
Minimum OS Permissions required to create named pipe (WCF)

I have an exe that runs under the context of the logged-in user. The exe uses WCF to make itself a named pipe server (it will be called by multiple clients).

Does the user need a specific permission for the exe to be able to create the named pipe? I've tried running as a user with fairly minimal permissions (i.e. just in the local Users group), and this works fine - but I'm concerned that when I deploy to the client's site, the users may be limited in some way that means the named pipe creation doesn't work.

No special permissions are required for a locally logged on user to set up the service end of a WCF service using the netNamedPipe binding.

However, you do need to worry about whether the clients can find and connect to the service. There are two aspects to this:

  1. The clients must be running in a security context which is not established by a network logon (such as impersonation of a remote user in a web application). This is because WCF denies access to any logon which is a member of the NETWORK USERS group.
  2. If you are running on Vista or Windows 7, the service exe will need to be running with the privilege SeCreateGlobalPrivilege if you want the service to be accessible to clients running outside the logged on user's session. This is because the WCF service needs to publish the pipe name to a shared memory object to enable clients to find it: if the WCF service stack can create this shared memory object in the Global namespace (visible to all logon sessions), it will. But if it does not have the necessary privileges, it creates the shared memory object in the Local namespace (visible only within the same logon session). Deploying the WCF service as a Windows service is the only easy way to get it running with this privilege and thus visible to clients outside its session.

More details here if you are interested.
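A preflight check for the second point of the answer above, as an added example that is not part of the original answer and not WCF's own code: run it as the same account and in the same logon session as the host exe to see whether that process can create a shared memory object in the Global namespace or only in the Local one. The class name and the `WcfPipeProbe-` object name are made up for this sketch.

```csharp
using System;
using System.Diagnostics;
using System.IO.MemoryMappedFiles;

static class GlobalNamespaceProbe
{
    // Tries to create a small named shared memory object under the given
    // kernel namespace prefix ("Global\" or "Local\") and releases it at once.
    static bool CanCreate(string prefix)
    {
        // Hypothetical probe name; the GUID avoids colliding with a real object.
        string name = prefix + "WcfPipeProbe-" + Guid.NewGuid().ToString("N");
        try
        {
            using (MemoryMappedFile.CreateNew(name, 4096))
            {
                return true;
            }
        }
        catch (UnauthorizedAccessException)
        {
            // Access denied. Outside session 0, creating a file mapping under
            // Global\ requires SeCreateGlobalPrivilege in the process token.
            return false;
        }
    }

    static int Main()
    {
        int session = Process.GetCurrentProcess().SessionId;
        bool global = CanCreate(@"Global\");
        bool local = CanCreate(@"Local\");

        Console.WriteLine("Session id:            {0}", session);
        Console.WriteLine(@"Global\ shared memory: {0}", global ? "allowed" : "denied");
        Console.WriteLine(@"Local\  shared memory: {0}", local ? "allowed" : "denied");

        if (!global && local)
        {
            // Matches the fallback described in the answer: the pipe name is
            // published where only the same logon session can see it.
            Console.WriteLine("Expect clients in other sessions to be unable to find the service.");
        }
        return global ? 0 : 1; // non-zero exit code flags the restricted case
    }
}
```

The exit code makes the check usable from a deployment script; `whoami /priv` run in the same context lists whether SeCreateGlobalPrivilege is present in the token.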
