How to start a native process with restricted permissions in .net and IIS
Question
I have a web application that runs on .NET and IIS, and I need to start a native process. However, this process is not fully trusted, so I need to restrict its access to the system, specifically:
- block all network access
- access to only certain directories in the system (configurable at runtime)
Things I can't use:
- .NET AppDomains (doesn't apply to native executables)
- runas separate user (IIS does not have permissions to run as a different user, and I haven't found any way to grant IIS these permissions)
- UAC on the process (the directory access must be configurable at runtime, and UAC doesn't seem to allow that)
Does anyone know of a way I can achieve this?
1 answers
solution1
0 ACCPTED 2014-01-08 19:40:49
Depending on exactly what the process does, one option is to have IIS signal the process to run rather than run it directly.
For example, you could create a simple Windows Service that receives a signal from IIS (by writing to a queue, setting a flag in the database, or any of the IPC mechanisms available on Windows) and then manages the lifecycle of the native process (starts it eg using Runas, awaits completion, sends the results back to IIS).
If the native process can be converted to a Windows Service, the intermediate "proxy" Windows Service could be avoided.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.