security issue IIS7.5 / IIS APPPOOL\user not authorized but has full control?_问答_开发者

security issue IIS7.5 / IIS APPPOOL\user not authorized but has full control?

开发者 https://www.devze.com 2023-04-11 17:09 出处：网络

It seems I have a strange issue with security: I have a website with the following folders: inetpub\\wwwroot

It seems I have a strange issue with security:

I have a website with the following folders:

inetpub\wwwroot
inetpub\wwwroot\readyfordownload

The IIS APPPOOL\Classic user has full access to this 'readyfordownload' folder.

Now I have a console APP that creates a zipfile in the readyfordownload folder. This is done from a c# classlib. Strangely enough, the IIS APPOOL cannot access this file, even though it has full control over the folder. Also, the classlib first creates an xlsx file that is later added to the zip. The APPPOOL user does have access to the xlsx file.

If I run the same function in the C# classlib from a code behind in the website, the same zipfile is created and the IIS APPPOOL user CAN access the file....

Any ideas?

zip is created like this (not the actual code, but it is the same) http://dotnetzip.codeplex.com/

  using (ZipFile zip = new ZipFile())
 {
     // add this map file into the "images"开发者_开发技巧 directory in the zip archive
             zip.AddFile("test.xlsx");
     zip.Save("MyZipFile.zip");

}

OS is windows 2008 R2 web server ZIP library is Dotnetzip (Ionic)

Update: I am most interested in why the ZIPfile does not get the rights and the xlsx file does....

Have you tried setting the FileAccessSecurity explicitly? Maybe the files are not inheriting the ACL from the directory.

the apppool user can access the xlsx file because your console creates it directly under readyfordownload folder.

the zip file on the other hand is first created in a temp folder and then copied to your folder. This means that the file permissions are wrongly set on the file.

Make sure IIS_IUSR and DefaultAppPool users have access on your wwwroot.

As scottm suggested change your console code to give permissions to the IUSR and DefaultAppPool users on the zip file. Your code should read like:

    using (ZipFile zip = new ZipFile())
    {
        // add this map file into the "images" directory in the zip archive
        zip.AddFile("test.xlsx");
        zip.Save("MyZipFile.zip");

        var accessControl = File.GetAccessControl("MyZipFile.zip");

        var fileSystemAccessRule = new FileSystemAccessRule(
                                    @"BUILTIN\IIS_IUSRS",
                                    FileSystemRights.Read | FileSystemRights.ReadAndExecute,
                                    AccessControlType.Allow);

        var fileSystemAccessRule2 = new FileSystemAccessRule(
                                    @"IIS AppPool\DefaultAppPool",
                                    FileSystemRights.Read | FileSystemRights.ReadAndExecute,
                                    AccessControlType.Allow);

        accessControl.AddAccessRule(fileSystemAccessRule);
        accessControl.AddAccessRule(fileSystemAccessRule2);

        File.SetAccessControl(path, accessControl);
    }

Check Windows EventLog for related errors. For detailed info use ProcessMonitor, so you can see if there is a problem with permissions.

Configure the security of the folder using “advanced securty setting property page”. (Select properties--> security). Also note that the application pool can impersonate the user so that the application may not be serving the request with the identity of the app pool. By default impersonation may not work. You have to set it explicitly in the web config. E.g. <identity impersonate="true" /> or <identity impersonate="true" userName="domain\user" password="password" />

Sriwantha Sri Aravinda