在运行 Mono 的 C# 应用程序中更改当前 Linux 用户? [英] Change current Linux user in a C# application running with Mono?

问题描述

我正在为 Linux 系统开发一个库(CLI 程序集).我想为图书馆的用户提供一种切换当前有效用户和组的方法.主要原因是提供访问控制(某些操作只允许特定用户)，其次是允许以特定用户身份修改文件系统.

I am developing a library (CLI assembly) for a Linux system. I want to provide a method for users of the library to switch the current effective user and group. The primary reason is to provide access control (certain actions only allowed by certain users), and secondarily to enable modification of file system as a certain user.

我已经确定了两种可能的方法:

I have identified two possible approaches:

1.以 root 身份启动 Mono 并 P/invoke libc 例程，如 seteuid 等

通过设置/usr/bin/mono 的 s 位然后从我的库中设置有效用户(即在 Mono 运行时启动后)实现这一点，会导致 Mono 在终止时崩溃:

Having implemented this by setting the s bit of /usr/bin/mono and then setting back effective user from my library (i.e. after the Mono run-time is started) causes a crash in Mono when it terminates:

ERROR:handles.c:1940:_wapi_handle_update_refs: assertion failed: (thr_ret == 0)

Native stacktrace:

mono2 [0x8bb6c]
  /lib/libc.so.6(__default_rt_sa_restorer_v2+0) [0x4020a5a0]
  /lib/libc.so.6(gsignal+0x40) [0x4020920c]

从逻辑上讲，我理解更改 Mono 的有效用户可能会出现问题，因为它正在管理大量资源，并且这样做可能会导致问题.

Logically I understand there may be issues with changing the effective user of Mono as it is managing a number of resources, and it may cause problems doing so.

<强>2.在本机守护进程中处理身份验证，而不更改 Mono 有效用户

我不确定是否有任何现成的解决方案，但从概念上讲，我正在考虑让一个守护进程以 root 身份运行，库将与之通信(例如通过 POSIX 消息队列)到执行身份验证.守护进程以 root 身份运行，以便能够读取/etc/shadow.Mono 的有效用户不会改变，但我的库将跟踪进程作为哪个等效用户"运行.不幸的是，这种方法不允许库以其他用户身份访问文件系统.

I'm not sure if there are any off-the-shelf solutions for this, but conceptually I'm thinking to have a daemon running as root, which the library will communicate with (for example through POSIX message queues) to perform the authentication. The daemon is running as root to be able to read /etc/shadow. The effective user of Mono will not be changed, but my library will keep track of which "equivalent user" the process is running as. Unfortunately this approach will not allow the library to access the file system as a different user.

问题

我是否坚持第二个选项，或者有什么方法可以真正改变 Mono 进程的有效用户?

Am I stuck with the second option, or is there some way to actually change effective user of a Mono process?

谢谢！

推荐答案

以下适用于我的盒子:)

The following works on my box :)

编辑 #1: 这应该以 root 身份执行.(摘自:http://msdn.microsoft.com/en-us/图书馆/w070t6ka.aspx)

EDIT #1: This should be executed as root. (Snippet taken from : http://msdn.microsoft.com/en-us/library/w070t6ka.aspx)

using System;
using System.Security.Permissions;
using System.Security.Principal;

public class ImpersonationDemo
{
// Test harness. 
// If you incorporate this code into a DLL, be sure to demand FullTrust.
[PermissionSetAttribute(SecurityAction.Demand, Name = "FullTrust")]
public static void Main (string[] args)
{
    try {
        // Check the identity.
        Console.WriteLine ("Before impersonation: " + WindowsIdentity.GetCurrent ().Name);

        // Impersonate a user
        using (WindowsIdentity newId = new WindowsIdentity("Your user name"))
        using (WindowsImpersonationContext impersonatedUser = newId.Impersonate())
        {
            // Check the identity.
            Console.WriteLine ("After impersonation: " + WindowsIdentity.GetCurrent ().Name);
        }

        // Releasing the context object stops the impersonation 
        // Check the identity.
        Console.WriteLine ("After closing the context: " + WindowsIdentity.GetCurrent ().Name);
    } catch (Exception ex) {
        Console.WriteLine ("Exception occurred. " + ex.Message);
    }
}
}

这篇关于在运行 Mono 的 C# 应用程序中更改当前 Linux 用户?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！