threadOnly)\\r\\n at System.Security.Principal.WindowsIdentity.GetCurrent()\\r\\n at ObfuscatedMdc.Program.Main(String[] args)\\r\\nThe Zone of the assembly that failed was:\\r\\nMyComputer

Impersonated user is local administrator and has access to C:\\KB\\GetWindowUser.exe executable.

When I specify window user explicitly in ProcesStartInfo properties Domain, User and Password, I got following message: http://img201.imageshack.us/img201/5870/pstartah8.jpg

Is it possible to start process with different credentials than ASPNET from asp.net (IIS 5.1) ?

Answer 1

You have to put privileged code into the GAC (or run in Full trust).

The code in the GAC must assert the XXXPermission, where XXX is what ever permission you are requesting, be it impersonation, access to the harddrive or what have you.

You should revert the assert immediately afterwords.

You should make sure that the API on your DLL that you put in the GAC has no opportunities for abuse. For example, if you were writing a website for letting users backup the server via a command line application, your API should old expose a method like "BackUp()" and not "LaunchAribitraryProcess(string path)"

The web.config file must have impersonation set up as well, or you will run into NTFS permission problems as well as CAS.

Here is the complete explanation .

Answer 2

You might also try wrapping your code inside

using (Impersonator person = new Impersonator("domainName", "userName",
"password")
{
    // do something requiring special permissions
}

as mentioned in http://www.devnewsgroups.net/group/microsoft.public.dotnet.framework.windowsforms/topic62740.aspx

Answer 3

What exactly are you trying to do? I can't quite see what the point of your code is in creating a different executable. It looks rather odd. Perhaps it would be more helpful to state the busines problem you are trying to solve first.

Answer 4

It looks like you're trying to have the IIS service impersonate a user with higher privileges than the service itself (in this case, an administrator). Windows blocks this as a security hole, since at that point you're basically begging someone to take over your system. There may be a way to work around this limitation, but don't do that--it's for your own good.

Instead, have IIS impersonate a user with limited permissions, who has exactly the rights that you need it to have. Eg create a user account that owns only the folders that you want your web service to write to, or whatever other combination of rights is appropriate. If impersonating a limited user, you won't see this error code, but should still be able to call the benign executable you have here.