The right use of <identity impersonate="true"/>

In my website, users who have logged in are able to change their profile pictures, and this process includes saving the uploaded image to a folder in the website's root directory.

When I tested it, I received an error saying that I should grant access to this specific folder using permissions.

I do not have control over the Control Panel; the one who does said that he did grant the Images folder READ and WRITE permissions for Others.

After testing it again, I got the same error once more, so I edited web.config and included:

<identity impersonate="true"/>

And now everything seems to work perfectly. BUT, what did I just do here? Is there any security risk? Did I grant anonymous access to my website for everyone?

Ali Bassam asked Jul 29 '13 12:07



2 Answers

BUT, what did I just do here?

You are now running your website under the identity of the client user.

Is there any security risk?

That would depend on the permissions that this account has on the server. Usually it is bad practice to run a website with accounts that have lots of privileges. Ideally you should configure your website to run under an account that you explicitly grant privileges to the required folders.

The problem with your approach is that if another user that doesn't have access to the specified folder visits your website, it won't work for him. If on the other hand this is expected behavior then you are probably fine by impersonating user identities.

Did I grant anonymous access to my website for everyone?

No, this has nothing to do with authentication.

Darin Dimitrov answered Oct 01 '22 15:10
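As an added example (not code from the question or either answer), here is a PowerShell check for the alternative this answer recommends: leave impersonation off and give write access on the upload folder to the application pool identity only. The pool name "MySite" and the folder path C:\inetpub\wwwroot\Images are assumptions.

```powershell
# Added example, not from the original post. Verifies whether the IIS
# application pool identity can already write to the upload folder; if not,
# grants Modify on that folder to the pool identity and nothing else.
# Assumed values: pool name "MySite", upload folder C:\inetpub\wwwroot\Images.
$poolName = 'MySite'
$folder   = 'C:\inetpub\wwwroot\Images'
$identity = "IIS AppPool\$poolName"   # virtual account IIS runs the pool under

$acl = Get-Acl -Path $folder
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write

# -eq is case-insensitive, so "IIS APPPOOL\MySite" as reported by Get-Acl matches.
$hasWrite = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $identity -and
    (($_.FileSystemRights -band $writeRights) -eq $writeRights)
}

if ($hasWrite) {
    Write-Host "$identity already has write access to $folder; impersonation is not needed for uploads."
} else {
    # (OI)(CI) make the grant inherit to files and subfolders; M = Modify.
    # Only the pool identity is touched, so the site keeps least privilege.
    icacls $folder /grant "${identity}:(OI)(CI)M"
    Write-Host "Granted Modify on $folder to $identity."
}
```

Run it in an elevated PowerShell on the web server; after the grant, the upload works with <identity impersonate="true"/> removed from web.config.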


What you have done is give the application rights to work under the logged-in user.

And there is a security risk for making impersonate true.

If you are on production, I would recommend that you read this article: http://support.microsoft.com/default.aspx?scid=kb;en-us;329290

"Using impersonation in the web.config allows you to override whatever identity was configured for the Application Pool the app is running under - it's just a more fine grained method to control identity ( on the app level vs. the ApplicationPool level), so you could have two apps run on the same AppPool, but one of them uses impersonation to use another identity." courtesy: App pool identity versus impersonation identity?

Nipun Ambastha answered Oct 01 '22 13:10