I have created an ASP.Net application using .Net framework 4.0. I need to save an xml file on any location on same server (if file not already exists) and want to access then after always. But I dont want to set write permission to any folder.
Is it possible to write a file to any location for Network service account without specifying write permission?
Does Network service account have default write permission to any location?
Thanks,
Jitendra Biyani
You should always be able to write to %TEMP%. (Call Path.GetTempPath())
However, you should not be writing files to disk if you can avoid it.
What are you trying to do?
Typically if I ever need to do something like this I run an application under a domain user account and grant permissions to the output folder just for that particular user.
Related
We have some requirements where we want to allow our clients/ users to download files/ folders from our file server via browser/ web.
We have a many different directories created on our file server which is mapped to different clients. Which means that, every client has its own directory on our server. We have a main (root) directory for every single client/user. Which means that, every client’s files/folder are created under their respective main directory.
The only thing we need be sure is, whenever our client make a request to access/ download file, first we need to validate their credential (username/password are stored in our SQL server DB) and then we need to allow only those folder which is mapped for specific folder. (The folder mapping is again stored in our SQL server DB)
Which means that, after applying the credential by user/clients, they can only access their directory/ files. They cannot access other’s files/ directory.
Would anybody please do let me know how would I achieve this? All the suggestions would be appreciated highly.
Thanks in advance.
Since different users need to be authorized to access different directories, you cannot expose your files directly on the web.
Build a simple login with a custome MembershipProivder. That will allow you to autenticate against your database.
Since you know which directories the user has access to, you can fetch a listing of files and folders and present it in a ListView to the user.
You can write a HttpHandler to check user authorization and then serve the files to them.
I am running IIS 7 and ASP.NET 4. It's an online charting application where one folder needs to have read/write access. Users don't upload anything into this folder directly; instead they configure chart settings and then ASP.NET generates the chart on the server and saves it as an image into that read/write folder. Users are redirected to download the image of the chart from that folder.
In order to allow IIS/ASP.NET to save an image into the folder, I give WRITE permission to IIS AppPool/ChartApp account.
But, I am worried to have write access on a folder that's open to HTTP. While there is no direct way to upload a file via my site into that folder, I am concerned that hackers will find a way to upload a script and then execute it. Are these valid concerns? Is there anything else I need to do to secure such a read/write folder?
Thanks.
The configuration is sound and a normal standard setup. As you point out, there is no way to upload a file unless you add one.
If your particularly paranoid about this, you can setup a new user account and use that account as the 'anonymous user' account (which is the credentials used by the common browsing user on your site), and ensure that account doesn't have write acccess while the AppPool account does. The anonymous user uses the AppPool identity by default.
What are all the user accounts for IIS/ASP.NET and how do they differ? has details on each different account type.
What I ended up doing is to use a different account to write the file. The code from this article worked well for impersionation. The account that writes the file has write permissions, and the "main" AppPool account is still read only.
My question is preaty simple. Is there any way to give current user (IIS User, in this case, ASP NET USER) permission to write to a specific folder location (folder inside our web application) using web.config? Because, it's getting boring to ask to the web hoster to gain access to a specific folder each time we want to do a file uploader on a website.
I know it's maybe preaty simple to find an answer using google, but it keeps returning me how to write INTO web.config instead of permission to write into web.config FOR a specific folder. In addition, I'm french so my english is not at the top.
No. If that was possible, you could write an application which, when deployed on a server, would allow you to write to any directory on the disk despite write access being denied by the administrator.
You can easily grant permissions for a local user (e.g. the user that the IIS worker process/app pool is running as) to a folder anywhere on your filesystem actually through rights permissions in Windows itself but this does not allow for doing this through the web.config file itself. Please give us a description of what you're trying to do specifically and there may be a better solution. The solution I mentioned above could be a bit of a security risk but it depends on the needs and situation.
So, from what I understand .NET (and web.config) don't really control write permissions.
You'll need to either expose the folder from a filesystem and/or webserver level to allow people access (though this may be somewhat of a security issue depending on your scenario). Or another possibility would be to create a simple web-page that allows uploading files to the directory.
I have an ASP.Net (2.0) application on an intranet that needs to impersonate the users Windows login, which it does by having
identity impersonate="true"
in the web.config file.
In a couple of places it needs to create a file in the Temp folder of the server (a text file in one instance and a Word doc in another instance) before sending the resulting file to the user, after which it is deleted from the Temp folder.
It runs into a permission problem, because the user that is being impersonated does not have permission to write to the server's hard drive.
I was hoping I could switch to the default IIS (or some other built in account) to do the file access functions.
Is that possible? If so, how? I can't create any new accounts on the server.
It is Windows Server 2003.
Thanks
Yes it is possible using the System.Security.Principal namespace, see http://support.microsoft.com/kb/306158 for an example.
Basically you switch to a context that has permissions by impersonating the appropriate user account, perform your file IO then undo the impersonation.
However the easier solution would be to grant write access to the users (or groups). Grant permissions to the domain account/group so you don't have to create local accounts on the server.
I already had problems like yours, then I changed my mind and started using memorystreams and immediately writing them to the response object (instead writing it to disk and after send to the client). This way I save on being concerned in deleting it after downloaded by user.
The simplest way is probably to give the 'Everyone' group write access to the temp folder
Say you have public ASP.NET (and Classic ASP) applications on IIS with a script/page that needs to write or update html files in a specific folder that is located within the web publishing folder tree.
What is the proper way to handle this and exactly how do you do it? (i.e. set directory permissions in IIS or windows explorer)
My main concern is that I want to let the ASP/ASP.NET apps write to a folder, but I don't want regular http users to be able to put files into it directly via HTTP PUT.
You'll want to set your NTFS permissions as follows:
IUSR_<MachineName> - The anonymous user should only have READ access
Network Service (or App Pool identity) - READ and WRITE access
With these permissions, you can most likely safely remove the Everyone and Authenticated Users accounts from the ACL as well.
More info:
http://support.microsoft.com/kb/815153
Don't enable writing in IIS--that only speaks to HTTP PUT, not underlying filesystem permissions. Then do what gattaca said.