Write permission for a specific folder in web.config - asp.net

My question is pretty simple. Is there any way to give the current user (IIS user, in this case the ASP.NET user) permission to write to a specific folder location (a folder inside our web application) using web.config? Because it's getting boring to ask the web hoster for access to a specific folder each time we want to add a file uploader to a website.
I know it's maybe pretty simple to find an answer using Google, but it keeps returning how to write INTO web.config instead of permission to write into web.config FOR a specific folder. In addition, I'm French so my English is not at the top.

No. If that was possible, you could write an application which, when deployed on a server, would allow you to write to any directory on the disk despite write access being denied by the administrator.

You can easily grant permissions for a local user (e.g. the user that the IIS worker process/app pool is running as) to a folder anywhere on your filesystem actually through rights permissions in Windows itself but this does not allow for doing this through the web.config file itself. Please give us a description of what you're trying to do specifically and there may be a better solution. The solution I mentioned above could be a bit of a security risk but it depends on the needs and situation.

So, from what I understand .NET (and web.config) don't really control write permissions.
You'll need to either expose the folder from a filesystem and/or webserver level to allow people access (though this may be somewhat of a security issue depending on your scenario). Or another possibility would be to create a simple web-page that allows uploading files to the directory.

Related

Properly secure IIS 7 read/write folder

I am running IIS 7 and ASP.NET 4. It's an online charting application where one folder needs to have read/write access. Users don't upload anything into this folder directly; instead they configure chart settings and then ASP.NET generates the chart on the server and saves it as an image into that read/write folder. Users are redirected to download the image of the chart from that folder.
In order to allow IIS/ASP.NET to save an image into the folder, I give WRITE permission to IIS AppPool/ChartApp account.
But, I am worried to have write access on a folder that's open to HTTP. While there is no direct way to upload a file via my site into that folder, I am concerned that hackers will find a way to upload a script and then execute it. Are these valid concerns? Is there anything else I need to do to secure such a read/write folder?
Thanks.
The configuration is sound and a normal standard setup. As you point out, there is no way to upload a file unless you add one.
If you're particularly paranoid about this, you can set up a new user account and use that account as the 'anonymous user' account (which is the credentials used by the common browsing user on your site), and ensure that account doesn't have write access while the AppPool account does. The anonymous user uses the AppPool identity by default.
What are all the user accounts for IIS/ASP.NET and how do they differ? has details on each different account type.
What I ended up doing is to use a different account to write the file. The code from this article worked well for impersonation. The account that writes the file has write permissions, and the "main" AppPool account is still read only.

asp.net log files permissions

Our ASP.NET app writes errors to a text log file in the web site's root folder. This has led to all sorts of permission problems; different flavors of IIS and Windows allow different things by default.
So what I am wondering is there a location somewhere in Windows where all types of users can write a file without any extra permissions that will also work for all IIS and flavors of windows?
I am thinking of the ApplicationData folder, but did this exist in Server 2003?
Thanks,
AJ
The easiest solution would be to use the App_Data subfolder of your web application for this. By default it's not viewable from the web, so Internet clients won't be able to read the logs.
Depending on your deployment method, you might have to change the permission to allow write access to this folder (to the user under which your web application is running).
Alternatively, there is a place where every user can write to: It's that user's temporary folder, which you can access through Path.GetTempPath. This, however, does not sound like a suitable location for log files.
You should always first think about wwwroot folder (%systemdrive%\inetpub\wwwroot) because it has the required permission.
The permission you need is to set full control for IIS_IUSRS.
Edit: you can simply give Everyone Full Control (not recommended at all) but this solves most of the NTFS permissions issues with IIS.

What File permissions should I set when hosting an ASP.NET project in IIS 7?

I'm looking for a guide on how to set file permissions for hosting an ASP.NET project in IIS 7.
Full access rights for all files in the project directory to everyone works, but I guess this is not a good idea?
Thanks for your help in advance!
Take a look at the "In Practice" part of my answer to this question:
What are all the user accounts for IIS/ASP.NET and how do they differ?
You should prefer to use "Application Pool Identity" with IIS7:
Application Pool Identities
IIS 7 has some pretty good security around the \inetpub directory already. When adding a site, the default id that the worker processes execute under already has all of the permissions necessary.
The only real reason to change these is if you are allowing file uploads to be saved to disk. At which point you are better off creating a directory outside of your site structure and using a virtual directory to point to it.
However, some applications, like DotNetNuke, require the worker process to have read/write permissions on the site files themselves, including the web.config. This is generally a very bad idea.

System.UnauthorizedAccessException: Access to the path is denied

No matter what I do such as give Network Service and the ASP.NET account full rights to the folder that contains the image, I am still getting this error for a System.IO.File.Move. Anyone know what other accounts I may be missing here? Network Service is the account running the app pool under which this site runs on and I gave Network Service full rights to the entire folder.
I've tried everything. I gave Network Service and the machinename\aspnet full permissions to the folder that contains this .jpg. I'm testing this code and this move on localhost...my developer machine.
Have you tried using SysInternals FileMon, now part of Process Monitor? You can use it to watch for the file access events or the access denied event.
It might be because you write into some other folder that is not under the ASP.NET application (e.g. %TEMP% folder or something). In this case the account used is IUSR_MACHINENAME, which represents the anonymous user.
You either need to impersonate, use another folder or give write privileges to IUSR_XXX (which I don't think is a good idea) to deal with that.
On the machine hosting the shared drive, make sure to set things up under both these tabs:
Sharing -> Permissions
Security
Most of us deal with the Security tab for getting IIS stuff working, but it was the former that was giving me the same issue with the .MoveTo() method. (It could read, just not move).
To further complicate matters, I also had the directory shared as multiple names - make sure to check the permissions for each shared name.

ASP/ASP.NET Best way to handle write permissions?

Say you have public ASP.NET (and Classic ASP) applications on IIS with a script/page that needs to write or update html files in a specific folder that is located within the web publishing folder tree.
What is the proper way to handle this and exactly how do you do it? (i.e. set directory permissions in IIS or windows explorer)
My main concern is that I want to let the ASP/ASP.NET apps write to a folder, but I don't want regular http users to be able to put files into it directly via HTTP PUT.
You'll want to set your NTFS permissions as follows:
IUSR_<MachineName> - The anonymous user should only have READ access
Network Service (or App Pool identity) - READ and WRITE access
With these permissions, you can most likely safely remove the Everyone and Authenticated Users accounts from the ACL as well.
More info:
http://support.microsoft.com/kb/815153
Don't enable writing in IIS--that only speaks to HTTP PUT, not underlying filesystem permissions. Then do what gattaca said.
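
The NTFS layout recommended in the answers above (write access for the app pool identity only, read-only access for the anonymous user, no broad groups) can be applied and then checked from an elevated PowerShell prompt. This is an added example, not code from any of the posts. The folder path is hypothetical, the pool name `ChartApp` is borrowed from the charting question, and `IUSR` is assumed to be the anonymous account (the IIS 7+ built-in; IIS 6 used `IUSR_<MachineName>`).

```powershell
# Added example: all names below are assumptions, adjust them for your server.
$Folder  = 'D:\Sites\ChartApp\charts'   # hypothetical folder the app must write to
$AppPool = 'IIS AppPool\ChartApp'       # app pool identity that runs the site
$Anon    = 'IUSR'                       # anonymous account (assumed IIS 7+ default)

# 1. Grant explicit rights first, so nobody is locked out when inheritance is cut.
#    (OI)(CI) = applies to files and subfolders; F = full, M = modify, RX = read/execute.
icacls $Folder /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F'
icacls $Folder /grant:r "${AppPool}:(OI)(CI)M"
icacls $Folder /grant:r "${Anon}:(OI)(CI)RX"

# 2. Drop every ACE inherited from the parent (often Users / Authenticated Users).
icacls $Folder /inheritance:r

# 3. Remove explicit grants to broad groups that may have been added earlier
#    (for example after a "give Everyone Full Control" quick fix).
icacls $Folder /remove:g 'Everyone' 'Authenticated Users' 'Users'

# 4. Audit: list any Allow entry that can create or append files and is not
#    one of the identities we expect to have write access.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'
$expected  = @($AppPool, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

$unexpected = (Get-Acl -Path $Folder).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $writeBits) -ne 0) -and
    ($expected -notcontains $_.IdentityReference.Value)
}

if ($unexpected) {
    Write-Warning "Unexpected write access on ${Folder}:"
    $unexpected | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
} else {
    "OK: only $AppPool, SYSTEM and Administrators can write to $Folder"
}
```

Step 4 can be run on its own against an existing folder to check what the hoster or a previous deployment left behind, without changing anything.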
