Security problem when dynamically creating directories

Eran Kampf

I am trying to dynamically create directories in my ASP.NET application (I
am using Server.MapPath("/")+"test" as the folder)
and I am getting a DirectoryNotFoundException saying "Could not find a part
of the path "D:\".
My site is hosted on a public ISP that for obvious security reasons does not
allow me read access above my wwwroot folder which seems to be a problem
when trying to create directories...

Is there any way to solve this?
 
Sahil Malik

Certain ISPs won't let you touch the filesystem even in the wwwroot. Your
only option is to pretty much stick with the ISP's rules, be a good boy and
create your directories only within wwwroot.

Actually create them in a subdirectory within wwwroot, so that you can limit
write access control to only that subdir (and no code lives there).

- Sahil Malik
You can reach me thru my blog at
http://www.dotnetjunkies.com/weblog/sahilmalik
 
Eran Kampf

The following error is when trying to create a subdirectory under wwwroot
which is fine with the ISP....
It seems that the problem occurs because of ISP security above the wwwroot
level.

By the way,
The ISP support guy tried creating a directory using old asp (FileSystem
object) and had no problems...
 
YK

Hi Eran,

If you are sure that you can write to wwwroot using the old ASP approach
(possibly through FileSystemObject), you can try enabling impersonation for
your ASP.NET application. In fact, the default ASPNET account needs to
impersonate the client (or another account with higher access privilege on
wwwroot) in order for the file system to honour the NTFS permission.

Thanks,
YK
 
Nicole Calinoiu

Eran,

Server.MapPath("/") will return the path to the site root, which is not
necessarily the root folder of your application. You should have better
luck with Server.MapPath(null). In addition, the value returned may not
have a trailing backslash. To ensure proper path generation, use
Path.Combine rather than simple concatenation. e.g.:
System.IO.Path.Combine(Server.MapPath(null), "test").

If the above still doesn't work, have you tried simply writing the output
from Server.MapPath to an ASPX page so that you can view the value? Is the
returned value a path on which the execution context user should have
adequate permissions to perform the operations that you are attempting?

HTH,
Nicole
 
Eran Kampf

The path I am trying to create is correct.
I checked the knowledge base and I think the problem is due to the fact that
D is a mapped network drive while the asp.net worker process is a local user
that has no network access and thus cannot access the network drive.

If that is true then
1. How does creating a directory with the old ASP FileSystem object work fine?
2. How come creating\reading\writing files in existing directories works
fine?
 
Nicole Calinoiu

Eran Kampf said:
> The path I am trying to create is correct.
> I checked the knowledge base and I think the problem is due to the fact
> that D is a mapped network drive while the asp.net worker process is a
> local user that has no network access and thus cannot access the network
> drive.

If it's a mapped network drive, and you're trying to create directories
within your application folder, is your application folder running from this
mapped drive? If not, could you please provide the directory mapping for
your application and the target folders?

> If that is true then
> 1. How does creating a directory with the old ASP FileSystem object work fine?

For starters, it's most likely using a different user context.

> 2. How come creating\reading\writing files in existing directories works
> fine?

Without more information, all I could possibly do is make some rather wild
guesses. <g> It would really help if you could provide a relevant code
extract, indicating the line on which the exception is thrown and the
complete exception details.
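
Added example, not part of the original thread or any poster's code: a C# helper that combines the advice above by building the path with Path.Combine, keeping the new directory inside one dedicated writable subfolder, and reporting the resolved path and executing account when creation fails. The names SafeDirectories, CreateUnder, Describe and "userdata" are hypothetical, and the temp-folder application root in Main is a constructed stand-in for Server.MapPath(null).

```csharp
using System;
using System.IO;

// Added example. SafeDirectories, CreateUnder and "userdata" are hypothetical names.
public static class SafeDirectories
{
    // appRoot: in an ASP.NET page, pass Server.MapPath(null).
    // writableSubdir: the single folder under the app root that is granted write access.
    public static string CreateUnder(string appRoot, string writableSubdir, string name)
    {
        // Path.Combine handles a root with or without a trailing backslash.
        string baseDir = Path.GetFullPath(Path.Combine(appRoot, writableSubdir));
        string target = Path.GetFullPath(Path.Combine(baseDir, name));

        // A name with ".." or a rooted path must not resolve outside baseDir (Windows: ignore case).
        string prefix = baseDir.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        if (!target.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("Path escapes " + baseDir + ": " + target);

        try
        {
            Directory.CreateDirectory(target);
            return target;
        }
        catch (IOException ex) // includes DirectoryNotFoundException
        {
            throw new IOException(Describe(target), ex);
        }
        catch (UnauthorizedAccessException ex)
        {
            throw new IOException(Describe(target), ex);
        }
    }

    // Report the resolved path and the account the code runs as.
    private static string Describe(string target)
    {
        return "Cannot create '" + target + "' as user '" + Environment.UserName + "'";
    }

    public static void Main()
    {
        // Constructed stand-in for the application root so the example runs offline.
        string appRoot = Path.Combine(Path.GetTempPath(), "demo-approot");
        Console.WriteLine(CreateUnder(appRoot, "userdata", "test"));
        try { CreateUnder(appRoot, "userdata", Path.Combine("..", "..", "elsewhere")); }
        catch (ArgumentException ex) { Console.WriteLine("Rejected: " + ex.Message); }
    }
}
```

The wrapped exception message gives the two facts asked for in the replies above: the exact resolved path and the user context the code executes under.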
 
