Fog Creek Software
Discussion Board




Writing to DOCUMENT_ROOT on IIS

This weekend, while I was porting a UNIX app to Windows, I tripped and fell over my ignorance of the Windows XP security system.  I'm hoping that somebody here can help.

I have this nice little content management app that will update files on a website based on database content.  It's similar in concept to Moveable Type, without being anywhere so feature rich (I'm targeting a different kind of user).  The problem of course is that under Windows XP, for perfectly valid security reasons, the IIS User isn't allowed to write to files under DOCUMENT_ROOT, i.e. c:\inetpub\wwwroot. 

At the same time as I confirmed this, I also discovered that the ability to manipulate file permissions and ownership was sadly missing from the Windows XP explorer.  This left me in an awkward position, because I wasn't able to break the system security by changing write permissions to the folder.

The most sensible solution is probably to change the effective user ID that the application runs under, to one that is allowed to write to DOCUMENT_ROOT.  Regular users, for instance, are clearly allowed to write to DOCUMENT_ROOT.  The problem is that I don't really know how to write a setuid program using the WIN32 API.

I should mention that this application is written in C, so I do have access to the full API, and all of the resources that one would expect of a C program.

Clay Dowling
Monday, February 09, 2004

"At the same time as I confirmed this, I also discovered that the ability to manipulate file permissions and ownership was sadly missing from the Windows XP explorer."

I hate this. The "friendly mode" is turned on by default in XP Pro, but it can be turned off like this.

Open an Explorer window, then go to Tools | Options. Switch to the View tab, then scroll to the bottom of Advanced Settings and uncheck the box labeled "Use simple file sharing".

The simple file sharing mode effects both shares and security. While this can be turned off on XP Pro, it cannot be turned off on XP Home. Once this is turned off, then Explorer will give you back the full security settings you so richly deserve. :)

Brad Wilson (dotnetguy.techieswithcats.com)
Monday, February 09, 2004

You may be looking for API functions like LogonUser, CreateProcessAsUser, ImpersonateLoggedOnUser, and MSDN topics such as "Security" and "Authorization".

Christopher Wells
Monday, February 09, 2004

Actually, when you create the virtual directory in the Internet Services Manager control panel, under the Directory Security tab is the user your app runs as.

See this article for more info:
http://www.fogcreek.com/fogbugz/KB/howto/DetermineUser.html

Michael H. Pryor
Fog Creek Software
Monday, February 09, 2004

is this asp.net? if so, look up the 'impersonate' section of web.config.

are the users running on your windows network? (are they logged in to the domain)? if so, turn on Windows Authentication and disallow anonymous access, then they'll run as themselves, or something close to that.

mb
Monday, February 09, 2004

Thanks for the help everyone.  Michael's suggestion is really the one that I want.  The application was designed specifically to take advantage of the web server's security features, rather than try to implement it's own (I hate writing security systems). 

Clay Dowling
Monday, February 09, 2004

And there is also command line in XP (to one with UNIX roots it might looks empty but...)
cacls - will allow to play with permissions
There are several scripts for configuring IIS from command line (no personal expirience sorry) in %windir%\system32 and named iis*.vbs. Support /? for help

WildTiger
Monday, February 09, 2004

well using Windows permissions (no anonmyous access) is really the way to do it, but if your users do not have windows accounts, running as a particular user works fine.

mb
Monday, February 09, 2004

*  Recent Topics

*  Fog Creek Home