以编程方式授予本地用户权限以使用.Net启动服务
[英]Programmatically grant local user rights to start a service with .Net
问题描述
I want to implement an update service in my application (so users don't need admin rights to update my app once the service is installed, much like Google or Mozilla do their updates), and I think I found a good way to do this with WCF. 
我想在我的应用程序中实现更新服务(因此,用户在安装该服务后就不需要管理员权限来更新我的应用程序,就像Google或Mozilla进行更新一样),我认为我找到了一种执行此操作的好方法与WCF。
I have a WCFServiceLibrary -Project which contains the ServiceContract and the core functionality (download/install updates) and a Windows Service-Project which implements the WCFServiceLibrary as a Windows Service. 我有一个WCFServiceLibrary -Project,其中包含ServiceContract和核心功能(下载/安装更新),还有一个Windows Service-Project ,该项目将WCFServiceLibrary实现为Windows Service。 Additionally, there is a Visual Studio Installer -Project which installs the service and my application, which should be able to start/stop/communicate with the service using NamedPipes. 此外,还有一个Visual Studio Installer -Project,用于安装服务和我的应用程序,该应用程序应该能够使用NamedPipes启动/停止/与服务通信。
The service is configured to start manually with the LocalSystem-Account. 该服务配置为使用LocalSystem-Account手动启动。 Now when the service is installed, I can start/stop it using services.msc (probably elevated), but not when I try it with net start Servicename (Error 5: Access denied) or with my application, which tells me that the local users probably don't have the permission to start/stop the service. 现在,当安装了服务时,我可以使用services.msc(可能已提升)启动/停止它,但是当我使用net start Servicename(错误5:访问被拒绝)或我的应用程序尝试它时,则不能启动/停止它,这告诉我本地用户可能没有启动/停止服务的权限。
I need the service to run with higher permissions in order to perform the installation of updates, so I would like to give local users permission to start my service either during the first installation of the service or when the service starts for the first time (since I can trigger that also during installation). 我需要该服务以更高的权限运行才能执行更新的安装,因此我想授予本地用户在服务的首次安装期间或服务首次启动时启动我的服务的权限(因为我也可以在安装过程中触发它。
However, how would I accomplish this with VB.NET (or C#)? 但是,如何用VB.NET(或C#)完成此操作? I found some examples using API-Calls of advapi32.dll, but it didn't looks like the permission can be changed with this. 我发现了一些使用advapi32.dll的API调用的示例,但似乎无法使用此权限来更改权限。
So, long story short, heres a summary of what I'm looking for: 因此,长话短说,以下是我所寻找的摘要:
- Grant Group "Local Users" permission to Start my Service, best approach either during installation (Maybe with Custom Actions in Visual Studio Installer Project? Or in the ServiceInstaller-Class in the Windows Service-Project?) or the first time the service starts (OnStart-Event in Windows Service Project) 授予组“本地用户”权限以启动我的服务,这是安装过程中的最佳方法(可能是在Visual Studio Installer项目中使用“自定义操作”?还是在Windows Service-Project中的ServiceInstaller-Class中?)或首次启动服务( Windows Service Project中的OnStart-Event)
- The service must not run with local user rights, since it would miss elevated privileges then which would be necessary to install updates. 该服务不能以本地用户权限运行,因为它会错过提升的特权,这将是安装更新所必需的。
- I can't assign permissions through GPO/Local Policy since the users are not within our company, but all around the world. 我无法通过GPO /本地策略分配权限,因为用户不在我们公司内部,而是在世界范围内。 For the same reason I cannot assume that they can get an admin to elevate them everytime an update comes out. 出于同样的原因,我不能认为每次更新发布时他们都可以让管理员提升他们。
- I would like to avoid commandline calls if possible (as in assign permissions through command line, since those are most likely os-dependent) 我想尽可能避免使用命令行调用(如通过命令行分配权限,因为它们最有可能依赖于操作系统)
- Another solution would be to configure the Service as Automatic and Start it after install, but I don't like the idea that my service runs all the time since its only needed when my main application starts up. 另一个解决方案是将“服务”配置为“自动”并在安装后启动它,但是我不喜欢我的服务一直运行的想法,因为只有当我的主应用程序启动时才需要它。
- Its most likely not a file permission issue. 它最有可能不是文件许可问题。 EVERYONE, SYSTEM and SERVICE got FULL ACCESS to the services folder and files in it. 每个人,系统和服务都可以完全访问services文件夹和其中的文件。
There are already different similar questions here, but none did give a clear answer to this problem. 这里已经存在不同的类似问题,但是没有一个问题能给出明确的答案。 One user probably did it using the WiX-Installer, but I would like to keep the Visual Studio Installer Project since it's pretty straight forward and easy to use. 一个用户可能是使用WiX-Installer来完成的,但是我想保留Visual Studio Installer项目,因为它非常简单易用。
1 个解决方案
解决方案1
0 2018-02-13 09:10:40
After a bit more of googling and trying to find a "clean" solution, I've given up and using now Process.Start to execute sc.exe and set new Permissions after Installation. 经过更多的谷歌搜索并尝试找到一种“干净”的解决方案之后,我放弃了,现在使用Process.Start执行sc.exe并在安装后设置新的权限。
Here's my ServiceInstaller-Class, for anyone curious: 这是我的ServiceInstaller-Class,适合所有好奇的人:
[VB.NET] [VB.NET]
Imports System.ComponentModel
Imports System.Configuration.Install
Imports System.ServiceProcess
<RunInstaller(True)>
Public Class SvcInstaller
Inherits Installer
Dim svcprocinst As ServiceProcessInstaller
Dim svcinst As ServiceInstaller
Public Sub New()
svcprocinst = New ServiceProcessInstaller
svcprocinst.Account = ServiceAccount.LocalSystem
svcinst = New ServiceInstaller
svcinst.ServiceName = "KrahMickeySvc"
svcinst.DisplayName = "Mickey-Service"
svcinst.Description = "This Service is used by KRAH Mickey for application updates and maintenance"
Installers.Add(svcprocinst)
Installers.Add(svcinst)
End Sub
Private Sub SvcInstaller_AfterInstall(sender As Object, e As InstallEventArgs) Handles Me.AfterInstall
'Set new permissions acc. to Security Descriptor Definition Language (SDDL)
'Source: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/
'Keeping the source DACL and just adding RP,WP and DT (Start/Stop/PauseContinue) to IU (Interactive User)
Dim DACLString As String = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRCRPWPDT;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
process.Start("sc.exe", $"sdset {svcinst.ServiceName} ""{DACLString}""")
End Sub
End Class
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.