File Permissions and Impersonation

Steve Winter

Hi,

We have a number of websites running on an IIS6 server all running under
their own separate Anonymous Web account and ASP.Net is configured to
Impersonate this account for each site for file system security reasons. The
problem comes however when one client needs to write files to their folders
and we receive the following error:

Server Error in '/' Application.
--------------------------------------------------------------------------------

Could not find a part of the path "c:\".
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information
about the error and where it originated in the code.

Exception Details: System.IO.DirectoryNotFoundException: Could not find a
part of the path "c:\".

I can get around this error by adding read permissions for all folders from
the drive root to the website directory i.e. c:\ and c:\websites and
c:\website1 but this means that the client is now able to read the complete
file structure to their website and other sites! Does anyone know of a
way of resolving this security issue?

Thanks - Steven
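
Added example, not part of the original thread: a PowerShell check for the exposure described in the question. It lists the Allow ACEs a per-site account holds on each folder from the site directory up to the drive root and shows whether each one flows down to child folders. The site path and the account name are assumptions (placeholders), not values confirmed by the post.

```powershell
# Assumed values, not taken from the thread: adjust to the site being checked.
$SitePath = 'C:\websites\website1'
$Account  = 'WEBSRV\IUSR_website1'   # placeholder per-site anonymous account

function Get-AncestorAce {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Account
    )
    $dir = Get-Item -LiteralPath $Path
    while ($null -ne $dir) {
        $acl = Get-Acl -Path $dir.FullName
        foreach ($ace in $acl.Access) {
            # Only ACEs naming the account itself; rights that arrive through
            # groups (Users, Everyone, ...) have to be checked separately.
            if ($ace.IdentityReference.Value -ne $Account) { continue }
            if ($ace.AccessControlType -ne 'Allow') { continue }
            New-Object PSObject -Property @{
                Folder          = $dir.FullName
                Rights          = $ace.FileSystemRights
                Inherited       = $ace.IsInherited
                # InheritanceFlags 'None' means "this folder only"
                FlowsToChildren = ($ace.InheritanceFlags -ne 'None')
            }
        }
        $dir = $dir.Parent   # $null once the drive root has been processed
    }
}

$aces = @(Get-AncestorAce -Path $SitePath -Account $Account)
$aces | Format-Table Folder, Rights, Inherited, FlowsToChildren -AutoSize

# An ACE set explicitly on a folder above the site that flows to children is
# picked up by sibling site folders unless they block inheritance.
$siteFull = (Get-Item -LiteralPath $SitePath).FullName
$exposed = @($aces | Where-Object {
    $_.Folder -ne $siteFull -and $_.FlowsToChildren -and -not $_.Inherited
})
if ($exposed.Count -gt 0) {
    Write-Warning "ACEs for $Account above the site root that propagate downward:"
    $exposed | ForEach-Object { Write-Warning ("  {0}: {1}" -f $_.Folder, $_.Rights) }
}
```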
 
Hi!

I'm sure you have your reasons for impersonating some other anonymous user
than the default one...
Can you configure the page that has to read something from C: to run under
the privileges of a more privileged user?
Check out the information here about configuring single pages:
http://msdn.microsoft.com/library/en-us/cpgenref/html/gngrflocationelement.asp?frame=true
Here for impersonation:
http://msdn.microsoft.com/library/en-us/cpgenref/html/gngrfIdentitySection.asp?frame=true
And here on how to put the password in secure storage:
http://support.microsoft.com/default.aspx?scid=kb;en-us;329290

HTH,
Lars-Erik
 
Basically all I want to do is to make sure that the one website can write to
its own folders but for some strange reason I'm getting ACCESS DENIED
errors (using FileMon to debug) for all directories from the drive root to
the website itself. I would have thought that just providing Write access to
the relevant folder in the website should be enough without having to give
read access as well to all folders up from the website to the drive root?!
 
OK, I think you might get what you want if you remove all impersonation
(don't use <impersonate> in web.config) and then give the ASPNET user write
access on the folder in question.

Lars-Erik
 