IIS 7.5应用程序池标识权限不分配给文件夹,但应用程序仍然可以写入其文件夹? [英] IIS 7.5 App Pool Identity permission not assigned to folder, but application still can write to its folder?
问题描述
我们已经把现有的应用程序到一个新的R2服务器与IIS 7.5。
We've put an existing application to a new R2 server with IIS 7.5.
现在一切正常了,应用程序可以写入它的文件夹...但是我们想知道新的IIS如何...带有它创建每个应用程序的新的虚拟用户,所以它做的IIS应用程序池标识故事这一个。
Now everything works, and application can write to it's folders...but we are wondering how...new IIS comes with IIS Application Pool Identity story which creates a new virtual user for each application, and so it has done for this one.
这是在文档中表示,该用户必须以一切工作被分配到文件夹...但是对我们来说这不是?!仍然它的工作原理,通过该用户的应用程序可以访问?
It is stated in documentation that this user must be assigned to folders in order for everything to work...but in our case it's not?! And still it works, the application via that user has access?
某处在论坛上有人提到,这是因为在完全信任运行的应用程序可以写任何东西任何地方...但是,这没有意义? CAS在我所知道的不处理?
Somewhere on the forums someone mentioned that this is because applications running under Full trust can write anything anywhere...but that doesn't make sense? CAS in what I know does not handle this?
所以,IIS 7.5下如何与它自己池中的应用程序都在该文件夹的安全设置,它没有写权限?
So under IIS 7.5 how can an application with it's own pool have write permissions which it doesn't under security settings of the folder?
弗拉丹
推荐答案
修改
虽然我觉得我的概述如下是如何信任水平发挥到ASP.NET文件系统访问了很好的讨论,我觉得正确的答案原来的问题发布<一个href=\"http://stackoverflow.com/questions/5437723/iis-apppoolidentity-and-file-system-write-access\">here (是的,我不得不reask这个问题,添加了一点点更多信息)。基本上, AppPoolIdentity 用户也是用户组的成员,那就是用户如何写不同文件系统的区域。
While I feel what I outlined below is a good discussion of how trust levels play into file system access in ASP.NET, I feel the correct answer to the original question is posted here (yes, I had to reask this question with a little more information added). Basically, the AppPoolIdentity user is also a member of the Users group, and that is how that user can write to different areas of the file system.
原单答案
在IIS 7.5中创建一个新的应用程序池,AppPoolIdentity用户添加到 IIS_IUSRS 组。该集团拥有获得所有必要的文件和系统资源,使一个帐户,当加入到这个组,可以无缝地作为一个应用程序池标识(1)。在 IIS_IUSRS 组都有(外保护的文件夹,如C的写入权限绝大多数的文件系统:\\,C:\\用户,C:\\ Windows等)。不幸的是,我无法找到任何方式来明确地看到 IIS_IUSRS 组有权访问使用Windows资源管理器(修改给定文件夹:岗位上面提到概述了如何看这个访问)。然而,这种访问可以含蓄地试图写入该文件夹(这将导致一个前给予否认文件夹访问)。 IIS_IUSRS 组看到System.UnauthorizedAccessException的
When you create a new Application Pool in IIS 7.5, the AppPoolIdentity user is added to the IIS_IUSRS group. This group has "access to all the necessary file and system resources so that an account, when added to this group, can seamlessly act as an application pool identity" (1). The IIS_IUSRS group has permissions to write to the vast majority of the file system (outside of protected folders like C:\, C:\Users, C:\Windows, etc.). Unfortunately, I was unable to find any way to explicitly see that the IIS_IUSRS group has access to a given folder using Windows Explorer (edit: the post referenced above outlines how to "see" this access). However, this access can be seen implicitly by granting DENY access to the IIS_IUSRS group on a folder before attempting to write to that folder (which will cause a System.UnauthorizedAccessException).
在.NET信任级别也玩成权限。在IIS 7.5中,IIS AppPoolIdentity用户有权访问写入应用程序默认情况下运行的,如果Web应用程序是满的,高或中等信任下运行的文件夹中。当完全或高度信任下运行时,IIS AppPoolIdentity用户在默认情况下可以写入比像C文件夹以外的任何文件夹:\\,C:\\ Windows或C:\\用户(除非用户被授予那些文件夹特定的访问)。在中等信任级别中,IIS AppPoolIdentity用户仍然可以写入默认Web应用程序文件夹,但试图写入以下异常任何其他文件夹的结果:
The .NET Trust Levels also play into permissions. In IIS 7.5, the IIS AppPoolIdentity user has access to write to the folder the application is running out of by default if the web application is running under Full, High or Medium trust. When running under Full or High trust, the IIS AppPoolIdentity user by default can write to any folder other than folders like C:\, C:\Windows, or C:\Users (unless the user is granted specific access to those folders). At Medium trust level, the IIS AppPoolIdentity user can still write to the web application folder by default, but trying to write to any other folder results in the following exception:
System.Security.SecurityException:
申请类型的权限
System.Security.Permissions.FileIOPermission,
mscorlib程序,版本= 4.0.0.0,
文化=中立,
公钥= b77a5c561934e089'
失败了。
System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
试图写在低或最小的信任级别的任何文件时,会发生同样的异常。
The same exception occurs when trying to write to ANY file at Low or Minimal trust levels.
这是不是你想全部或高度信任下运行时访问一个文件的AppPoolIdentity用户没有访问时收到同样的错误。在这种情况下引发的异常是 System.UnauthorizedAccessException的,类似的消息:
This is not the same error you receive when trying to access a file the AppPoolIdentity user does not have access to when running under Full or High trust. The exception thrown in that case is a System.UnauthorizedAccessException, with a message similar to:
System.UnauthorizedAccessException的:
访问路径C:\\ test.txt的'是
被拒绝。
System.UnauthorizedAccessException: Access to the path 'C:\test.txt' is denied.
在中,低或最低信任级别CAS接管并拒绝访问该文件的创建方法,无论文件夹的权限。
At Medium, Low, or Minimal Trust Levels CAS takes over and denies access to the file creation methods, regardless of folder permissions.
简短的说,如果你想确保你的Web应用程序不能写入不是Web应用程序文件夹以外的任何文件夹,您需要设置在中等信任或更低来运行应用程序。如果这样做,那么你需要进行测试,以确保没有任何功能的应用需要执行需要比中等信任更大。
The short story is that if you want to make sure your web application cannot write to any folders other than the web application folder, you need to set the application to run under Medium trust or lower. If you do so, then you need to test to make sure that there are no functions the application needs to perform that require greater than Medium trust.
参考文献:
1 - <一个href=\"http://learn.iis.net/page.aspx/140/understanding-built-in-user-and-group-accounts-in-iis-7/\">http://learn.iis.net/page.aspx/140/understanding-built-in-user-and-group-accounts-in-iis-7/
2 - <一个href=\"http://technet.microsoft.com/en-us/library/dd163542.aspx\">http://technet.microsoft.com/en-us/library/dd163542.aspx
这篇关于IIS 7.5应用程序池标识权限不分配给文件夹,但应用程序仍然可以写入其文件夹?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
