Using impersonation to allow writing to server directory?

darrel

I'm struggling with an odd permissions problem I have with one of my
functions. It takes a file, writes a directory, and then uploads some files
to it. This works. Once. Any subsequent attempt at writing new files to the
created directory results in an access denied error.

Thanks to a script by Keith Brown, I was able to determine who my
application was running as:
======================================================

Unmanaged Process Identity: mycomputerid\ASPNET
Unmanaged Thread Identity: mycomputerid\IUSR_mycomputerid
Client Identity (HttpContext.User): [anonymous]

======================================================

The root folder I am writing to (and any child folder created by my script)
has the ASPNET user given full permissions. I don't have IUSER set up on any
of these folders.

Should I have IUSER set up with write permissions? Or is this where I should
consider using impersonation, and set up a new user just for writing to this
one parent directory? The one catch is that impersonation seems to be at an
application level...not an individual function level.

-Darrel
 
Brock Allen

This tells me you have <identity impersonate=true /> in your web.config.
This says to impersonate on the thread during execution the identity IIS
is using. IUSR_machine in your case, given that you must be allowing anonymous
access.

Ohh! You say it works once? This must mean you have the files left open?
Meaning, you've forgotten to close them, perhaps?
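
Added example, not part of the original thread: a VB.NET helper that reproduces the process/thread identity report quoted in the question and lists the owner and access rules of the target folder. When the thread is impersonating, file access is checked against the thread identity, so that is the account the folder's rules have to cover. It assumes .NET Framework 2.0 or later; the names UploadDiagnostics and DescribeAccess are hypothetical.

```vb
Imports System
Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal
Imports System.Text

' Hypothetical helper module (added example, not code from the thread).
Public Module UploadDiagnostics
    ' Returns a text report: thread identity, process identity, and the
    ' owner plus every explicit or inherited access rule on directoryPath.
    Public Function DescribeAccess(ByVal directoryPath As String) As String
        Dim report As New StringBuilder()

        ' GetCurrent() returns the impersonation token when the thread has one.
        Dim threadIdentity As WindowsIdentity = WindowsIdentity.GetCurrent()
        report.AppendLine("Thread identity:  " & threadIdentity.Name)

        ' Impersonate(IntPtr.Zero) reverts to the process token until Undo().
        Dim ctx As WindowsImpersonationContext = WindowsIdentity.Impersonate(IntPtr.Zero)
        Try
            report.AppendLine("Process identity: " & WindowsIdentity.GetCurrent().Name)
        Finally
            ctx.Undo()
        End Try

        ' Reading the ACL needs the "read permissions" right for the thread
        ' identity; an UnauthorizedAccessException here is itself a finding.
        Dim acl As DirectorySecurity = Directory.GetAccessControl(directoryPath)
        report.AppendLine("Owner: " & acl.GetOwner(GetType(NTAccount)).ToString())

        For Each rule As FileSystemAccessRule In _
                acl.GetAccessRules(True, True, GetType(NTAccount))
            report.AppendLine(String.Format("{0,-40} {1,-6} {2} inherited={3}", _
                rule.IdentityReference.Value, rule.AccessControlType, _
                rule.FileSystemRights, rule.IsInherited))
        Next
        Return report.ToString()
    End Function
End Module
```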




 
darrel

> This tells me you have <identity impersonate=true /> in your web.config.
> This says to impersonate on the thread during execution the identity IIS
> is using. IUSR_machine in your case, given that you must be allowing anonymous
> access.

Hmm...nope. No impersonation tag at all in my web.config file.

> Ohh! You say it works once? This must mean you have the files left open?
> Meaning, you've forgotten to close them, perhaps?

Maybe? That was my original thought. Here are the two key lines in my
function. The first creates the directory (if not created) and the second
saves the files.

system.IO.Directory.CreateDirectory(savePath)
postedFile.SaveAs(savePath & strUploadFileName)


The first time the function runs, the directory is created, and the file is
uploaded. It's after that that I get denied access. Do I need to 'release'
the new directory I create and the files I upload?

Also, here's the full function if it is of any help:

------------------------------------------------------------------

Private Sub uploadFile(fileToUpload As System.Web.HttpPostedFile)
    Dim saveVirtualPath As String = "/documents/forms/"
    Dim savePath As String = Server.MapPath(saveVirtualPath)

    'Append the category sub-directories to the mapped root
    If Trim(secondaryCategoryDirectory) <> "" Then
        savePath = savePath & fixName(primaryCategoryDirectory, "directory") _
            & "\" & fixName(secondaryCategoryDirectory, "directory")
    Else
        savePath = savePath & fixName(primaryCategoryDirectory, "directory")
    End If

    'Create the target directory on first use
    If Not System.IO.Directory.Exists(savePath) Then
        Response.Write("<p>CREATING DIRECTORY</p>")
        System.IO.Directory.CreateDirectory(savePath)
    End If

    Dim strUploadFileName As String = ""

    'Make sure the path has a trailing slash
    If Right(savePath, 1) <> "\" Then savePath = savePath & "\"

    Try
        'Save some information from the upload and set up paths
        Dim postedFile As System.Web.HttpPostedFile = fileToUpload 'fileUpload_DOC.PostedFile
        Dim contentType As String = postedFile.ContentType
        Dim contentLength As Integer = postedFile.ContentLength
        strUploadFileName = _
            fixName(System.IO.Path.GetFileName(postedFile.FileName), "file")

        'clean up the filename
        strUploadFileName = fixName(strUploadFileName, "file")

        'save the file
        postedFile.SaveAs(savePath & strUploadFileName)

    Catch exc As System.Exception
        'InnerException is Nothing for most IO errors, so fall back to the exception itself
        Dim errorMessage As String = exc.Message
        If Not exc.InnerException Is Nothing Then errorMessage = exc.InnerException.Message
        div_updateLog.Visible = True
        lbl_updateLog.Text = label_changeConfirmations.Text & _
            "<p><b>Failed</b> to upload the file <i>" & strUploadFileName & "</i>: " & _
            errorMessage & _
            "<br/>Please contact the system Administrator for help.</p>"
    End Try
End Sub
 
Brock Allen

> Hmm...nope. No impersonation tag at all in my web.config file.

Hmm, perhaps in a parent web.config?

> The first time the function runs, the directory is created, and the file is
> uploaded. It's after that that I get denied access. Do I need to
> 'release' the new directory I create and the files I upload?

Hmm, no; CreateDirectory should be sufficient.

> system.IO.Directory.CreateDirectory(savePath)
> postedFile.SaveAs(savePath & strUploadFileName)

I'd debug just to make sure your filenames are correct. Also, consider using
Path.Combine to merge the directory name and the filename.
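
Added example, not code from the thread: one way to follow the Path.Combine suggestion for a path built from a category name and a client-supplied file name, with a check that the result stays under the upload root. It assumes .NET Framework 2.0 or later; UploadPaths, BuildSavePath and the parameter names are hypothetical.

```vb
Imports System
Imports System.IO

' Hypothetical helper module (added example, not code from the thread).
Public Module UploadPaths
    ' Builds <root>\<category>\<file name> and rejects any result that
    ' resolves to a location outside rootPath.
    Public Function BuildSavePath(ByVal rootPath As String, _
                                  ByVal category As String, _
                                  ByVal clientFileName As String) As String
        ' Browsers may send a full client-side path; keep only the last segment.
        Dim fileName As String = Path.GetFileName(clientFileName)
        If String.IsNullOrEmpty(fileName) Then
            Throw New ArgumentException("Empty file name.", "clientFileName")
        End If

        ' Normalise the root and make sure it ends with a separator so that
        ' "C:\forms" does not match "C:\forms-other" in the prefix check.
        Dim separator As String = Path.DirectorySeparatorChar.ToString()
        Dim root As String = Path.GetFullPath(rootPath)
        If Not root.EndsWith(separator) Then root = root & separator

        ' Path.Combine returns the second argument alone when it is rooted,
        ' and ".." segments survive it, so resolve the result before checking.
        Dim combined As String = Path.Combine(Path.Combine(root, category), fileName)
        Dim fullPath As String = Path.GetFullPath(combined)

        If Not fullPath.StartsWith(root, StringComparison.OrdinalIgnoreCase) Then
            Throw New UnauthorizedAccessException("Path escapes the upload root.")
        End If
        Return fullPath
    End Function
End Module
```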
 
darrel

> Hmm, perhaps in a parent web.config?

Nope.

> I'd debug just to make sure your filenames are correct.

Yep. I've done all that...response.writing every single string out.

Also, I can upload fine to the root directory. It's only ones that my
application creates that the access denied error happens.

> Also, consider using
> Path.Combine to merge the directory name and the filename.

I'll try that!

Otherwise, I think I'm going to set up a new user 'formUploads' and then
have my application run as that user via impersonation. Does that sound like
a valid solution?
 
Brock Allen

> Otherwise, I think I'm going to set up a new user 'formUploads' and
> then have my application run as that user via impersonation. Does that
> sound like a valid solution?

Well, it's still hard to tell what the exact problem is. I'd not want to
give advice without knowing for sure.
 
darrel

> Well, it's still hard to tell what the exact problem is.

Hence my predicament. ;o)

-Darrel
 
