在使用Mono运行的C＃应用​​程序改变目前的Linux用户？ [英] Change current Linux user in a C# application running with Mono?

问题描述

我开发一个Linux系统的库（CLI组装）。我想为库的用户切换当前有效用户和组的方法。主要的原因是，以提供接入控制（某些动作仅由特定的用户允许的），其次，以使文件系统的修改为特定的用户。

I am developing a library (CLI assembly) for a Linux system. I want to provide a method for users of the library to switch the current effective user and group. The primary reason is to provide access control (certain actions only allowed by certain users), and secondarily to enable modification of file system as a certain user.

我已确定了两个可能的方法：

I have identified two possible approaches:

1。启动单以root身份和P / Invoke的libc的例程像个seteuid等

已经通过设置在/ usr /斌/单声道的S位，然后执行此从我的图书馆设置回有效用户（单声道运行时启动后IE）会导致单崩溃终止时：

Having implemented this by setting the s bit of /usr/bin/mono and then setting back effective user from my library (i.e. after the Mono run-time is started) causes a crash in Mono when it terminates:

ERROR:handles.c:1940:_wapi_handle_update_refs: assertion failed: (thr_ret == 0)

Native stacktrace:

mono2 [0x8bb6c]
  /lib/libc.so.6(__default_rt_sa_restorer_v2+0) [0x4020a5a0]
  /lib/libc.so.6(gsignal+0x40) [0x4020920c]

按道理我的理解可能有改变单的有效用户，因为它是管理多个资源的问题，它可能会导致这样的问题等等。

Logically I understand there may be issues with changing the effective user of Mono as it is managing a number of resources, and it may cause problems doing so.

2。在本地处理守护程序认证和不改变单声道的有效用户

我不知道是否有这方面的任何现成的，现成解决方案，但概念我想有一个守护进程以root权限运行，该库将与沟通（例如，通过POSIX消息队列）进行身份验证。守护进程以root权限运行，能够读取/ etc / shadow中。单声道的有效用户将不会改变，但我的图书馆将跟踪其同等用户的进程正在运行的。不幸的是这种做法不会让库访问文件系统作为一个不同的用户。

I'm not sure if there are any off-the-shelf solutions for this, but conceptually I'm thinking to have a daemon running as root, which the library will communicate with (for example through POSIX message queues) to perform the authentication. The daemon is running as root to be able to read /etc/shadow. The effective user of Mono will not be changed, but my library will keep track of which "equivalent user" the process is running as. Unfortunately this approach will not allow the library to access the file system as a different user.

问

我是坚持了第二个选项，或者是有一些方法来真正改变一个单进程的有效用户？

Am I stuck with the second option, or is there some way to actually change effective user of a Mono process?

感谢您！

推荐答案

在我的盒子下面的工作：）

The following works on my box :)

编辑＃1：这应该是作为root执行。 http://msdn.microsoft.com/en-us/library/w070t6ka.aspx：（摘自片段）

EDIT #1: This should be executed as root. (Snippet taken from : http://msdn.microsoft.com/en-us/library/w070t6ka.aspx)

using System;
using System.Security.Permissions;
using System.Security.Principal;

public class ImpersonationDemo
{
// Test harness. 
// If you incorporate this code into a DLL, be sure to demand FullTrust.
[PermissionSetAttribute(SecurityAction.Demand, Name = "FullTrust")]
public static void Main (string[] args)
{
    try {
        // Check the identity.
        Console.WriteLine ("Before impersonation: " + WindowsIdentity.GetCurrent ().Name);

        // Impersonate a user
        using (WindowsIdentity newId = new WindowsIdentity("Your user name"))
        using (WindowsImpersonationContext impersonatedUser = newId.Impersonate())
        {
            // Check the identity.
            Console.WriteLine ("After impersonation: " + WindowsIdentity.GetCurrent ().Name);
        }

        // Releasing the context object stops the impersonation 
        // Check the identity.
        Console.WriteLine ("After closing the context: " + WindowsIdentity.GetCurrent ().Name);
    } catch (Exception ex) {
        Console.WriteLine ("Exception occurred. " + ex.Message);
    }
}
}

这篇关于在使用Mono运行的C＃应用​​程序改变目前的Linux用户？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！