Hello Joe,
ok
in general it is dangerous to give the WP write access to the web
directory.
think of this scenario: you somehow manage to pipe data in that
directory - e.g. text with an .aspx extension - afterwards one can
execute the file over the browser..
so in a shared hosting environment i can understand that the ISP sees
security implications - it would better to have a writable dir
outside of the web root.
this all is only possible if the ISP has separate appPools for the
app - which they normally don't do - because a lot of WPs suck memory
and cpu out of the web server..
but still then it is hard to really isolate apps on a web server -
the temp directory is just an example that came to my mind which is
often overlooked by ISPs -
usually IIS_WPG has modify on the whole directory tree...this was not
really related to the question but i thought i throw it in
but
this allows to download the compiled assemblies of other apps on the
server - so much for isolation...
in general the only way to effectively isolate apps in a shared
environmen in partial trust - if PT is in place i would have no
problems opening up directories for a customer - assuming the ISP
understands policy....
hope that clarifies it a bit...
a POC for the temp dir problem:
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Web.Configuration" %>
<%@ Import Namespace="System.IO" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"
http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
protected string tempDirectory
{
// get the location of the temp directories, if not specifically
// configured, take the default location
get
{
CompilationSection comp = (CompilationSection)
WebConfigurationManager.GetWebApplicationSection
("system.web/compilation");
if (!string.IsNullOrEmpty(comp.TempDirectory))
return comp.TempDirectory;
else
return Path.Combine
(HttpRuntime.AspInstallDirectory, "Temporary ASP.NET
Files");
}
}
// traverse sub-folders
protected void _treeView_OnPopulate(object sender, TreeNodeEventArgs
e)
{
string path = e.Node.Value;
foreach (string directory in Directory.GetDirectories(path))
{
string name = Path.GetFileName(directory);
TreeNode n = new TreeNode(name, e.Node.Value + "\\" + name);
n.PopulateOnDemand = true;
e.Node.ChildNodes.Add(n);
}
}
protected void Page_Load(object sender, EventArgs e)
{
if (!IsPostBack)
{
TreeNode node = new TreeNode("temp dir", tempDirectory);
node.PopulateOnDemand = true;
_treeView.Nodes.Add(node);
}
}
protected void _treeView_SelectedNodeChanged(object sender, EventArgs
e)
{
_lstFiles.Items.Clear();
foreach (string f in
Directory.GetFiles(_treeView.SelectedNode.Value))
{
_lstFiles.Items.Add(f);
}
}
// download the selected file
protected void _btnDownload_Click(object sender, EventArgs e)
{
Response.AddHeader("Content-Type", "binary/octet-stream");
Response.AddHeader(
"Content-Disposition", string.Format("attachment; filename={0}",
Path.GetFileName(_lstFiles.SelectedValue)));
Response.WriteFile(_lstFiles.SelectedValue);
Response.End();
}
</script>
<html xmlns="
http://www.w3.org/1999/xhtml">
<head runat="server">
<title>Download Assemblies of other Applications</title>
</head>
<body>
<form id="form1" runat="server">
<div>
ASP.NET Temp Directory;
<asp:TreeView ExpandDepth="0" runat="server" ID="_treeView"
OnTreeNodePopulate="_treeView_OnPopulate"
OnSelectedNodeChanged="_treeView_SelectedNodeChanged" />
<br />
Files:
<br />
<asp:ListBox runat="server" ID="_lstFiles" Height="150px" />
<br />
<asp:Button runat="server" ID="_btnDownload" Text="Download"
OnClick="_btnDownload_Click" />
</div>
</form>
</body>
</html>
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Security certainly can't be any worse with a .NET app than with an
ASP app that uses the same deployment model. .NET doesn't elevate
privileges or anything like that.
If they are using 2003, then they could potentially create a
separate app pool for your app (which is a good idea in general from
a hosting perspective). If they did that, they could run your app
pool under its own identity in order to help keep the apps isolated.
Based on what I think Dominick was getting at, I don't think this
solves the problem of access to the temp asp.net files directory,
but from what I understand, it should allow your scenario securely.
I could definitely be wrong though, so we'll see what D. has to say
when he gets up tomorrow.
Joe K.
message
Thanks Joe. This helps.
Just to clarify a point. The reference to the ASPNET user was from
me. I develop on Win 2000 so I forgot to include the NETWORK
SERVICE user in my description. In fact I believe they are using
Win 2003.
I think it fair to say that security would be better for a .net
site than for their current other asp sites.
Mike
:
The other thing that is interesting is that the OP mentions the
use
of
the
ASPNET account. That would seem to indicate that they are using
Windows
2000 instead of 2003. That seems like a questionable thing to be
doing
for
a professional hosting company.
If they were using 2003, they could put the application in its own
app
pool
and set that up to run with a specific identity easily. The app
would be
isolated from the other apps on the server at the process level.
That approach seems to make much more sense to me.
Joe K.
"Dominick Baier [DevelopMentor]"
Hello Mike,
if the account has the needed ACLs - yes of course - this is
possible
give that a try:
can you programmatically read from:
C:\WINDOWS\Microsoft.NET\Framework\vXXX\Temporary ASP.NET Files
this is where ASP.NET compiles the page assemblies to and copies
all
other
needed assemblies
if you can read from this directory you can compromise every
ASP.NET
app
on the server
The only effective way of isolation applications is to use
partial
trust.
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
How secure is the .net framework in a shared hosting enviroment?
I am discussing running a .net application with a hosting
company and they are reluctant to allow the aspnet user account
write access to a folder within my site. They are saying that
this is insecure. I believe that they are wrong but would like a
more informed opinion.
Is it possible for one site to access files from another site
using .net?
Is there a better way of allowing an application to write to a
folder than giving the aspnet user write access?
