Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

IIS 7.5 App Pool Identity permission not assigned to folder, but application still can write to its folder?

Tags:

asp.net

iis

We've put an existing application to a new R2 server with IIS 7.5.

Now everything works, and application can write to it's folders...but we are wondering how...new IIS comes with IIS Application Pool Identity story which creates a new virtual user for each application, and so it has done for this one.

It is stated in documentation that this user must be assigned to folders in order for everything to work...but in our case it's not?! And still it works, the application via that user has access?

Somewhere on the forums someone mentioned that this is because applications running under Full trust can write anything anywhere...but that doesn't make sense? CAS in what I know does not handle this?

So under IIS 7.5 how can an application with it's own pool have write permissions which it doesn't under security settings of the folder?

Vladan

like image 918
Vladan Strigo Avatar asked Nov 24 '10 14:11

Vladan Strigo

People also ask

How do you check application pool identity read access to the physical path?

Go to IIS Manager > Application Pools > Your domain's specific Application Pool > Advanced Settings. In Identity: click to change > Custom Account > Set > Enter User credentials from step 2, click OK and exit all.

1 Answers

EDIT:

While I feel what I outlined below is a good discussion of how trust levels play into file system access in ASP.NET, I feel the correct answer to the original question is posted here (yes, I had to reask this question with a little more information added). Basically, the AppPoolIdentity user is also a member of the Users group, and that is how that user can write to different areas of the file system.

ORGINAL ANSWER:

When you create a new Application Pool in IIS 7.5, the AppPoolIdentity user is added to the IIS_IUSRS group. This group has "access to all the necessary file and system resources so that an account, when added to this group, can seamlessly act as an application pool identity" (1). The IIS_IUSRS group has permissions to write to the vast majority of the file system (outside of protected folders like C:\, C:\Users, C:\Windows, etc.). Unfortunately, I was unable to find any way to explicitly see that the IIS_IUSRS group has access to a given folder using Windows Explorer (edit: the post referenced above outlines how to "see" this access). However, this access can be seen implicitly by granting DENY access to the IIS_IUSRS group on a folder before attempting to write to that folder (which will cause a System.UnauthorizedAccessException).

The .NET Trust Levels also play into permissions. In IIS 7.5, the IIS AppPoolIdentity user has access to write to the folder the application is running out of by default if the web application is running under Full, High or Medium trust. When running under Full or High trust, the IIS AppPoolIdentity user by default can write to any folder other than folders like C:\, C:\Windows, or C:\Users (unless the user is granted specific access to those folders). At Medium trust level, the IIS AppPoolIdentity user can still write to the web application folder by default, but trying to write to any other folder results in the following exception:

System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

The same exception occurs when trying to write to ANY file at Low or Minimal trust levels.

This is not the same error you receive when trying to access a file the AppPoolIdentity user does not have access to when running under Full or High trust. The exception thrown in that case is a System.UnauthorizedAccessException, with a message similar to:

System.UnauthorizedAccessException: Access to the path 'C:\test.txt' is denied.

At Medium, Low, or Minimal Trust Levels CAS takes over and denies access to the file creation methods, regardless of folder permissions.

The short story is that if you want to make sure your web application cannot write to any folders other than the web application folder, you need to set the application to run under Medium trust or lower. If you do so, then you need to test to make sure that there are no functions the application needs to perform that require greater than Medium trust.

References:

1 - http://learn.iis.net/page.aspx/140/understanding-built-in-user-and-group-accounts-in-iis-7/

2 - http://technet.microsoft.com/en-us/library/dd163542.aspx

like image 139
rsbarro Avatar answered Oct 08 '22 03:10

rsbarro
Sign in to Comment

Related questions

Running Phantomjs using C# to grab snapshot of webpage
Posting data to asp.net Web API
EF Core and big traffic leads to max pool size was reached error
Why microsoft made JavaScriptSerializer obsolete prior to .net 3.5 SP1 and again active after that?
What are best practices for ASP.NET application deployment
Is it possible to recycle IIS application pools without losing user sessions?
jQuery modal dialog with postbacks in ASP.NET
Chrome showing "canceled" on successful file download (200 status)
how to deny user to access sub folders and file?
How to allow CORS for ASP.NET WebForms endpoint?
How to send multipart/form-data to ASP.NET Core Web API?
How Do You Communicate Service Layer Messages/Errors to Higher Layers Using MVP?
How can I protect my ASP.Net Source Code From My Developers
DOM Exception: INVALID_CHARACTER_ERR (5) [closed]
What does "cannot be marshaled by the runtime marshaler" mean?
Identity cookie loses custom claim information after a period of time
Does .NET Task.Result block(synchronously) a thread [duplicate]
How do you prevent the IIS default site web.config file being inherited by virtual directories?
How to decide which is right, WebForms or MVC when doing ASP.NET
Home Automation Library [closed]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!