Should the Network Service Account receive temp file permissions by default? - asp.net

Recently I was working with generating a PDF from Crystal Reports through a webform. It was failing, which I determined to be caused by the permissions settings on the c:\windows\temp dir. I gave the Network Service account full access to this folder, which promptly fixed the issue. But is there a reason the Network Service account didn't have these permissions by default?
Rick Strahl asks this question here. It sounds like there shouldn't be any issues with doing this, but Rick wasn't clear on why the default is set that way.
Web Server is Windows Server 2003

These days, the default option will tend to be the more secure one. I don't think there's any other reason.
I've had the same issue as you, and in my environment just gave the permission and moved on.
This post suggests it is the fault of Crystal Reports, which is explicitly referencing %WINDIR%\Temp instead of using an API such as Path.GetTempPath(). In fact I have seen Path.GetTempPath() return %WINDIR%\Temp when running under the Network Service account on Windows 2003.

This post on creating temp files has comments that support using the windows temp folder.
An msdn article on using the Network Service account states that "if your ASP.NET application needs to use files or folders in other locations, you must specifically enable access" This tells me that the default restriction to the temp folder isn't because the temp folder was singled out, but that all other locations besides the IIS root folder are restricted by default.

%windows%\temp is not for general temp'ing and barfing around. It is crystal clear that Crystal Reports is abusing that directory. This happens a lot when developers are too lazy to boot up their machines with anything but an admin account.
Every user (including Network Service) has their own temp space, with full access rights, under Documents & Settings. Winners don't act like CR, and use their own temp spaces.
In short, there is nothing wrong with default permissions on win\temp. I believe it is simply meant for Windows' internal workings. (Then again, it would be much better for everyone concerned, if that directory never existed in the first place.)

Related

ASP.NET app cannot see files

I have an ASP.NET web app (VS 2017 Framework 4.5) that works fine in development. When I deploy to the web server and try to reference a file like this:
PdfBitmap tiffImage = new PdfBitmap(item.TIFPageLocation);
It returns a "Can't find file error". I even set up an if File.Exists() test and had the same result.
The file is a reference to another server like this: \\myserver\myvolume1\00\12\7A\00127A90.TIF.
When I run this path on the web server in WinExplorer it finds and open the TIF image in the default viewer. However the web app cannot see it for some reason.
This is likely some permissions issue but I'm not sure where.
Any ideas?
Thanks
Carl
Yes, this is likely a permissions issue. Your web app will probably be running under an account that has limited rights (almost certainly without the rights to access anything on the domain).
You either need to:
a) elevate their rights (be very careful with this)
b) run your site under a new user context created specifically for this site with rights to reach the other server
c) put your images somewhere easier to access.
Check your folder permission it should not have read access cross check that it's worked for me
It was the account the app pool identity was associated with. That need to be set properly.

Unable to get temp directory for .NET web site hosted in Azure App Service

We're working on validating our Loupe service to run as an Azure App Service and have run into a showstopper we can't figure out. Anything that attempts to resolve a temp directory fails with the exception:
mscorlib : System.IO.IOException
The directory name is invalid.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.__Error.WinIOError()
at System.IO.Path.InternalGetTempFileName(Boolean checkHost)
The stack trace has this within the .NET method for generating a temp file name. This stack trace is common to pretty much all the areas we get the failure. For a bit it seemed that if we forced the site to restart and/or forced the underlying App Service Plan to rescale it would go away until we next updated the site but no longer.
Since the only search results we could find said this error happens when impersonation is enabled and the user the site's impersonating doesn't have access to the IIS App Pool user's temp directory we've dug into that. First, we can confirm from our logging that the thread is not impersonating at the time the failed request is made. Second, just for fun we added this to the web.config to be doubly sure:
<system.web>
<identity impersonate="false"/>
</system.web>
All to no avail. If this was a generic problem with Azure App Services then I would presume it would break many systems, so I have to conclude we've done something fascinating and wrong to cause it.
This might not be the exact answer you're looking for but it might help point you in the right direction.
I had similar issues a while back using the Azure App Services. I found that accessing the local file system was somewhat problematic. Sometimes it worked fine and other times it didn't.
Eventually, I discovered that when an Azure App Service is instantiated, it doesn't always use the same drive letters for the system behind it. In some cases, this can cause the environment variables to be blatantly incorrect. They "think" they are set properly, but that's not always the case.
Generating a temp filename will use that environment variable for the path and if it's set to C: but the machine has a D: drive instead, if will fail. The C: drive doesn't exist and therefore the path to the temp file can't exist either.
To identify if this is the problem, you need to enable RDP so you can log into it directly. https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-role-enable-remote-desktop
It's the only way I was able to eventually figure it out.
If you open up the Kudu instance for your App Service Web App you'll be able to see what the local Temp directory is on the Managed VM underneath. You can access Kudu by going to "Advanced Tools" on the App Service blade in the Azure Portal, or by navigating to the https://{web app name}.scm.azurewebsites.net domain for your Web App.
Once in Kudu, click on Environment in the top navigation. The Temp directory is usually D:\local\Temp and that path is stored in the "TEMP" environment variable made accessible to your Web App.

