0

The scenario is that I am running a service as admin.

We have a callout that runs custom code (think scripting). It uses CodeDOM compiling to create an assembly and create a type and invoke a method (based on code).

I want to temporarily drop admin privileges for the duration of the callout and then restore them afterwards.

Crono
Derek
  • So, what's stopping you? – Tarec Feb 20 '14 at 15:57
  • I have no idea how to do this. I am imagining creating a class that implements IDisposable and drops elevation in the constructor and restores it in the destructor but I don't know what the calls are to drop elevation and restore it. I guess I might need to know the current "state" of elevation to be able to restore it later. – Derek Feb 20 '14 at 15:59
  • Could you invoke the callout from a separate process (which is started from the service)? If it is possible, see http://stackoverflow.com/q/1173630. – AlexD Feb 20 '14 at 16:05
  • I do run in a separate app domain BUT that app domain does the compilation and the execution. I'm going to guess that the compilation requires rights that the execution does not. For example: I compile my dlls to disk. So I want to lower elevation around the duration of the call where I am actually invoking code. – Derek Feb 20 '14 at 16:23
  • If you can compile EXE instead of DLL, then you perhaps can launch it and de-elevate (see previous link). – AlexD Feb 20 '14 at 16:31
  • What normally happens, from a Windows perspective, is you have a binary that has lower elevation and that calls another binary that needs temporarily-higher elevation. In .NET, you can create a "sandbox" to run code in a lower elevation, but that has to run in a different AppDomain. – Peter Ritchie Feb 20 '14 at 16:48

2 Answers

0

I don't think you can "drop" privileges in the way you describe; your service is running as a user, and that user is allowed a certain amount of access. You can ask Windows to temporarily grant you more permissions (which is what UAC is all about) but you can't ask it to give you less!

I would create a second user in the system for the purposes of running the scripts (with an appropriately lower level of access) and impersonate that user for the duration of the custom code.

[edit] Turns out I don't know what I'm talking about. According to this link, UAC is implemented in the reverse manner, by creating a restricted set of permissions and running the code in that context.

http://weblogs.asp.net/kennykerr/archive/2006/09/29/Windows-Vista-for-Developers-1320-Part-4-1320-User-Account-Control.aspx

MarcE
0

I ended up running the code in a sandboxed application domain as described in the link:

How to: Run Partially Trusted Code in a Sandbox

http://msdn.microsoft.com/en-us/library/bb763046%28v=vs.100%29.aspx

Derek
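The sandboxed AppDomain approach from the answer above, as an added example that is not the poster's code: the service compiles the script with full trust, then invokes it in a second AppDomain granted only the right to execute. `Sandboxer`, `ScriptHost`, `RunSandboxed` and the `scriptDir` layout are hypothetical names; it assumes .NET Framework 4.x and a strong-name signed host assembly.

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Lives inside the sandbox; the host reaches it through a remoting proxy.
public class Sandboxer : MarshalByRefObject
{
    // Invokes a public static method of the already-compiled script assembly.
    // Arguments and the return value must be serializable to cross the domain boundary.
    public object Run(string assemblyName, string typeName, string method, object[] args)
    {
        MethodInfo target = Assembly.Load(assemblyName).GetType(typeName, true).GetMethod(method);
        if (target == null) throw new MissingMethodException(typeName, method);
        return target.Invoke(null, args);
    }
}

public static class ScriptHost
{
    // scriptDir (assumed layout): a folder that holds only the compiled script DLLs.
    public static object RunSandboxed(string scriptDir, string assemblyName,
                                      string typeName, string method, params object[] args)
    {
        // Grant set: permission to run managed code and nothing else
        // (no file, registry, network, reflection or unmanaged-code access).
        var grants = new PermissionSet(PermissionState.None);
        grants.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

        // ApplicationBase is the script folder, so the sandbox cannot probe the service's own binaries.
        var setup = new AppDomainSetup { ApplicationBase = Path.GetFullPath(scriptDir) };

        // Only the host assembly (which contains Sandboxer) is fully trusted inside the sandbox.
        StrongName host = typeof(Sandboxer).Assembly.Evidence.GetHostEvidence<StrongName>();
        if (host == null) throw new InvalidOperationException("Host assembly must be strong-name signed.");

        AppDomain sandbox = AppDomain.CreateDomain("ScriptSandbox", null, setup, grants, host);
        try
        {
            var handle = Activator.CreateInstanceFrom(sandbox,
                typeof(Sandboxer).Assembly.ManifestModule.FullyQualifiedName, typeof(Sandboxer).FullName);
            // A script that exceeds the grant set surfaces here as a
            // TargetInvocationException wrapping a SecurityException.
            return ((Sandboxer)handle.Unwrap()).Run(assemblyName, typeName, method, args);
        }
        finally { AppDomain.Unload(sandbox); }
    }
}
```

The CodeDOM compile step stays in the fully trusted host and writes the DLL into `scriptDir`; only the invocation crosses into the sandbox. Code Access Security exists only on .NET Framework, and Microsoft's current documentation advises against relying on it as a security boundary, so the separate low-privilege process suggested in the comments gives stronger isolation.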