Understanding IIS6 permissions, ACL, and identity--how can I restrict access?

Question

When an ASP.NET application is running under IIS6.0 in Windows 2003 Server with impersonation, what user account is relevant for deciding file read/write/execute access privileges? I have two scenarios where I am trying to understand what access to grant/revoke. I thought the most relevant user is probably the identity specified in the Application Pool, but that doesn't seem to be the whole story.

The first issue concerns executing a local batch file via System.Diagnostics.Process.Start()--I can't do so when the AppPool is set to IWAM_WIN2K3WEB user, but it works fine if it is set to the Network Service identity. I of course made sure that the IWAM user has execute rights on the file.

The second involves writing to a file on the local hard drive--I'd like to be able to prevent doing so via the access control list via folder properties, but even when I set up all users in the folder as "read" (no users/groups with "write" at all), our ASP.NET still writes out the file no problem. How can it if it doesn't have write access?

Google search turns up bits and pieces but never the whole story.

Answer

what user account is relevant for [..] file read/write/execute access

As a rule: Always the user account the application/page runs under.

The IWAM account is pretty limited. I don't think it has permissions to start an external process. File access rights are irrelevant at this point.

If a user account (Network Service in your case) owns a file (i.e. has created it), it can do anything to this file, even if not explicitly allowed. Check who owns your file.

Process Monitor from Microsoft is a great tool to track down subtleties like this one.
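A small diagnostic you can drop into the application to answer both questions from the thread above (which account the page actually runs as, and who owns the file that keeps getting written); this is added example code, not from the question or answer, and the file path is a constructed placeholder.

```csharp
// Added diagnostic example (not part of the original Q&A). Call
// AclDiagnostics.Report() from a test page and write the string to the response.
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Text;
using System.Web;

public static class AclDiagnostics
{
    // Constructed placeholder; point this at the file your page writes.
    const string TargetFile = @"C:\inetpub\wwwroot\MyApp\App_Data\output.txt";

    public static string Report()
    {
        var sb = new StringBuilder();

        // 1. The account the code runs under. With <identity impersonate="true">
        //    this is the impersonated caller (IUSR_* for anonymous requests);
        //    without impersonation it is the application pool identity.
        WindowsIdentity thread = WindowsIdentity.GetCurrent();
        sb.AppendLine("Thread identity : " + thread.Name);
        sb.AppendLine("Impersonating   : " + (WindowsIdentity.GetCurrent(true) != null));
        if (HttpContext.Current != null)
            sb.AppendLine("HTTP user       : " + HttpContext.Current.User.Identity.Name);

        // 2. Owner and DACL of the target file. A file the application created is
        //    owned by that account; the owner implicitly holds READ_CONTROL and
        //    WRITE_DAC, so it can re-grant itself write access regardless of the
        //    visible entries. Check the Owner line before trusting the ACL view.
        FileSecurity fs = File.GetAccessControl(TargetFile);
        sb.AppendLine("Owner           : " + fs.GetOwner(typeof(NTAccount)));
        foreach (FileSystemAccessRule rule in fs.GetAccessRules(true, true, typeof(NTAccount)))
            sb.AppendLine("  " + rule.AccessControlType + " " + rule.IdentityReference
                          + " : " + rule.FileSystemRights);

        // 3. Empirical write test under the current token, so the ACL reading
        //    can be compared with what actually happens.
        try
        {
            using (FileStream f = File.Open(TargetFile, FileMode.Append, FileAccess.Write))
                sb.AppendLine("Write test      : allowed");
        }
        catch (UnauthorizedAccessException)
        {
            sb.AppendLine("Write test      : denied");
        }
        return sb.ToString();
    }
}
```

Run it once with the AppPool on IWAM_WIN2K3WEB and once on Network Service to see the identity and write result change together.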