Asp.net writing server side file

Needed to write a server text file as the output of a business process initiated by ASP.net app.
The text file writing code is in a library file using standard stream code
All worked OK in IDE.
Publish and it falls over trying to write file. IIS is reluctant to write to the file system.
Much rummaging around and hair pulling finally led to a solution. It is not pretty and only applicable in a situation where you have control over the Webserver.
Just saw your answer.
It doesn't need to be inside your inetpub or wwwroot directory for that matter, it could be anywhere, as long as security permissions are set correctly for the user under which the application is running as.
But this is actually desired. If not just imagine the consequences of allowing write access anywhere.
Also, there's no need for the virtual directory. You could create a directory like C:\ProcessOutput, and grant permissions accordingly and it should work just fine.
Another option, would be to have a service account created, and impersonate as that user within your application only for when you need to write that output file.
Solution was:
Create a physical directory on the webserver with the physical path of:
c:\inetpub\wwwroot\mywebapp\myOutputFileDirectory
Make a virtual directory that points at the directory.
Using windows explorer give write permission to the physical directory to IIS_IUSRS.
Use a physical path of c:\inetpub\wwwroot\mywebapp\myOutputFileDirectory in your Streamwriter code
Maybe the virtual path could point to somewhere more sensible across the LAN if you get the security sorted but I am sufficiently battered to accept this small crumb with gratitude.

Deployed binaries getting locked during SDL Tridion 2011 SP1 publishing

I have the following scenario:
I publish a page which contains multiple binaries which is then received by an HTTP Receiver and Deployed using an in-process Deployer all hosted in IIS in a dedicated application pool running as the Local Service user.
The Page is stored in the Broker Database, and the binaries are published to the local file system using a path like "D:\Binaries\Preview".
The preview folder is shared to a domain user as a read only share at something like \machinename\PreviewBinaries so that the binaries can be displayed using the web application.
Nine time out of ten everything works fine, but occasionally publishing fails, and it seems to be because the binaries can not be overwritten due to them being locked by another process. I have used ProcessMon and other tools to try and establish what might be locking these files (to no avail). Sometimes I can manually delete the images, and then publishing works again. If I restart IIS on the server I can always delete the files and publish.
Does anyone have any suggestions on what processes could be locking these images? Has anyone seen this issue before? Could there be any issues that I am publishing to a share? Or could SiteEdit 2009 possibly be locking these files as it only seems to occur on our preview server and live (no SiteEdit) seems fine.
Thanks in advance
If you're on Windows 2008, you can try and delete the file from disk. It will then tell you what process has locked the file. But given that restarting IIS unlocks the file, it seems quite likely that it is IIS that keeps a lock on them.
I don't see how SiteEdit 2009 could cause a lock on these files. Given that you can have your preview server on another box, SiteEdit only talks to that server through HTTP. It never accesses the files on the preview server directly and not even through a CD API. Just regular requests to your web server, just like a visitor would.
Again, not a direct answer but I wanted to share this anyway:
I've seen a similar situation where I published Pages to the Broker Database and Binaries to the file system. When I changed the Identity of the Application Pool to Network Service this problem disappeared, and I haven't looked into it further.
OK, well it seems the offending code was in the Presentation Framework we are using. The framework used Response.TransmitFile(binaryPath) to asynchronously transmit the binaries to the clients. It seems that this puts a temporary lock handle on the binaries (even when they are on a read only share).
We have removed this line of code, and modified the application to server binaries in another way (we now rewrite the path so that IIS can transmit the files directly). This seems to have solved the issue, and improved site performance.
Thanks for all your suggestions, it helped me rule out all the things that were not causing the issue, so I was able to find the root cause.
Are there any Anti-virus or indexing services running. These tend to take very short-lived locks at just the moment you don't want them to. Particularly with Anti-virus, this is typically just as one process relinquishes its lock and just before your other process tries to take one. If this is the issue, then setting up some exclusion directories should help.
I see you have used Process Monitor, but have you tried Sysinternals Process Explorer? "Find->Find Handle or Dll" is pretty useful for this kind of thing. Or if you prefer a command line tool, Sysinternals aslo make handle.exe, which dumps everything out for you.

