Re: CGI XPSP2 IIS5.1 - can't write a local file from CGI .exe

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 11/04/04


Date: Thu, 4 Nov 2004 03:56:44 -0800

Well, you just need to give the identity that is doing the read/write
operation in the CGI access to read/write in the appropriate folders. And
since you control all the configuration, you should know the right identity.
Since you do not, I suggest you first revert all your random permissions
changes back to the original state before you really screw up the server.

Now, the identity depends on how you configured IIS. Please read all the
possible options since you have a lot of configuration choices.

If Anonymous access is enabled, then it is the configured Anonymous user
(default is IUSR_Machine, but you can customize this yourself -- so please
make your best judgement on what it is). Keep in mind that if you
customized anonymous user identity AND you gave the wrong credentials,
Anonymous access will be broken, by-design -- you screwed up the anonymous
user credentials so IIS cannot use it to serve anonymous requests.

If Anonymous is not enabled and some other Authentication method is enabled,
then it is likely the login user that is using the browser, assuming the
machine running the browser and machine running IIS have access to the same
user database like Active Directory or the local SAM. Otherwise, no
authentication is selected and you'll always get 401.2.

If the vdir is pointing to a UNC share, then it is either pass-through
authentication (whatever identity you've impersonated from the above steps),
or a specific UNC username/password that you specified in configuration for
the vdir. Realize that with scenarios involving any machine other than the
web server (like the UNC server), successful pass-through authentication
depends on whether the authentication is "delegatable" (privileged security
operation whereby two other machines choose to trust credentials given by
YOU, a third party, by means of either mutual trust in the same Active
Directory or implicit trust. In other words, Basic authentication is
implicit trust since it passes the username/password from client to
server... so the server can easily re-use those credentials to access
resources, at the cost of the user losing control over WHO can impersonate
them. Meanwhile, Integrated Windows authentication requires the machines to
mutually trust the same Active Directory which also configures whether
delegation is allowed on the server -- so there is implicit control of who
can re-use the user's credentials to access resources).

Finally, if you have CreateProcessAsUser set to FALSE, then the identity
running the CGI is NOT any of the impersonated identities (what we talked
about above) but rather the process identity, which is LocalSystem.

Or, you can use Filemon from www.sysinternals.com to pragmatically see what
identity is getting access denied.

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Larry W" <LarryW@discussions.microsoft.com> wrote in message
news:B4EE88C8-ABA0-4423-96C5-BF7252DF989A@microsoft.com...
I am trying to use a CGI .exe program that needs to write a graphics file to
a local directory, such as images.  Trying to open the file for writing
fails. I wrote a simple test program that verifies the behavior.  I suspect
that it is a permissions issue, since I can open a file for reading from the
same directory in my test program.  I have set the permissions on the images
directory to read and write.  I have even added the Users group to the
IUSR_<machine> account.  What do I need to change to be able to write a file
from the CGI program?
Thanks.
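
Added example, not part of the original thread: a small diagnostic CGI in C that prints the account the CGI process actually runs as and whether that account can create a file in the target folder, which is the identity the reply says must be granted write access. The function names, the probe file name and the relative path "images" are assumptions for illustration; the POSIX branch exists only so the source can be built and checked away from the IIS machine.

```c
/* Added diagnostic CGI, not from the original thread. Windows: link
 * advapi32.lib. The POSIX branch only lets the source build off-server. */
#if !defined(_WIN32) && !defined(_POSIX_C_SOURCE)
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <string.h>
#include <errno.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <unistd.h>
#include <pwd.h>
#endif
/* Account the process runs as, written to buf; 0 on success. */
int current_identity(char *buf, size_t len) {
#ifdef _WIN32
    DWORD n = (DWORD)len;
    return GetUserNameA(buf, &n) ? 0 : (int)GetLastError();
#else
    struct passwd *pw = getpwuid(geteuid());
    if (pw) snprintf(buf, len, "%s", pw->pw_name);
    else snprintf(buf, len, "uid-%lu", (unsigned long)geteuid());
    return 0;
#endif
}

/* Create and delete a probe file in dir; returns 0 or the errno value. */
int probe_write(const char *dir) {
    char path[1024];
    FILE *f;
    if (snprintf(path, sizeof path, "%s/cgi_probe.tmp", dir) >= (int)sizeof path)
        return ENAMETOOLONG;
    f = fopen(path, "w");
    if (!f) return errno;   /* EACCES: this account lacks write access */
    fclose(f);
    remove(path);
    return 0;
}

int main(void) {
    char who[256] = "";
    int id_rc = current_identity(who, sizeof who);
    int wr_rc = probe_write("images");  /* assumed folder, named in the question */
    printf("Content-Type: text/plain\n\n");
    printf("identity: %s (rc=%d)\n", who, id_rc);
    printf("write to images: %s\n", wr_rc ? strerror(wr_rc) : "ok");
    return 0;
}
```

Requesting the built .exe through IIS shows the account name to grant write access to on the folder, and "Permission denied" confirms that the ACL for that account is the cause.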

