Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Alternative Permissions for StartInfo

I have a service (normally run as NetworkService) that retrieves process information using StartInfo. It works fine.

But a client wants to run the service as a restricted user. (a reasonable request)

According to MS docs StartInfo can only be used by a "fully trusted" user. Is there an alternative way to get most of the information from StartInfo without being "fully trusted" or to configure a restricted user that is "fully trusted" with respect to process info?

like image 877
Justin Alexander Avatar asked Nov 06 '22 03:11

Justin Alexander


1 Answers

It sounds like you're confusing two orthogonal security systems: Windows user security and .NET code access security (CAS). While use of the System.Diagnostics.Process class requires CAS full trust, it does not require administrator user permissions, and is quite feasible for a non-admin/restricted user to run a fully trusted (wrt CAS) application.

That said, the operating system also imposes limits on what non-admin users may do with processes, particularly processes that are not running under their own accounts. Depending on what your code is trying to do with the processes, it may or may not be feasible to run your service under an account that does not have effective administrator permissions.

like image 126
Nicole Calinoiu Avatar answered Nov 09 '22 03:11

Nicole Calinoiu