Where to put a new ASP.NET website?

Where's the best place for a production asp.net application? I mean a place that we need less permission manipulation on folders and probably the experts choice.
under C:\inetpub\wwwroot or C:\inetpub or elswhere ?
In development/test phases I usually put it under C:\inetpub\wwwroot and create a new web application without setting bindings. But on production version with binding I'm not sure where's the right place.
You can put it anywhere you like, they key thing is to ensure that the app pool it is running under is set to run as a low privileged user (like NT AUTHORITY\NETWORK SERVICE), then ensure that user has Read (and possibly Browse if you want it) permissions on the folder you put your web app in. Very seldom (if ever) will the user need Write or Modify permissions on the folder.
and on a new system I had a lot of problem to modify batch files, setting permissions
Setting permissions should not be a problem, you should set the same basic permissions i mentioned above for the user you want to run the app pool as. You can use PowerShell or WMI for this, and you should use the same permissions no matter what folder you install in to.
You could always wrap all this up into an installer, then it can be as simple as hitting Next.. Next... Finish... in an installer wizard to set up your website on any machine. Doing this in an installer also gives you some certainty that nothing has been missed.
Personally I have a 'Development' folder on my D: drive which is then subdivided into different categories depending on the work. I generally don't use inetpub directory and any permission issues I come across I just set directly onto the relevant folder within my own development structure.
On production environments I've used in the past, we've generally done the same thing. Mainly to help backup scenarios really, but also because there's no strict need to use the default IIS directories - you're free to structure things how you like.
Personally, I always create a new folder (in the root of a drive) called WebSites. I then make sure it has the appropriate permissions for the website process(es) (aka App Pools).
eg.
C:\
|_WebSites
|_www.Foo.com
|_www.Bah.com
It also makes it easier to manage because you don't have to hunt through the folder structures to find any/all websites.
But technically, it can be (more or less) anywhere - just needs to have the correct permissions set.
Bonus Answer
I also remove the Default Website from IIS .. which in effect means I can also delete c:\inetpub\wwwroot.
You can put the website any where on the server hard disk, Just make sure it is a secure folder and also I recommend to don't put it in the same OS drive, in case it failed and you needed to formate it.
C:\inetpub\wwwroot and C:\inetpub are just the default places nothing more.
Really depends on how the production server is configured and how operations likes to operate over there. Typically we setup a second "data" drive on servers for a few reasons:
a) Back in the old days, there were a lot of cannonical attacks where the attacker would try to navigate from c:\inetpub to c:\winnt\cmd.exe. Putting things on a different drive prevented this sort of thing.
b) Recovery -- if the OS gets hosed, you can pretty easily reinstall/reimage or move the data disks to another box and get things stood up fast.
c) Typically is lots easier to do things like swap the non-os disk in case you need more disk space or faster disks or whatever.
Basically, off the OS drive is a good idea. Though virtualization and modern deployment tools make lots of this matter less.

Resources