
security issue IIS7.5 / IIS APPPOOL\user not authorized but has full control?

It seems I have a strange issue with security:

I have a website with the following folders:

  • inetpub\wwwroot
  • inetpub\wwwroot\readyfordownload

The IIS APPPOOL\Classic user has full access to this 'readyfordownload' folder.

Now I have a console app that creates a zip file in the readyfordownload folder. This is done from a C# classlib. Strangely enough, the IIS APPPOOL user cannot access this file, even though it has full control over the folder. Also, the classlib first creates an xlsx file that is later added to the zip. The APPPOOL user does have access to the xlsx file.

If I run the same function in the C# classlib from a code behind in the website, the same zipfile is created and the IIS APPPOOL user CAN access the file....

Any ideas?

The zip is created like this (not the actual code, but it is the same), using http://dotnetzip.codeplex.com/:

    using Ionic.Zip;

    using (ZipFile zip = new ZipFile())
    {
        // add the xlsx file to the zip archive
        zip.AddFile("test.xlsx");
        // write the archive to disk
        zip.Save("MyZipFile.zip");
    }

OS is Windows 2008 R2 web server. ZIP library is DotNetZip (Ionic).

Update: I am most interested in why the ZIP file does not get the rights and the xlsx file does.

Pleun asked Jan 01 '26 01:01


2 Answers

Have you tried setting the FileAccessSecurity explicitly? Maybe the files are not inheriting the ACL from the directory.

scottm answered Jan 02 '26 14:01


The apppool user can access the xlsx file because your console creates it directly under the readyfordownload folder.

The zip file, on the other hand, is first created in a temp folder and then copied to your folder. This means that the file permissions are wrongly set on the file.

  1. Make sure IIS_IUSR and DefaultAppPool users have access on your wwwroot.

  2. As scottm suggested, change your console code to give permissions to the IUSR and DefaultAppPool users on the zip file. Your code should read like:

        using System.IO;
        using System.Security.AccessControl;
        using Ionic.Zip;

        const string zipPath = "MyZipFile.zip";

        using (ZipFile zip = new ZipFile())
        {
            // add the xlsx file to the zip archive and write it to disk
            zip.AddFile("test.xlsx");
            zip.Save(zipPath);

            // read the ACL the saved zip file currently carries
            var accessControl = File.GetAccessControl(zipPath);

            // allow read access for the IIS worker process group
            var fileSystemAccessRule = new FileSystemAccessRule(
                                        @"BUILTIN\IIS_IUSRS",
                                        FileSystemRights.Read | FileSystemRights.ReadAndExecute,
                                        AccessControlType.Allow);

            // allow read access for the application pool identity
            var fileSystemAccessRule2 = new FileSystemAccessRule(
                                        @"IIS AppPool\DefaultAppPool",
                                        FileSystemRights.Read | FileSystemRights.ReadAndExecute,
                                        AccessControlType.Allow);

            accessControl.AddAccessRule(fileSystemAccessRule);
            accessControl.AddAccessRule(fileSystemAccessRule2);

            // write the updated ACL back to the zip file (the original passed an undefined 'path')
            File.SetAccessControl(zipPath, accessControl);
        }
    
Cosmin Onea answered Jan 02 '26 15:01
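
Added example (not code from either answer or from DotNetZip): the explanation above rests on a file keeping the ACL it was created with when it is moved from a temp folder into the served folder. This C# program shows the file's ACEs after such a move and again after re-enabling inheritance from the destination folder, which avoids hard-coding account names in an explicit rule. Assumptions: .NET Framework, a hypothetical target folder passed as the first argument, and that folder being on the same volume as %TEMP%.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class MovedFileAclDemo
{
    // List every ACE on the file and whether it is inherited or explicit.
    static void DumpAcl(string label, string path)
    {
        FileSecurity acl = File.GetAccessControl(path);
        Console.WriteLine("{0}: inheritance blocked = {1}", label, acl.AreAccessRulesProtected);
        foreach (FileSystemAccessRule ace in acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
            Console.WriteLine("  {0} {1} {2} inherited={3}",
                ace.IdentityReference, ace.AccessControlType, ace.FileSystemRights, ace.IsInherited);
    }

    // Remove explicit ACEs and let the file inherit from its current parent folder.
    static void ResetToInherited(string path)
    {
        FileSecurity acl = File.GetAccessControl(path);
        acl.SetAccessRuleProtection(false, false);   // unprotect the DACL: allow inheritance
        foreach (FileSystemAccessRule ace in acl.GetAccessRules(true, false, typeof(SecurityIdentifier)))
            acl.RemoveAccessRule(ace);               // drop explicit ACEs only
        File.SetAccessControl(path, acl);            // inherited ACEs are recomputed on write
    }

    static void Main(string[] args)
    {
        // Assumption: args[0] is the web-served folder (hypothetical default below), on the
        // same volume as %TEMP%; a cross-volume move is a copy and inherits at creation.
        string targetDir = args.Length > 0 ? args[0] : @"C:\inetpub\wwwroot\readyfordownload";
        string tempFile = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
        string finalFile = Path.Combine(targetDir, "acl-demo.bin");

        File.WriteAllBytes(tempFile, new byte[] { 0x50, 0x4B });  // constructed sample content
        if (File.Exists(finalFile)) File.Delete(finalFile);
        File.Move(tempFile, finalFile);   // same-volume move keeps the file's security descriptor

        DumpAcl("after move", finalFile);   // ACEs still reflect the temp folder
        ResetToInherited(finalFile);
        DumpAcl("after reset", finalFile);  // ACEs now come from targetDir
    }
}
```

Run it under the same account as the console app; if the "after move" listing lacks the app pool identity and the "after reset" listing includes it, the move is what dropped the folder's permissions.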