User Account Running at Application_end

[Alphonse Giambrone]

I have a small asp.net web app running on a shared host.
It uses a Jet (Access) database. I included a routine to compact the
database when the application_event fires if it has not been compacted for a
certain period of time.
A compact must be done into a new file. In other words mydb.mdb compacts
into mydb2.mdb.
The original file (mydb.mdb) then gets deleted and mydb2.mdb is renamed to
mydb.mdb. This routine works fine on another shared host.
On the shared host in question, I receive the error 'Access to the path
....mydb.mdb is denied' when trying to delete the file.
Tech support told me it was because I uploaded the file (mydb.mdb) via ftp
(or FrontPage) and it was therefore owned by the site owner account and not
the aspnet user account. Therefore the aspnet account did not have
permission to delete the file. That I should upload the file via script.
Ok, so I created an aspx page to upload the file > same problem.

I created an aspx page with a single button to run the code to perform the
compact and it works fine, repeatedly.
Unless, the routine has been run from the application_end event and when it
failed, it left behind the file mydb2.mdb.
In that case I receive the same error, except referring to the file
mydb2.mdb, which must be deleted before performing the compact.

So, it appears that if a file is created while the app is running, it can't
be deleted at app_end AND if a file is created at app_end it can't be
deleted when the app is running.

I do understand that once application_end fires, the request, response,
server, etc. objects are no longer valid.
Is it possible that once application_end fires a different user account
takes over from the aspnet account?? This would explain my dilemma.

TIA

 

[Ken Schaefer]

Hi,

What OS is the host running, and what version of the framework are they
using?

Cheers
Ken


: I have a small asp.net web app running on a shared host.
: It uses a Jet (Access) database. I included a routine to compact the
: database when the application_event fires if it has not been compacted for
a
: certain period of time.
: A compact must be done into a new file. In other words mydb.mdb compacts
: into mydb2.mdb.
: The original file (mydb.mdb) then gets deleted and mydb2.mdb is renamed to
: mydb.mdb. This routine works fine on another shared host.
: On the shared host in question, I receive the error 'Access to the path
: ...mydb.mdb is denied' when trying to delete the file.
: Tech support told me it was because I uploaded the file (mydb.mdb) via ftp
: (or FrontPage) and it was therefore owned by the site owner account and
not
: the aspnet user account. Therefore the aspnet account did not have
: permission to delete the file. That I should upload the file via script.
: Ok, so I created an aspx page to upload the file > same problem.
:
: I created an aspx page with a single button to run the code to perform the
: compact and it works fine, repeatedly.
: Unless, the routine has been run from the application_end event and when
it
: failed, it left behind the file mydb2.mdb.
: In that case I receive the same error, except referring to the file
: mydb2.mdb, which must be deleted before performing the compact.
:
: So, it appears that if a file is created while the app is running, it
can't
: be deleted at app_end AND if a file is created at app_end it can't be
: deleted when the app is running.
:
: I do understand that once application_end fires, the request, response,
: server, etc. objects are no longer valid.
: Is it possible that once application_end fires a different user account
: takes over from the aspnet account?? This would explain my dilemma.
:
: TIA
:
: --
:
: Alphonse Giambrone
: Email: a-giam at customdatasolutions dot us
:
:
:

 

[Alphonse Giambrone]

Thanks for the reply Ken.

Not 100% sure, but I believe they are running Win 2003.
I know IIS is v 6.0. Installed framework is 1.0 and 1.1.
My app is running under 1.1.
They finally confirmed that the files are owned by two different accounts.
One by IUSR... and the other by IPOOL...
They will not give either account full permissions for 'security' reasons.

Am I the only one who desires to compact a database periodically??

I thought about looking into impersonation, but they also severly limit
configuration options and that is not listed in their 'allowed' options.

Any suggestions on a work-around?

 

[Steven Cheng[MSFT]]

Hi Alphonse,

Regarding on your particular situation. Your web app is located on a shared
host and they have very restricted allow lists for doing many security
setting. As you mentioned that Impersonate is not allowed, I think
generally, all your asp.net code is running under the machine\aspnet(or
Networkservice for IIS6 win2k3 server) account. So I think we haven't any
better approaches rather than grant the machine\aspnet(NetworkService)
account sufficient permissions for the mdb file. My suggestion is you make
a certain sub dir(put the mdb files or other need high permission resources
in it) and ask the host provider whether they can help grant the sufficient
permissions on this sub dir to the machine\aspnet(or NetworkService)
folder. How do you think of this? Anyway, hope the security guys of the
host will allow this so that the problem can be avoided simply. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

 

[Alphonse Giambrone]

Thanks for the response Steven.

There is already only one folder that is allowed write permission.
The problem is that code runs under one account when the app is running and
code runs under a different account once application_end fires. Neither
account can delete files created by the other account.

How do others handle compacting a database on a shared host?

I understand security concerns, but is this host being too restrictive or am
I the one that is off-base in trying to supply a well-designed,
maintenance-free app?

 

[Steven Cheng[MSFT]]

Hi Alphonse,

I've tested locally on IIS5 machine ,and generally , when the asp.net web
application is running without impersonate, it'll always use the aspnet
process Account to execute. In win2k3 , it'll be the NetworkService
Account. However the IIS6 has another application isolate model other than
the processModel in asp.net, I'm not sure what mode is using via your host
provider. If the host provider is using Applicaiton Pool setting , not sure
whether he've done any customize on the accounts in the pool setting.
Anyway, since your particular situation that the host provider has highly
restrict limitations, I think you'd better change your solution (avoid the
application_end's different account) or contact the host provider to see
whether they can help.
Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

 

[Steven Cheng[MSFT]]

Hi Alphonse,

Have you got any further ideas on this issue? If you have anything unclear
or if there're anything else we can help, please feel free to post here.
Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

 

[Alphonse Giambrone]

Steven,

Thanks for the info.
Unless you have any more ideas, I am pretty much boxed in.
Application_end seems to be the only place it makes sense to try to compact
a database to be sure there are no active users.
The host has confirmed that the files are ownes by two different accounts.
I spoke to the account rep and so far they are offering no comprimise or
workaround.
This week I will start looking for a new host if they don't offer a
solution.
What I still find hard to believe is that I am the only person who has run
into this problem. It seems like such a basic function.
If anyone is interested, the host is Verio.

 

[Steven Cheng[MSFT]]

Hi Alphonse,

Thanks for the followup. Yes, sometimes the different webserver setting of
the hosts will result to different behavior when we want to do some
particular operations which need the support on the serverside
configuration. Currently we haven't any good ideas on this issue. Hope
you'll soon find a suitable host. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx