I could really use someone else's help. I have a script that has you log in as a user. The user is NOT an account on the Windows 2003 server. I guess this user is just an IUSR. The user name and password exist in the script itself. Now... This script works for thousands of people, so it has to be permissions and not the script. The folder hierarchy goes something like this: web.sites/digitalpoint/www/ and inside the www folder you have the entire website and all its subfolders, e.g. /images, /archives, /whatever. In this case the folder is called b.news.letter, which is located on the root of the website. Within this folder is a folder called "tmp", so the actual path would be d:/web.sites/digitalpoint/www/b.news.letter/tmp. There are also a couple of other folders. One is called d:/web.sites/digitalpoint/www/b.news.letter/backups, the other d:/web.sites/digitalpoint/www/b.news.letter/public/images. I need to allow 777 or full access to the IUSR or maybe not account so that it has the ability to write to these locations. I have tried giving IUSR Full Control and applying the permission within those folders. It does not work. Can someone make heads or tails outta this for me? I am just not sure what I should do. I have tried to create an account for the user, and then apply full control permission to that user on those folders. Nada. My next test was to see if I create that user and grant that user read permissions on the www folder so that the user can see the folder and then say... I see you, what can I get into, and then add FC to the /tmp folder. Maybe? I really need this fixed ASAP. I have something I MUST do shortly and this is really holding me up. I am not one of those people that say help I need help fast. This is just something where I have tried what I know and I just cannot figure out the puzzle. And yes, this really needs to be done now. I appreciate any help I can get. Thanks in advance. Kind regards, Liquidfrog PS: This was the reply from the script writer:
Not a Windows user. Either way, I think I know what the problem is. It doesn't look like the tmp directory (D:/web.sites/digitalpoint/www/b.news.letter/tmp) is writable by PHP. In Linux / UNIX I would tell you to chmod that directory to 777; however, on Windows I'm not exactly sure what you have to do. It's probably something simple, like right clicking on that tmp directory and allowing anyone to write to it or something like that. Either way, that's all you need to do to get it to work. The reason I am 99% sure this is what the problem is, is because I give you three options to import (XLS, CSV, and CSV Text) and all of them give similar problems. "Cannot open the temp file for writing in the temp directory." Let me know what you think. You probably already know how to easily make that tmp directory writeable by PHP. Also, while you're at it... the following directories need to be writable by PHP: /backups /tmp /public/images Here's another permissions error with the backup file: "The backup attempt failed. Is the backups directory writeable by PHP?"
IUSR_machinename is still a user and must have a valid password (by default IIS manages this user's password). It all depends on what kind of object you use for writing. For example, if you want to use a server-side object, like FileSystemObject, folder permissions are all that matter. If you want to use an HTTP method, like PUT, you will need to enable write permissions in the IIS admin applet (this will be a huge security risk, though - I would recommend against this). Finally, if you use some third-party tool, like ASP upload, all will depend on whether you are running in the IIS5 compatibility mode (in which case the actual user will be IWAM_machinename) or in the IIS6 mode (may be IUSR or Network Service). Making a directory writable under the web root is a big security risk - if somebody manages to create their file in there, they will be able to run arbitrary COM objects on your system and make other system calls. J.D.
Hello, Thanks for the quick reply. Yes, IUSR does have a password and that was the account I was using to give full permission on the folder. I have to assume that no one will know where the /tmp folder is, so the security risk is minimal, but I hear you nonetheless. The script itself basically allows me to IMPORT from a local XLS file the name and email address of users. In this case I assume that I am doing this as the script's login userid and password, but still acting as an IUSR since I am an arbitrary remote user who just happens to have the ID and password for the script. I do use MMC to access what I need to. I am not a GURU but I consider myself a very advanced user. I just cannot figure this out. Maybe I should sleep on it. I am using PHP here, so it is actually a hypertext preprocessor. Since I have already tried the IUSR and the System account already has FC, what do you think I should try next? I know it is hard to respond here, but maybe some ideas will spark some of my own. Kind regards, Liquifrog
Wrong assumption. It's called forceful browsing and there are dozens upon dozens of directory names used by attack tools. If you need to do something like this, validate the submitted content and only allow writing into this directory, not full control. If you don't want the general public (i.e. the anonymous user) to be able to write in this directory, it's actually simpler to configure - remove IUSR from this directory and allow only the designated user to write in this directory. In this case when you request a page from this directory, you will be prompted for a password. Turn on login auditing and see in the event log who's trying to log in. You can turn on auditing on files and see who's trying to access files and who's failing. This should get you started. J.D.
Quote: "If you don't want the general public (i.e. the anonymous user) to be able to write in this directory, it's actually simpler to configure - remove IUSR from this directory and allow only the designated user to write in this directory. In this case when you request a page from this directory, you will be prompted for a password." The question here is WHO is the designated user? There is no Windows user account for the login ID of the script. The designated user to me here is PHP. No? Quote: "Turn on login auditing and see in the event log who's trying to log in. You can turn on auditing on files and see who's trying to access files and who's failing. This should get you started." This provides me no results. I already have the auditing set to failure, success for that. Basically no one is trying to log in and no one is failing to execute. (sigh) Hmmmmmmmm... Thanks again.
IIS uses system users, so create any user using computer administration tools and remove IUSR from the directory's ACL. If you are using IE, you can go with NTLM authentication. If any other browser, it will have to be clear text (beware of eavesdroppers). IIS caches logins; you need to restart IIS to be able to see logins. As for files, there are two places - one in the local policies and the other one is the actual audit attributes on files. Another useful thing is to run a test CGI script and get the environment - this should give you the actual user name. Finally, if you are using .NET, you can call one of the functions to figure out the name. J.D.
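
The test-script idea from the last reply, sketched in PHP as an added example that is not part of the thread or of the newsletter script: it shows which identity hints IIS passes to PHP and runs a real create/write/delete probe in each of the three directories the script writer listed. It assumes PHP 5.2 or later (for error_get_last) and the paths quoted in the first post; the file name and the probe_dir helper are hypothetical.

```php
<?php
// Added diagnostic (not from the thread). Request it through IIS so it runs
// under the same identity as the import script, then delete it from the site.
header('Content-Type: text/plain');

// Directories the script writer listed as needing write access.
$base = 'D:/web.sites/digitalpoint/www/b.news.letter';
$dirs = array("$base/tmp", "$base/backups", "$base/public/images");

// Try a real create/write/delete cycle: the ACL decides the outcome,
// and the PHP warning text says why a step failed.
function probe_dir($dir)
{
    if (!is_dir($dir)) {
        return 'missing or not reachable by this identity';
    }
    $file = $dir . '/probe_' . uniqid() . '.txt';
    $fh = @fopen($file, 'wb');
    if ($fh === false) {
        $err = error_get_last();
        return 'create FAILED: ' . ($err ? $err['message'] : 'unknown error');
    }
    $written = fwrite($fh, "probe\n");
    fclose($fh);
    $deleted = @unlink($file);
    if ($written === false) {
        return 'created, but write FAILED';
    }
    return $deleted ? 'create/write/delete OK'
                    : 'write OK, delete FAILED (remove ' . $file . ' by hand)';
}

// Identity hints. AUTH_USER and LOGON_USER are IIS server variables;
// both empty means the request was served as the anonymous user.
foreach (array('AUTH_USER', 'LOGON_USER') as $key) {
    $val = isset($_SERVER[$key]) ? $_SERVER[$key] : '';
    echo $key . ': ' . ($val === '' ? '(empty)' : $val) . "\n";
}
// The process environment may not match an impersonated request identity,
// so treat this as a hint; the probe below is the authoritative check.
$envUser = getenv('USERNAME');
echo 'USERNAME (process environment): ' . ($envUser ? $envUser : '(not set)') . "\n";
echo 'PHP ' . PHP_VERSION . ' via ' . php_sapi_name() . "\n\n";

foreach ($dirs as $dir) {
    echo $dir . ' => ' . probe_dir($dir) . "\n";
}
```

A failed probe names the directory whose ACL still blocks the account PHP runs as; that account needs write access on those three directories only, not full control, as advised earlier in the thread.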