Minimum OS Permissions required to create named pipe (WCF)

Problem description

I have an exe that runs under the context of the logged-in user. The exe uses WCF to make itself a named pipe server (it will be called by multiple clients).

Does the user need a specific permission for the exe to be able to create the named pipe? I've tried running as a user with fairly minimal permissions (i.e. just in the local Users group), and this works fine - but I'm concerned that when I deploy to the client's site, the users may be limited in some way that means the named pipe creation doesn't work.

Recommended answer

No special permissions are required for a locally logged on user to set up the service end of a WCF service using the netNamedPipe binding.

However, you do need to worry about whether the clients can find and connect to the service. There are two aspects to this:

  1. The clients must be running in a security context which is not established by a network logon (such as impersonation of a remote user in a web application). This is because WCF denies access to any logon which is a member of the NETWORK USERS group.
  2. If you are running on Vista or Windows 7, the service exe will need to be running with the privilege SeCreateGlobalPrivilege if you want the service to be accessible to clients running outside the logged on user's session. This is because the WCF service needs to publish the pipe name to a shared memory object to enable clients to find it: if the WCF service stack can create this shared memory object in the Global namespace (visible to all logon sessions), it will. But if it does not have the necessary privileges, it creates the shared memory object in the Local namespace (visible only within the same logon session). Deploying the WCF service as a Windows service is the only easy way to get it running with this privilege and thus visible to clients outside its session.

More details here if you are interested.
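
A diagnostic for the two conditions described in the answer above, as an added example that is not part of the original answer or of WCF itself. It reports whether the current token carries the NETWORK SID and whether the process can create a shared memory object under `Global\`, which is what decides whether a service hosted in this context is discoverable from other sessions. The class name `PipeVisibilityCheck` and the probe object name are made up for illustration.

```csharp
using System;
using System.Diagnostics;
using System.IO.MemoryMappedFiles;
using System.Security.Principal;

// Added diagnostic (hypothetical class and object names, not WCF code).
static class PipeVisibilityCheck
{
    // True if the current token carries the NETWORK SID (S-1-5-2),
    // i.e. the security context was established by a network logon.
    static bool IsNetworkLogon(WindowsIdentity id)
    {
        var network = new SecurityIdentifier(WellKnownSidType.NetworkSid, null);
        return new WindowsPrincipal(id).IsInRole(network);
    }

    // Tries to create a named shared memory section in the given namespace
    // ("Global" or "Local"). Outside session 0, creating one under Global\
    // fails with access denied unless the token holds SeCreateGlobalPrivilege.
    static bool CanCreateSection(string ns)
    {
        string name = ns + @"\PipeVisibilityProbe-" + Guid.NewGuid().ToString("N");
        try
        {
            using (MemoryMappedFile.CreateNew(name, 4096)) { return true; }
        }
        catch (UnauthorizedAccessException) { return false; }
    }

    static void Main()
    {
        using (var id = WindowsIdentity.GetCurrent())
        {
            Console.WriteLine("User:       {0}", id.Name);
            Console.WriteLine("Session ID: {0}", Process.GetCurrentProcess().SessionId);
            Console.WriteLine("NETWORK SID in token:      {0}", IsNetworkLogon(id));
        }
        bool global = CanCreateSection("Global");
        Console.WriteLine("Can create Global\\ section: {0}", global);
        Console.WriteLine("Can create Local\\ section:  {0}", CanCreateSection("Local"));
        Console.WriteLine(global
            ? "Shared memory published from this context is visible to all logon sessions."
            : "Shared memory published from this context is visible only in its own logon session.");
    }
}
```

Run it once as the interactive user and once under the account the service will use on the client machine; a `False` for the `Global\` line in the service context means clients in other sessions will not find the endpoint.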
