Using impersonation to allow writing to server directory?

Discussion in 'ASP .Net' started by darrel, Jun 14, 2005.

  1. darrel

    darrel Guest

    I'm struggling with an odd permissions problem I have with one of my
    functions. It takes a file, writes a directory, and then uploads some files
    to it. This works. Once. Any subsequent attempt at writing new files to the
    created directory results in an access denied error.

    Thanks to a script by Keith Brown, I was able to determine who my
    application was running as:

    > ======================================================
    >
    > Unmanaged Process Identity: mycomputerid\ASPNET
    > Unmanaged Thread Identity: mycomputerid\IUSR_mycomputerid
    > Client Identity (HttpContext.User): [anonymous]
    >
    > ======================================================


    The root folder I am writing to (and any child folder created by my script)
    has the ASPNET user given full permissions. I don't have IUSER set up on any
    of these folders.

    Should I have IUSER set up with write permissions? Or is this where I should
    consider using impersonation, and set up a new user just for writing to this
    one parent directory? The one catch is that impersonation seems to be at an
    application level...not an individual function level.

    -Darrel
     
    darrel, Jun 14, 2005
    #1

  2. Brock Allen

    Brock Allen Guest

    This tells me you have <identity impersonate="true" /> in your web.config.
    This says to impersonate on the thread during execution the identity IIS
    is using. IUSR_machine in your case, given that you must be allowing anonymous
    access.

    Ohh! You say it works once? This must mean you have the files left open?
    Meaning, you've forgotten to close them, perhaps?

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen



    > I'm struggling with an odd permissions problem I have with one of my
    > functions. It takes a file, writes a directory, and then uploads some
    > files to it. This works. Once. Any subsequent attempt at writing new
    > files to the created directory results in an access denied error.
    >
    > Thanks to a script by Keith Brown, I was able to determine who my
    > application was running as:
    >
    >> ======================================================
    >>
    >> Unmanaged Process Identity: mycomputerid\ASPNET
    >> Unmanaged Thread Identity: mycomputerid\IUSR_mycomputerid
    >> Client Identity (HttpContext.User): [anonymous]
    >> ======================================================
    >>

    > The root folder I am writing to (and any child folder created by my
    > script) has the ASPNET user given full permissions. I don't have IUSER
    > set up on any of these folders.
    >
    > Should I have IUSER set up with write permissions? Or is this where I
    > should consider using impersonation, and set up a new user just for
    > writing to this one parent directory? The one catch is that
    > impersonation seems to be at an application level...not an individual
    > function level.
    >
    > -Darrel
    >
     
    Brock Allen, Jun 14, 2005
    #2

  3. darrel

    darrel Guest

    > This tells me you have <identity impersonate="true" /> in your web.config.
    > This says to impersonate on the thread during execution the identity IIS
    > is using. IUSR_machine in your case, given that you must be allowing
    > anonymous access.


    Hmm...nope. No impersonation tag at all in my web.config file.

    > Ohh! You say it works once? This must mean you have the files left open?
    > Meaning, you've forgotten to close them, perhaps?


    Maybe? That was my original thought. Here are the two key lines in my
    function. The first creates the directory (if not created) and the second
    saves the files.

    system.IO.Directory.CreateDirectory(savePath)
    postedFile.SaveAs(savePath & strUploadFileName)


    The first time the function runs, the directory is created, and the file is
    uploaded. It's after that that I get denied access. Do I need to 'release'
    the new directory I create and the files I upload?

    Also, here's the full function if it is of any help:

    ------------------------------------------------------------------

    Private Sub uploadFile(fileToUpload As System.Web.HttpPostedFile)
        Dim saveVirtualPath As String = "/documents/forms/"
        Dim savePath As String = Server.MapPath(saveVirtualPath)

        'Append the category sub-directories to the base path
        If Trim(secondaryCategoryDirectory) <> "" Then
            savePath = savePath & fixName(primaryCategoryDirectory, "directory") _
                & "\" & fixName(secondaryCategoryDirectory, "directory")
        Else
            savePath = savePath & fixName(primaryCategoryDirectory, "directory")
        End If

        'Create the target directory if it does not exist yet
        If Not System.IO.Directory.Exists(savePath) Then
            Response.Write("<p>CREATING DIRECTORY</p>")
            System.IO.Directory.CreateDirectory(savePath)
        End If

        Dim strUploadFileName As String = ""

        'Make sure the path has a trailing slash
        If Right(savePath, 1) <> "\" Then savePath = savePath & "\"

        Try
            'Save some information from the upload and set up paths
            Dim postedFile As System.Web.HttpPostedFile = fileToUpload 'fileUpload_DOC.PostedFile
            Dim contentType As String = postedFile.ContentType
            Dim contentLength As Integer = postedFile.ContentLength
            strUploadFileName = _
                fixName(System.IO.Path.GetFileName(postedFile.FileName), "file")

            'clean up the filename
            strUploadFileName = fixName(strUploadFileName, "file")

            'save the file
            postedFile.SaveAs(savePath & strUploadFileName)

        Catch exc As System.Exception
            'exc.InnerException is Nothing for most I/O errors, so report exc.Message
            div_updateLog.Visible = True
            lbl_updateLog.Text = label_changeConfirmations.Text & _
                "<p><b>Failed</b> to upload the file <i>" & strUploadFileName & "</i>: " & _
                exc.Message & _
                "<br/>Please contact the system Administrator for help.</p>"
        End Try
    End Sub
     
    darrel, Jun 14, 2005
    #3
  4. Brock Allen

    Brock Allen Guest

    > Hmm...nope. No impersonation tag at all in my web.config file.

    Hmm, perhaps in a parent web.config?

    > The first time the function runs, the directory is created, and the file is
    > uploaded. It's after that that I get denied access. Do I need to
    > 'release' the new directory I create and the files I upload?


    Hmm, no; CreateDirectory should be sufficient.

    > system.IO.Directory.CreateDirectory(savePath)
    > postedFile.SaveAs(savePath & strUploadFileName)


    I'd debug just to make sure your filenames are correct. Also, consider using
    Path.Combine to merge the directory name and the filename.

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen
     
    Brock Allen, Jun 14, 2005
    #4
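Added example, not code from either poster: the Path.Combine suggestion above, applied to an upload path. Path.Combine returns its second argument unchanged when that argument is rooted, so the function keeps only the last component of the client file name and checks that the normalised result is still under the upload root. ResolveUploadPath, its parameters and the sample paths are hypothetical; .NET Framework 2.0 or later is assumed.

```vbnet
Imports System
Imports System.IO

Module UploadPaths

    ' Builds the save path for an upload and refuses any result outside rootDir.
    ' rootDir: physical upload root (for example from Server.MapPath)
    ' subDir: category folder; clientFileName: file name sent by the browser
    Public Function ResolveUploadPath(ByVal rootDir As String, ByVal subDir As String, _
                                      ByVal clientFileName As String) As String
        Dim root As String = Path.GetFullPath(rootDir)
        If Not root.EndsWith(Path.DirectorySeparatorChar.ToString()) Then
            root &= Path.DirectorySeparatorChar
        End If

        ' Keep only the last path component of what the client sent.
        Dim name As String = Path.GetFileName(clientFileName)
        If String.IsNullOrEmpty(name) Then
            Throw New ArgumentException("Upload has no file name.")
        End If

        ' Normalise the combined path, then confirm it still starts with the root.
        Dim full As String = Path.GetFullPath(Path.Combine(Path.Combine(root, subDir), name))
        If Not full.StartsWith(root, StringComparison.OrdinalIgnoreCase) Then
            Throw New UnauthorizedAccessException("Path is outside the upload root.")
        End If
        Return full
    End Function

    Sub Main()
        ' Constructed sample values.
        Dim root As String = "C:\inetpub\site\documents\forms"
        Console.WriteLine(ResolveUploadPath(root, "hr\benefits", "C:\Users\me\Desktop\form 12.pdf"))
        Try
            ResolveUploadPath(root, "..\..\bin", "form.pdf")
        Catch ex As UnauthorizedAccessException
            Console.WriteLine("rejected: " & ex.Message)
        End Try
    End Sub
End Module
```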
  5. darrel

    darrel Guest

    > Hmm, perhaps in a parent web.config?

    Nope.

    > I'd debug just to make sure your filenames are correct.


    Yep. I've done all that...response.writing every single string out.

    Also, I can upload fine to the root directory. It's only ones that my
    application creates that the access denied error happens.

    > Also, consider using
    > Path.Combine to merge the directory name and the filename.


    I'll try that!

    Otherwise, I think I'm going to set up a new user 'formUploads' and then
    have my application run as that user via impersonation. Does that sound like
    a valid solution?
     
    darrel, Jun 14, 2005
    #5
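Added diagnostic, not part of any post in this thread: it reports the account the calling thread runs as and lists the owner and access rules of a directory, so the root folder can be compared with a folder the application created. It assumes .NET Framework 2.0 or later (Directory.GetAccessControl); the module and function names are illustrative.

```vbnet
Imports System
Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal
Imports System.Text

Module UploadDirDiagnostics

    ' DOMAIN\name for a SID, or the raw SID string when it cannot be resolved.
    Private Function AccountName(ByVal id As IdentityReference) As String
        Try
            Return id.Translate(GetType(NTAccount)).Value
        Catch ex As IdentityNotMappedException
            Return id.Value
        End Try
    End Function

    ' Account of the calling thread: the impersonated account when
    ' impersonation is active, otherwise the process account.
    Public Function ThreadAccount() As String
        Return WindowsIdentity.GetCurrent().Name
    End Function

    ' Owner and every explicit and inherited access rule, one per line.
    Public Function DescribeAcl(ByVal dirPath As String) As String
        Dim sec As DirectorySecurity = Directory.GetAccessControl(dirPath)
        Dim sb As New StringBuilder()
        sb.AppendLine(dirPath)
        sb.AppendLine("  owner: " & AccountName(sec.GetOwner(GetType(SecurityIdentifier))))
        For Each rule As FileSystemAccessRule In sec.GetAccessRules(True, True, GetType(SecurityIdentifier))
            sb.AppendLine(String.Format("  {0,-5} {1}: {2} (inherited={3})", _
                rule.AccessControlType, AccountName(rule.IdentityReference), _
                rule.FileSystemRights, rule.IsInherited))
        Next
        Return sb.ToString()
    End Function

    Sub Main(ByVal args As String())
        ' args(0): upload root, args(1): a sub-folder the application created
        If args.Length < 2 Then
            Console.WriteLine("usage: UploadDirDiagnostics <rootDir> <createdDir>")
            Return
        End If
        Console.WriteLine("thread account: " & ThreadAccount())
        Console.WriteLine(DescribeAcl(args(0)))
        Console.WriteLine(DescribeAcl(args(1)))
    End Sub
End Module
```

Run from a console, ThreadAccount reports the logged-on user; to see the identity the upload runs under, call ThreadAccount and DescribeAcl from the page itself and write out the HTML-encoded result.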
  6. Brock Allen

    Brock Allen Guest

    > Otherwise, I think I'm going to set up a new user 'formUploads' and
    > then have my application run as that user via impersonation. Does that
    > sound like a valid solution?


    Well, it's still hard to tell what the exact problem is. I'd not want to
    give advice without knowing for sure.

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen
     
    Brock Allen, Jun 14, 2005
    #6
  7. darrel

    darrel Guest

    > Well, it's still hard to tell what the exact problem is.

    Hence my predicament. ;o)

    -Darrel
     
    darrel, Jun 14, 2005
    #7
  8. Brock Allen

    Brock Allen Guest

    Heh... sorry that my last post wasn't too helpful :(

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen



    >> Well, it's still hard to tell what the exact problem is.
    >>

    > Hence my predicament. ;o)
    >
    > -Darrel
    >
     
    Brock Allen, Jun 14, 2005
    #8