Folder write access rights issue.

[Sachin Chavan]

Hi,

I have an asp.net application which is having 2 more folders namely error
log and app data, apart from normal virtual folder contents. I use app data
folder for storing all user specific info in a xml file and error log to
write error log to it.

But by default, write access is not allowed, so I am not able to write to
these files.

Please, let me know how to configure write access only for folders app data
and error log and for which user I mean aspnet or IUSR. These folders are
hosted on windows 2003 sever machine.

Please, guide me.

Thanks,
Sachin Chavan.

 

[Dominick Baier [DevelopMentor]]

Hi,

so you are using FileStream e.g. to write to these folders??

On Windows 2003 - NETWORK SERVICE is the default worker process identity
for ASP.NET/IIS

you can check this in the IIS MMC snapin

this account needs the DACLs on these directory (read/write).

 

[Sachin Chavan]

Hi Dominick,

I am using StreamWriter to write these files. Also what I forgot to mention
in my previous mail is, the code for writing these files is in seperate class
libraries and not in the same asp.net dll.

So, I guess since these are class libraries and not a asp.net code behind
dll, they might be running under different user or may be under currently
logged in user account and not under aspnet user.

These dlls are in the same bin directory as the asp.net code behind dll.

So under what account will they run under?

The solution u suggested says to give write access to these folders for the
"NETWORK SERVICE" user. This means any malicious user can curroupt these
files, right?

Hence, I am looking for a solution in which I can run the helper dlls that
write to these files under account other than apnet thus i will be giving
write access only to this user.
In this way I can avoid giving write access to aspnet user and make these
folders more secure.

Thanks,
Sachin.

 

[Dominick Baier [DevelopMentor]]

If you load these assemblies from your asp.net application they will run
under the same account as the asp.net app - that NETWORK SERVICE by default

If you are concerned - put the writable folder outside your web root - then
it cannot be accessed via the browser but is accessible via the APIs.

Running the libary in a different security context, requires some extra work.

in 1.1. people often used the approach to offload the work in a COM+ component
that can be run under a different account
in 2.0 you can achieve the same using secure remoting (without the automatic
hosting you get in COM+)

 

[Sachin Chavan]

Ya I came across one post saying the same while searching some solution for
this problem.

But though it said, I have to use com+ for that there was no sample example
on that from which I can have an Idea about how to do it and what
configurations to do in IIS to make this work.

It will be great if you can mail me any such link.

Once more, Thanks for ur valuable guidance.

Regards,
Sachin Chavan.

 

[jeanbdenis]

I am having a similar problem while impersonating with a domain user.
I can creat a file and write that file to a specified folder ( the file
written is a batch file) however I cannot execute that file. when
running under the aspnet account it gets executed however when
impersonated it does not get executed. Any help would be much
appreciated.
Thank you

 

[Sachin Chavan]

Hello Jean,

I am not an expert on this, so plz ingnore this, if this doesnt work out.

What I think is, the user to whom ur impersonating ur identity, is not
having read & excecute permission on the bat file u want to execute. So, try
giving read & execute permission to this perticular user on ur bat file and
try again.

Hope this works out.


Sachin Chavan.