在父网站的文件夹结构的应用程序的程序池permisions [英] Application's AppPool permisions on parent Site folder structure

问题描述

对ApplicationHost.config上下文

 ＆LT;！ - 应用程序池 - ＆GT;
＆LT;添加名称=网站 - 内联网自动启动=真managedRuntimeVersion =V4.0/＆GT;
＆LT;添加名称=应用程序 -  App1的自动启动=真managedRuntimeVersion =V4.0/＆GT;
＆LT;添加名称=应用程序 -  App2的自动启动=真managedRuntimeVersion =2.0/＆GT;＆LT;！ - 网站 - ＆GT;
＆所述;网站名称=内部网ID =1serverAutoStart =真＆GT;
    ＆lt;应用路径=/applicationPool =网站 - 内联网＆GT;
        ＆LT; virtualDirectory路径=/physicalPath =D：\\网络\\网站\\内联网/＆GT;
    ＆LT; /用途＆gt;
    ＆lt;应用路径=/应用程序/ App1的applicationPool =应用程序 - 程序App1＆GT;
        ＆LT; virtualDirectory路径=/physicalPath =D：\\网络\\ APPS \\ App1的/＆GT;
    ＆LT; /用途＆gt;
    ＆lt;应用路径=/应用程序/ App2的applicationPool =应用程序 -  App2的＆GT;
        ＆LT; virtualDirectory路径=/physicalPath =D：\\网络\\ APPS \\ App2的/＆GT;
    ＆LT; /用途＆gt;
＆LT; /网站＆GT;
 

正如你所看到的，我有一个网站有自己的CLR 4.0应用程序池和认同，它承载两个独立的应用程序，每个都有自己的应用程序池和身份。所有这三个都沙箱到不同的文件系统位置。

的NTFS权限AppPoolIdentity帐户

权限必须考虑到每个AppPoolIdentity在其各自的文件夹（例如 IIS程序池\\网站 - 内联网需要在读/执行权限D： \\网络\\网站\\联网）。

在这一点上，应用程序App1不应该能够读取/执行文件，在它的父站点的物理文件夹结构。反之亦然，托管网站内联网应该不能够App1的物理文件夹结构中读取/执行的文件。 是我的理解是正确的？的

在我访问的子应用程序（例如的http：//联网/应用/ APP1 ）我得到了一个服务器错误，指出它无法读取父站点的的web.config 文件，因为没有足够的权限。

如果我承认了应用程序的标识帐户阅读父站点的物理文件夹结构（前/执行权限 IIS程序池\\应用程序 - 程序App1 进入 D：\\网络\\网站\\联网）的问题解决了。

问题（S）

1. 为什么孩子应用程序需要读取的web.config 或从父网站的任何其他文件？

   注意：我的父站点的web.config已经打破使用＆LT子应用程序/ VDIR继承;位置路径=。 inheritInChildApplications =false的方式＆gt; 技术




2. 由于这个身份帐户通过在多个文件夹性质写入权限 - <一个href=\"http://stackoverflow.com/questions/5437723/iis-apppoolidentity-and-file-system-write-access-permissions\">IIS AppPoolIdentity和文件系统的写访问权限 - 不这样引入安全风险？例如，不能任何儿童的应用程序现在可能写入父站点的App_Data文件夹或其他地方？

解决方案

有关＃1，子文件夹/应用程序在默认情况下继承父文件夹的web.config设置。我假设ASP.NET不会试图访问这些父web.config文件中前检查你的元素。对我来说很有意义，虽然这不是你想要的东西。

有关＃2，不要太肯定有。如果您的应用程序池标识是用户的一个成员（作为您的参考答案的状态），那么它也有读访问了很多地方，但不能写太多。什么提问说，有我就不会去了。不知道孩子写父文件夹。你应该能够阻止适当的文件系统权限（记住无论你的组应用程序池的身份的成员）。所以我不知道我从来没有过这种配置。

ApplicationHost.config Context

<!-- App Pool -->
<add name="Site - Intranet" autoStart="true" managedRuntimeVersion="v4.0" />
<add name="App - App1" autoStart="true" managedRuntimeVersion="v4.0" />
<add name="App - App2" autoStart="true" managedRuntimeVersion="v2.0" />

<!-- Site -->
<site name="Intranet" id="1" serverAutoStart="true">
    <application path="/" applicationPool="Site - Intranet">
        <virtualDirectory path="/" physicalPath="D:\Web\Sites\Intranet" />
    </application>
    <application path="/Apps/App1" applicationPool="Application - App1">
        <virtualDirectory path="/" physicalPath="D:\Web\Apps\App1" />
    </application>
    <application path="/Apps/App2" applicationPool="Application - App2">
        <virtualDirectory path="/" physicalPath="D:\Web\Apps\App2" />
    </application>
</site>

As you can see, I have one Site with its own 4.0 CLR app pool and identity, which hosts two separate Applications, each with their own app pools and identities. All three are sandboxed into separate file system locations.

NTFS Permissions for AppPoolIdentity Accounts

Permissions must be given to each AppPoolIdentity on its respective folder (ex. IIS AppPool\Site - Intranet needs Read/Execute permissions on D:\Web\Sites\Intranet).

At this point, Application App1 should not be able to read/execute files in it's parent Site's physical folder structure. And vice versa, the hosting Site Intranet should not be able to read/execute files within App1's physical folder structure. Am I understanding that right?

When I visit a child application (ex http://intranet/apps/app1) I get a server error stating that it cannot read the parent Site's web.config file due to insufficient permissions.

If I grant the Application's identity account read/execute permissions on the parent Site's physical folder structure (ex. IIS AppPool\App - App1 access to D:\Web\Sites\Intranet) the issue is resolved.

Question(s)

1. Why does the child Application need to read web.config or any other files from the parent site?

   Note: My parent site's web.config is already breaking child app/vdir inheritance using the <location path="." inheritInChildApplications="false"> technique.

2. Given that this identity account has by nature Write permissions on many folders - IIS AppPoolIdentity and file system write access permissions - doesn't this introduce a security risk? For instance, couldn't any child application now potentially write to the parent Site's App_Data folder or elsewhere?

解决方案

For #1, child folders/apps inherit the web.config settings of their parent folders by default. I would assume that ASP.NET doesn't check your element before trying to access those parent web.config files. Makes sense to me though it's not what you would want.

For #2, not too sure there. If your app pool identity is a member of users (as your references answer states) then it does have read access to lots of places, but not write to too many. I wouldn't go by what the questioner says there. Not sure about the child writing to parent folders. You should be able to block that with appropriate file system permissions (keeping in mind whatever groups your app pool identity is a member of). I've never had this config so I'm not sure.

这篇关于在父网站的文件夹结构的应用程序的程序池permisions的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！