以编程方式授予本地用户权限以使用 .Net 启动服务 [英] Programmatically grant local user rights to start a service with .Net

问题描述

我想在我的应用程序中实现一个更新服务(这样用户在安装服务后不需要管理员权限来更新我的应用程序，就像谷歌或 Mozilla 做他们的更新一样)，我想我找到了一个好方法用 WCF 做到这一点.

I want to implement an update service in my application (so users don't need admin rights to update my app once the service is installed, much like Google or Mozilla do their updates), and I think I found a good way to do this with WCF.

我有一个 WCFServiceLibrary 项目，其中包含 ServiceContract 和核心功能(下载/安装更新)和一个 Windows 服务项目，它将 WCFServiceLibrary 实现为 Windows服务.此外，还有一个 Visual Studio 安装程序 - 安装服务和我的应用程序的项目，它应该能够使用 NamedPipes 启动/停止/与服务通信.

I have a WCFServiceLibrary-Project which contains the ServiceContract and the core functionality (download/install updates) and a Windows Service-Project which implements the WCFServiceLibrary as a Windows Service. Additionally, there is a Visual Studio Installer-Project which installs the service and my application, which should be able to start/stop/communicate with the service using NamedPipes.

服务配置为使用 LocalSystem-Account 手动启动.现在，当安装服务时，我可以使用 services.msc(可能已提升)启动/停止它，但当我使用 net start Servicename(错误 5:拒绝访问)或我的应用程序尝试它时，它告诉我本地用户可能没有启动/停止服务的权限.

The service is configured to start manually with the LocalSystem-Account. Now when the service is installed, I can start/stop it using services.msc (probably elevated), but not when I try it with net start Servicename (Error 5: Access denied) or with my application, which tells me that the local users probably don't have the permission to start/stop the service.

我需要以更高的权限运行该服务才能执行更新安装，因此我想授予本地用户在第一次安装服务期间或启动我的服务的权限服务第一次启动时(因为我也可以在安装过程中触发).

I need the service to run with higher permissions in order to perform the installation of updates, so I would like to give local users permission to start my service either during the first installation of the service or when the service starts for the first time (since I can trigger that also during installation).

但是，我将如何使用 VB.NET(或 C#)完成此操作?我发现了一些使用 advapi32.dll 的 API-Calls 的示例，但看起来权限不能通过此更改.

However, how would I accomplish this with VB.NET (or C#)? I found some examples using API-Calls of advapi32.dll, but it didn't looks like the permission can be changed with this.

所以，长话短说，以下是我正在寻找的内容的摘要:

So, long story short, heres a summary of what I'm looking for:

• 授予组本地用户"权限以启动我的服务，最好的方法是在安装期间(也许在 Visual Studio 安装程序项目中使用自定义操作?或在 Windows 服务项目中的 ServiceInstaller-Class?)或第一次服务启动(Windows 服务项目中的 OnStart-Event)
• 该服务不得以本地用户权限运行，因为它会错过安装更新​​所必需的提升权限.
• 我无法通过 GPO/本地策略分配权限，因为用户不在我们公司内，而是在世界各地.出于同样的原因，我不能假设他们可以让管理员在每次更新时提升他们.
• 如果可能，我想避免命令行调用(如通过命令行分配权限，因为这些很可能依赖于操作系统)
• 另一种解决方案是将服务配置为自动并在安装后启动它，但我不喜欢我的服务一直运行的想法，因为它只在我的主应用程序启动时才需要.
• 这很可能不是文件权限问题.每个人、系统和服务人员都可以完全访问 services 文件夹和其中的文件.

这里已经有不同的类似问题了，但没有一个对这个问题给出明确的答案.一位用户可能使用 WiX-Installer 完成此操作，但我想保留 Visual Studio 安装程序项目，因为它非常直接且易于使用.

There are already different similar questions here, but none did give a clear answer to this problem. One user probably did it using the WiX-Installer, but I would like to keep the Visual Studio Installer Project since it's pretty straight forward and easy to use.

推荐答案

经过更多的谷歌搜索并试图找到一个干净"的解决方案后，我已经放弃并现在使用 Process.Start 执行 sc.exe 并在安装后设置新的权限.

After a bit more of googling and trying to find a "clean" solution, I've given up and using now Process.Start to execute sc.exe and set new Permissions after Installation.

这是我的 ServiceInstaller-Class，对于任何好奇的人:

Here's my ServiceInstaller-Class, for anyone curious:

[VB.NET]

Imports System.ComponentModel
Imports System.Configuration.Install
Imports System.ServiceProcess

<RunInstaller(True)>
Public Class SvcInstaller
    Inherits Installer

    Dim svcprocinst As ServiceProcessInstaller
    Dim svcinst As ServiceInstaller

    Public Sub New()
        svcprocinst = New ServiceProcessInstaller
        svcprocinst.Account = ServiceAccount.LocalSystem
        svcinst = New ServiceInstaller
        svcinst.ServiceName = "KrahMickeySvc"
        svcinst.DisplayName = "Mickey-Service"
        svcinst.Description = "This Service is used by KRAH Mickey for application updates and maintenance"
        Installers.Add(svcprocinst)
        Installers.Add(svcinst)

    End Sub

    Private Sub SvcInstaller_AfterInstall(sender As Object, e As InstallEventArgs) Handles Me.AfterInstall

        'Set new permissions acc. to Security Descriptor Definition Language (SDDL)
        'Source: https://blogs.msmvps.com/erikr/2007/09/26/set-permissions-on-a-specific-service-windows/
        'Keeping the source DACL and just adding RP,WP and DT (Start/Stop/PauseContinue) to IU (Interactive User)

        Dim DACLString As String = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRCRPWPDT;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
        process.Start("sc.exe", $"sdset {svcinst.ServiceName} ""{DACLString}""")


    End Sub

End Class

这篇关于以编程方式授予本地用户权限以使用 .Net 启动服务的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！