IIS 7.5 App Pool Identity permission not assigned to folder, but application still can write to its folder?

Tags:

asp.net

iis

We've put an existing application to a new R2 server with IIS 7.5.

Now everything works, and the application can write to its folders...but we are wondering how...the new IIS comes with the IIS Application Pool Identity story, which creates a new virtual user for each application, and so it has done for this one.

It is stated in the documentation that this user must be assigned to folders in order for everything to work...but in our case it's not?! And still it works, and the application has access via that user?

Somewhere on the forums someone mentioned that this is because applications running under Full trust can write anything anywhere...but that doesn't make sense? CAS, as far as I know, does not handle this?

So under IIS 7.5, how can an application with its own pool have write permissions which it doesn't have under the security settings of the folder?

Vladan

Vladan Strigo asked Nov 24 '10 14:11



1 Answer

EDIT:

While I feel what I outlined below is a good discussion of how trust levels play into file system access in ASP.NET, I feel the correct answer to the original question is posted here (yes, I had to re-ask this question with a little more information added). Basically, the AppPoolIdentity user is also a member of the Users group, and that is how that user can write to different areas of the file system.

ORIGINAL ANSWER:

When you create a new Application Pool in IIS 7.5, the AppPoolIdentity user is added to the IIS_IUSRS group. This group has "access to all the necessary file and system resources so that an account, when added to this group, can seamlessly act as an application pool identity" (1). The IIS_IUSRS group has permissions to write to the vast majority of the file system (outside of protected folders like C:\, C:\Users, C:\Windows, etc.). Unfortunately, I was unable to find any way to explicitly see that the IIS_IUSRS group has access to a given folder using Windows Explorer (edit: the post referenced above outlines how to "see" this access). However, this access can be seen implicitly by granting DENY access to the IIS_IUSRS group on a folder before attempting to write to that folder (which will cause a System.UnauthorizedAccessException).

The .NET Trust Levels also play into permissions. In IIS 7.5, the IIS AppPoolIdentity user has access to write to the folder the application is running out of by default if the web application is running under Full, High or Medium trust. When running under Full or High trust, the IIS AppPoolIdentity user by default can write to any folder other than folders like C:\, C:\Windows, or C:\Users (unless the user is granted specific access to those folders). At Medium trust level, the IIS AppPoolIdentity user can still write to the web application folder by default, but trying to write to any other folder results in the following exception:

System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

The same exception occurs when trying to write to ANY file at Low or Minimal trust levels.

This is not the same error you receive when trying to access a file the AppPoolIdentity user does not have access to when running under Full or High trust. The exception thrown in that case is a System.UnauthorizedAccessException, with a message similar to:

System.UnauthorizedAccessException: Access to the path 'C:\test.txt' is denied.

At Medium, Low, or Minimal Trust Levels CAS takes over and denies access to the file creation methods, regardless of folder permissions.

The short story is that if you want to make sure your web application cannot write to any folders other than the web application folder, you need to set the application to run under Medium trust or lower. If you do so, then you need to test to make sure that there are no functions the application needs to perform that require greater than Medium trust.

References:

1 - http://learn.iis.net/page.aspx/140/understanding-built-in-user-and-group-accounts-in-iis-7/

2 - http://technet.microsoft.com/en-us/library/dd163542.aspx

rsbarro answered Oct 08 '22 03:10
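Since the answer's point is that the AppPoolIdentity gets its rights indirectly, through IIS_IUSRS and Users rather than through an ACE naming it, the check a practitioner wants is to list every ACE on the web folder that reaches the pool identity through any of those principals and flag the ones that grant write. The script below is an added example, not code from the question or the answer; the folder path and pool name are placeholders to adjust.

```powershell
# Added example: which ACEs on a web folder let an application pool identity write?
# Path and pool name are assumed placeholders, not values from the original post.
param(
    [string]$Path        = 'C:\inetpub\wwwroot\MyApp',   # assumed application folder
    [string]$AppPoolName = 'MyAppPool'                   # assumed application pool name
)

# Principals through which an AppPoolIdentity can receive rights: the virtual
# account itself, the groups the answer names (IIS_IUSRS, Users), and the
# catch-all principals that include every authenticated account.
$principals = @(
    "IIS AppPool\$AppPoolName",
    'BUILTIN\IIS_IUSRS',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone'
)

# Rights that allow creating or changing files. ACLs carry these as combined
# flags (Modify and FullControl both include Write), so test with a bitwise AND.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

$acl = Get-Acl -Path $Path

# One row per relevant ACE. A Deny entry for any of these principals overrides
# an Allow, which is the effect the answer used to prove IIS_IUSRS had access.
$acl.Access |
    Where-Object { $principals -contains $_.IdentityReference.Value } |
    ForEach-Object {
        $hasWriteBits = ($_.FileSystemRights -band $writeMask) -ne 0
        [pscustomobject]@{
            Principal   = $_.IdentityReference.Value
            Type        = $_.AccessControlType          # Allow or Deny
            Rights      = $_.FileSystemRights
            Inherited   = $_.IsInherited                # came from a parent folder
            GrantsWrite = $hasWriteBits -and ($_.AccessControlType -eq 'Allow')
        }
    } | Format-Table -AutoSize
```

The listing only covers the principals named above; if the pool identity has been added to other local groups, extend `$principals` accordingly, and remember that an explicit Deny row for any listed principal wins over every Allow.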