A few file upload questions

[Keith G Hicks]

asp.net 2.0

When I first set up the app I'm working on, it was not in teh inetpub
folder. Instead, VWD put it in the VS folder in My Documents. I was brand
new to all this when I started working on this project. At the time, I
created a page that allowed for uploading images. It's simple enough and was
working fine. Later on after some more reading, I discovered that I should
have my project in the inetpub folder to see it in IIS. So I did that and
most everything is fine. But now my file upload doesn't work. This is all on
my development machine so far (win2k pro sp4 so it's IIS 5). I checked the
permissions through IIS of the folder that I'm trying to upload to. It was
set as read only so I changed it so that the "write" box is now checked as
well. That didn't help. I still get a folder access denied error duiring the
upload attempt. What should I do to handle this? Everything I find online
deals with people who say "... it was working fine on my development machine
but when I put it up on a server for the web it stopped working..." That's
not my situation right now (although in a couple of weeks it might be mine
as well).

Second question is that it seems like it would be unsafe to open up a folder
to write access without soem other precautions. The folder is goign to store
images of people. I'm thiking that the safest thing to do would be to have a
temp folder that has write access so that the pictures can be uploaded there
and then I'd have to do something else programatically to move them to the
live read only for viewing pictures folder. I guess I'm looking for some
advice here on what's the most practical and safest way to handle this sort
of thing.

Thanks,

Keith

 

[Keith G Hicks]

OK. As far as the first question goes (I still would like help on the 2nd
one) - I changed the permissions on the folder security in Windows (not IIS)
to all "Everyone" write access and now it works. I even changed the
permission on the same folder in IIS back to where Write is unchecked. The
upload still works. So I guess I'm not clear on what the "write" checkbox in
IIS is doing. I'm also not sure WHO actually needs permission on that folder
from within Windows. Obviously setting it to "everyone" is overkill but that
was the easiest way for me to test it. How do I set it so that the user
that's logged into the web app can do an upload? Do I need to set up a user
in Windows that synchs up with whoever is logged into my asp.net app? I'm
using Forms authentication, not Windows (in the asp.net app). One thing I
don't understand is tha I'm the administrator on this development machine.
In Windows, I have full access to the folder in question. So how does that
line up with what's going on in IIS? I'm not really sure if I'm even asking
the right quesitons here so please be kind.

Thanks,

Keith

 

[Paul Shapiro]

I'm also new at asp.net, but I've been working on similar issues. Unless
your website is impersonating the browsing user, the user who does the
writing and therefore needs permissions on the folder where you're putting
the files is the user account that's running your website. The account
depends on which version of IIS you're running, and for some IIS versions it
also depends on the IIS process isolation level you set for the website. On
older IIS versions, for example, it used to be IUSR_MachineName or
IWAM_MachineName. It's sometimes identified as the Anonymous user. You can
perhaps find it by checking the documentation in your version of IIS
Manager, or searching on google.

I saw a suggested location for file uploads as a folder under the App_Data
built-in folder. Two main reasons: A) ASP.Net will not let a browser access
files under App_Data- it's a protected folder. So the only way anyone gets
to those files is if you either move the files to an accessible folder or
write a bit of code to stream the file to the user's browser. It leaves you
in good control of the files. B) If you deploy your site pre-compiled,
uploading a file to any folder NOT under App_Data will cause the site to
recompile. ASP.Net is watching the file system for any site changes, and it
doesn't know that your uploaded files don't count. But it doesn't watch
anything under App_data.
Paul Shapiro

 

[Keith G Hicks]

I found an "ASP.net machine account" in my Windows security (I'm guessing
that IIS added that when I installed IIS either that or one of the .net
frameworks did it - I'm far from a security expert so I really dont' know).
I added that to the permissions for the 2 folders in question and gave them
write permission inWindows. That did the trick so far.

So it sounds like I should move my 3 image upload folders under the App_Data
folder. I do recall seeing something about not recompiling if things are
under that folder but that was a while ago before I got into this side of
things.

I'm unclear about this line from what you wrote below:

"Unless your website is impersonating the browsing user, the user who does
the writing and therefore needs permissions on the folder where you're
putting the files is the user account that's running your website."

I don't know what you mean by a website impersonating the browser user. Are
you talking about this:
http://msdn2.microsoft.com/en-us/library/aa292118(VS.71).aspx? I need to
find a good place to get a clear general understanding of asp.net security.
I know how to set up users/roles/rules, etc but beyond that I'm very much a
novice. Any suggestions on where to get a good basic overview (not looking
for a 1000 page book!!!) would be great.

Thanks,

Keith

 

[Paul Shapiro]

For an Intranet site, you can set the application to impersonate the
browsing user's account. This is not the usual way of running, and wouldn't
work for an Internet site. Since you added the machine account to the folder
permissions and it's working now, your site must be running under the
machine account. So you're all set.

Someone with more experience will hopefully suggest security learning
resources. I have a (large) book recommended by others titled "ASP.Net 3.5
Unleashed" which I've found helpful in general, not specifically for
security.

 

[Keith G Hicks]

Thanks Paul. I appreciate your help.

Keith