I have a web application running on IIS. Instead of using a database it reads and writes to a couple of XML files. I currently store these files in the Application Data folder in windows. This folder (\Documents and Settings\All Users\Application Data in win 2003) however requires at least "Power Users" privileges to write!
Reads are OK and are granted to everyone but writes are not allowed as long as your not in the one of the more privileges groups on the system. Why is this so? Is there a better place for a application to write to and one that does require me to add the user of the application pool to a more privileged group?
My second question is that if I have file that just needs reading. Can I then read this directly for the folder where I have my web application deployed (say a folder in "Program Files") or should I at all times use the Application Data folder?
The idea here is that this files sometimes need manual change and using the folder where the web application runs from would basically make more since to normal users I think (especially on win 2008 where the Application Data is hard to find).
Reads are OK and are granted to everyone but writes are not allowed as long as your not in the one of the more privileges groups on the system. Why is this so?
You don't want to allow just anyone to write to the file system via a web application.
Using ASP .NET, people usually use the APP_Data folder to store data files that need read/write access to an account such as Network Service.
Related
Is there a possibility to move App_Data catalog in ASP .net application? I want it to be stored at C:. I tried to change path in my Web.Config file, but all the time i get a different errors, like access to the path is denied (I have copied all the permission to my new App_data folder).
If you are attempting to store something in a specific directory like C:\, you'll need to make sure that IIS have the appropriate permissions to handle performing these actions (as generally it will only be able to access the directory of the application and IIS' root directory).
If you are debugging your application locally, you might ensure that you are running Visual Studio with Administrative Rights (i.e. Right-click > Run as Administrator) as the process spawned from it will likely not be able to access directories that would otherwise require it.
Otherwise, you can check the permissions on one of the following roles, which will vary depending on which version of IIS you are using and ensure that it has the proper permission(s) :
IIS_IUSRS
IIS APPPOOL\DefaultAppPool
NETWORK_SERVICE
Generally speaking, it's not a good idea to give root access to your applications. If you are going to be using this in any kind of production manner (outside of a quick and dirty utility application running on your local machine), you should consider using a sub-directory from within your application and referencing the files from there (i.e. drop the files you are attempting to access in your Project and access them relative to your application).
I have an existing ASP.NET website that I would like to port to Azure within my free trial.
I would like the migration to be as painless as possible. The application uses log4net and NHibernate, plus it needs to share data with an application supposed to run on a virtual server.
Two questions can be asked as 1
How do I configure paths in Web.config to access a shared drive?
I need to configure the paths into which logs will be stored and, most important, I have to specify where the application will read the files written by the daemon that will run on my Azure Linux VM.
When both the app and the daemon ran on the same server (yes, I had Mono running fine) I just had to choose a shared local directory.
I'm not sure I'm totally understanding the scenario, but I'll try to give you a few options.
One - Windows Azure Web Sites (currently in Preview) could be a great option for your ASP.NET site. Of course, it depends what needs your site has. But, you can write your log4net files with web site and using NHibernate too.
Two - Web roles work great for situations like this. You would likely have to change some code to use blob storage for persistant file storage. You could use Windows Azure drives as a way to get a persistent location for log files. Windows Azure drives don't have a pre-determined drive letter, so you'd want to use the API to get to that. That may, or may not, be a good option for your situation. With web roles you could also write the log4net files to local storage and use Windows Azure diagnostics to transfer them periodically to blob storage. Just another way to persist the files.
Three - Using Windows Azure Virtual Machines (currently in Preview) you could write the log files to a data disk, which is backed by blob storage.
In the end, if you have files you need to share across instances and/or roles, then leveraging blob storage is likely your best option.
i wanted to use SQLite with .net application. It only works if the DLL and the Database file are in the BIn folder and the permissions of BIN are set to read / Write.
Is that a security risk ?
Yes, it's a security risk, and what's more, every time a file in the Bin folder is updated, it will cause your application to restart. So you put the database file in the App_Data folder.
Yes, allowing read/write permission for the IIS worker process to the bin folder would allow anyone that can gain adequate permissions to your system (running as the generally low-privilege account running IIS) can now change your application binaries.
If indeed SqLite poses that requirement (but I would tend to agree with Michael P's comment), I would not use it under IIS. Whether you should use it depends on the security risk you expect your application to be at and the cost of a security breech (managing your stamp collection vs managing credit card data).
I do suspect that SqLite will allow you to place your data file in App_Data, where such data belongs. In fact, the answer to the question below outlines how to do just that:
How do I reference the Sqlite db file in the App_Data folder for my ASP.NET Web Application?
It only works if the DLL and the Database file are in the BIn folder
Well that sounds like a blocker. There is a free commercially licensed Microsoft SQL Server CE. It fits perfectly and securely into ASP.NET. Runs as DLL with database in single file up to 4GB. The limitation is file size and no stored procedures capabilities.
I have an ASP.NET web application that runs on a windows server 2003 server.
there is a form that reads and writes data to an xml file inside the application's directory.
I always grant the NETWORK SERVICE user full control on my application folder so that it can read and write to the xml file.
I put the application on another windows server 2003 server and did the same steps above but i was getting an Access denied exception on the form that reads and writes to the xml.
I did some search and found that if you grant the user ASPNET full control to the directory it would work, I did that and it worked fine.
my question is: what is the difference between granting full control permissions to NETWORK SERVICE and ASPNET users ?
and what can be the difference between the two servers that caused this issue ?
thanks
In all cases, you need to grant the application pool's user account the appropriate access. Application pools were introduced with IIS6. Before IIS6, the .NET application ran under the user account configured in the machine.config file so you would look there to determine the user that needs access.
Network Service is assigned to application pools by default. It sounds like someone set it up differently on one of the servers.
Ideally, you should not be using either account.
You should create a low privilege account that only has access to the resources you need for each web application you have. Add the new account to the IIS_WPG user group. Then create an application pool for each application and set it to run as the user you created specifically for it.
See this article (TechNet) for directions on changing the identity of the app pool.
The configuration I described is now the default in Server 2008 R2/Win 7 (source).
Unfortunately, because someone changed the default configuration on your second server, there is no way for us to tell you what the differences between the two accounts are.
What you will need to do (or have your IT department do) is compare the permissions each account has on the local machine. This will be tedious. However, if you can run powershell, you can use this article to write a script to list out the permissions for each account and compare them.
Good luck finding the differences.
Writing to a file is not working after hosting the web application, whereas they were working while developing and testing in my localhost on debug mode. What could be the problem in writing to a file after hosting? Is there any special permission that should be given to the folders/file?
Without knowing the OS version or the code you're trying to use, I'd say the most likely culprit is permissions. The ASP.NET user (which varies based on version of Windows) needs write access to the folder you're trying to write to. This is likely not enabled by your host.
Yes, you will need read, write, and modify permissions to the directory you wish to write to. You need to ensure that the account under which ASP.NET is running has those rights set up.