Security issue: IIS7.5 / IIS APPPOOL\ user not authorized even though it has full control?

Published 2024-12-08 08:39:37 · 947 characters · 1 view · 0 comments


It seems I have a strange issue with security:

I have a website with the following folders:

  • inetpub\wwwroot
  • inetpub\wwwroot\readyfordownload

The IIS APPPOOL\Classic user has full access to this 'readyfordownload' folder.

Now I have a console app that creates a zipfile in the readyfordownload folder. This is done from a C# classlib. Strangely enough, the IIS APPPOOL cannot access this file, even though it has full control over the folder. Also, the classlib first creates an xlsx file that is later added to the zip. The APPPOOL user does have access to the xlsx file.

If I run the same function in the C# classlib from a code behind in the website, the same zipfile is created and the IIS APPPOOL user CAN access the file....

Any ideas?

zip is created like this (not the actual code, but it is the same)
http://dotnetzip.codeplex.com/

  using Ionic.Zip;

  using (ZipFile zip = new ZipFile())
  {
      // add test.xlsx at the root of the archive, then write the archive to disk
      zip.AddFile("test.xlsx");
      zip.Save("MyZipFile.zip");
  }

OS is windows 2008 R2 web server
ZIP library is Dotnetzip (Ionic)

Update: I am most interested in why the ZIPfile does not get the rights and the xlsx file does....


Comments (4)

z祗昰~ 2024-12-15 08:39:37

Have you tried setting the FileAccessSecurity explicitly? Maybe the files are not inheriting the ACL from the directory.

葬﹪忆之殇 2024-12-15 08:39:37

The app pool user can access the xlsx file because your console creates it directly under the readyfordownload folder.

The zip file, on the other hand, is first created in a temp folder and then copied to your folder. This means that the file permissions are wrongly set on the file.

  1. Make sure the IIS_IUSRS and DefaultAppPool users have access to your wwwroot.

  2. As scottm suggested, change your console code to give permissions to the IUSR and DefaultAppPool users on the zip file. Your code should read like:

        using System.IO;
        using System.Security.AccessControl;
        using Ionic.Zip;

        string path = "MyZipFile.zip";

        using (ZipFile zip = new ZipFile())
        {
            // add test.xlsx at the root of the archive and write it to disk
            zip.AddFile("test.xlsx");
            zip.Save(path);
        }

        // The saved file did not pick up the folder's ACL, so grant read access explicitly.
        // ReadAndExecute already includes Read.
        var accessControl = File.GetAccessControl(path);

        var fileSystemAccessRule = new FileSystemAccessRule(
                                    @"BUILTIN\IIS_IUSRS",
                                    FileSystemRights.ReadAndExecute,
                                    AccessControlType.Allow);

        var fileSystemAccessRule2 = new FileSystemAccessRule(
                                    @"IIS AppPool\DefaultAppPool",
                                    FileSystemRights.ReadAndExecute,
                                    AccessControlType.Allow);

        accessControl.AddAccessRule(fileSystemAccessRule);
        accessControl.AddAccessRule(fileSystemAccessRule2);

        File.SetAccessControl(path, accessControl);
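The answer above rests on one Windows ACL rule: a file created inside a folder receives that folder's inheritable ACEs at creation time, while a file that is created elsewhere and then moved onto the same volume is only renamed and keeps the DACL it already had, so the destination folder's ACEs are never applied to it. The following console program is an added example, not code from the question or any answer, and it uses plain text files instead of DotNetZip so it runs without the library. It shows both cases side by side and a fix that avoids hard-coding account names: turning inheritance back on for the moved file so it re-inherits from its new parent. The folder paths and the `IIS AppPool\Classic` account are assumptions; both folders must exist on the same NTFS volume, and the program needs .NET Framework 4.x on Windows (or the System.IO.FileSystem.AccessControl package on .NET 6+).

```csharp
// Added example; not part of the original question or answers.
// Assumes Windows, .NET Framework 4.x, an NTFS volume, and that the folders and the
// app pool account below exist. All three constants are assumptions.
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class MovedFileAclDemo
{
    // Assumed paths: both on the same volume, so File.Move is a rename, not copy+delete.
    const string TargetDir = @"C:\inetpub\wwwroot\readyfordownload";
    const string TempDir   = @"C:\Temp\zipbuild";
    // Assumed pool identity; use the pool that actually serves the site.
    const string PoolAccount = @"IIS AppPool\Classic";

    // True if the file's DACL carries an Allow ACE (explicit or inherited) for the
    // account that covers every requested right.
    public static bool HasAllow(string path, string account, FileSystemRights needed)
    {
        FileSecurity acl = File.GetAccessControl(path);
        foreach (FileSystemAccessRule rule in
                 acl.GetAccessRules(true, true, typeof(NTAccount)))
        {
            if (rule.AccessControlType == AccessControlType.Allow
                && rule.IdentityReference.Value.Equals(account, StringComparison.OrdinalIgnoreCase)
                && (rule.FileSystemRights & needed) == needed)
                return true;
        }
        return false;
    }

    // Case 1: create directly in the target folder. The new file gets the folder's
    // inheritable ACEs at creation time (the xlsx in the question).
    public static string CreateDirectly(string name)
    {
        string path = Path.Combine(TargetDir, name);
        File.WriteAllText(path, "payload");
        return path;
    }

    // Case 2: create in a temp folder, then move. A same-volume move is a rename, so
    // the file keeps the DACL it inherited from TempDir; the destination folder's
    // inheritable ACEs are not applied (the write-then-move zip pattern).
    public static string CreateThenMove(string name)
    {
        string tmp  = Path.Combine(TempDir, name);
        string dest = Path.Combine(TargetDir, name);
        File.WriteAllText(tmp, "payload");
        File.Move(tmp, dest);
        return dest;
    }

    // Fix: mark the file's DACL as not protected and persist it. Writing an
    // unprotected DACL makes Windows recompute the inherited ACEs from the file's
    // current parent, so the file ends up with TargetDir's permissions and no
    // principal names have to be hard-coded in the generator.
    public static void ReinheritFromFolder(string path)
    {
        FileSecurity acl = File.GetAccessControl(path);
        acl.SetAccessRuleProtection(isProtected: false, preserveInheritance: false);
        File.SetAccessControl(path, acl);
    }

    static void Main()
    {
        Directory.CreateDirectory(TempDir);
        FileSystemRights read = FileSystemRights.ReadAndExecute;

        string direct = CreateDirectly("direct.txt");
        Console.WriteLine("direct.txt : pool can read = " + HasAllow(direct, PoolAccount, read));

        string moved = CreateThenMove("moved.txt");
        Console.WriteLine("moved.txt  : pool can read = " + HasAllow(moved, PoolAccount, read));

        ReinheritFromFolder(moved);
        Console.WriteLine("moved.txt  : after re-inherit = " + HasAllow(moved, PoolAccount, read));
    }
}
```

Run it from the same account the console job uses; the second line will print false if the temp folder's ACL does not grant the pool anything, and the third line true once inheritance has been re-applied. Two practitioner caveats that apply whichever fix is chosen: the pool identity only needs ReadAndExecute on files it serves, so granting it Full Control on a web-served folder, as in the question, is wider than necessary (write access belongs to the process that generates the files, not to the one that serves them); and if the generator can instead write the archive directly into the destination folder, the file inherits correctly from the start and no ACL code is needed at all.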
上课铃就是安魂曲 2024-12-15 08:39:37

Check Windows EventLog for related errors. For detailed info use ProcessMonitor, so you can see if there is a problem with permissions.

哭泣的笑容 2024-12-15 08:39:37

Configure the security of the folder using the "Advanced Security Settings" property page (select Properties --> Security). Also note that the application pool can impersonate the user, so that the application may not be serving the request with the identity of the app pool. By default impersonation may not work. You have to set it explicitly in the web.config, e.g. <identity impersonate="true" /> or <identity impersonate="true" userName="domain\user" password="password" />

Sriwantha Sri Aravinda
