Using impersonation to allow writing to server directory?


darrel

I'm struggling with an odd permissions problem I have with one of my
functions. It takes a file, writes a directory, and then uploads some files
to it. This works. Once. Any subsequent attempt at writing new files to the
created directory results in an access denied error.

Thanks to a script by Keith Brown, I was able to determine who my
application was running as:
======================================================

Unmanaged Process Identity: mycomputerid\ASPNET
Unmanaged Thread Identity: mycomputerid\IUSR_mycomputerid
Client Identity (HttpContext.User): [anonymous]

======================================================

The root folder I am writing to (and any child folder created by my script)
has the ASPNET user given full permissions. I don't have IUSER set up on any
of these folders.

Should I have IUSER set up with write permissions? Or is this where I should
consider using impersonation, and set up a new user just for writing to this
one parent directory? The one catch is that impersonation seems to be at an
application level...not an individual function level.

-Darrel
 
This tells me you have <identity impersonate="true" /> in your web.config.
This says to impersonate on the thread during execution the identity IIS
is using. IUSR_machine in your case, given that you must be allowing anonymous
access.

Ohh! You say it works once? This must mean you have the files left open?
Meaning, you've forgotten to close them, perhaps?

-Brock
DevelopMentor
http://staff.develop.com/ballen
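
On the question of scoping an identity change to a single function rather than the whole application, an added example (not code from this thread): when the thread is impersonating, as in the identity report above, `WindowsIdentity.Impersonate(IntPtr.Zero)` reverts to the process identity for one block and `Undo()` restores the impersonated one. It assumes the .NET Framework on Windows; `WriteAsProcessIdentity` and the temp path are hypothetical names.

```vbnet
Imports System
Imports System.IO
Imports System.Security.Principal

Public Module ScopedIdentity
    ' Hypothetical helper (not from the thread): performs one file write under
    ' the worker-process identity, then restores the thread's previous identity.
    ' Returns "threadUser -> processUser" so the switch can be logged.
    Public Function WriteAsProcessIdentity(ByVal fullPath As String, _
                                           ByVal data As Byte()) As String
        ' GetCurrent() reports the thread token while impersonating.
        Dim threadUser As String = WindowsIdentity.GetCurrent().Name

        ' Passing IntPtr.Zero is equivalent to Win32 RevertToSelf: the thread
        ' drops its impersonation token and runs as the process account.
        Dim ctx As WindowsImpersonationContext = _
            WindowsIdentity.Impersonate(IntPtr.Zero)
        Try
            Dim processUser As String = WindowsIdentity.GetCurrent().Name
            Directory.CreateDirectory(Path.GetDirectoryName(fullPath))
            ' Using closes the handle even on error, so no open file is left
            ' behind to block the next request.
            Using fs As New FileStream(fullPath, FileMode.Create, _
                                       FileAccess.Write, FileShare.None)
                fs.Write(data, 0, data.Length)
            End Using
            Return threadUser & " -> " & processUser
        Finally
            ' Always restore the original identity, including on exceptions,
            ' so the rest of the request does not run with the process account.
            ctx.Undo()
        End Try
    End Function

    Public Sub Main()
        ' Constructed sample target under the temp directory.
        Dim target As String = _
            Path.Combine(Path.GetTempPath(), "forms-demo\sample.txt")
        Dim payload As Byte() = System.Text.Encoding.UTF8.GetBytes("demo")
        Console.WriteLine(WriteAsProcessIdentity(target, payload))
    End Sub
End Module
```

Directories and files created inside the block are owned by the process account, so the ACL on the upload root only needs to grant that one account write access.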


 
> This tells me you have <identity impersonate="true" /> in your web.config.
> This says to impersonate on the thread during execution the identity IIS
> is using. IUSR_machine in your case, given that you must be allowing anonymous
> access.

Hmm...nope. No impersonation tag at all in my web.config file.

> Ohh! You say it works once? This must mean you have the files left open?
> Meaning, you've forgotten to close them, perhaps?

Maybe? That was my original thought. Here are the two key lines in my
function. The first creates the directory (if not created) and the second
saves the files.

system.IO.Directory.CreateDirectory(savePath)
postedFile.SaveAs(savePath & strUploadFileName)


The first time the function runs, the directory is created, and the file is
uploaded. It's after that that I get denied access. Do I need to 'release'
the new directory I create and the files I upload?

Also, here's the full function if it is of any help:

------------------------------------------------------------------

Private Sub uploadFile(fileToUpload As System.Web.HttpPostedFile)
    Dim saveVirtualPath As String = "/documents/forms/"
    Dim savePath As String = Server.MapPath(saveVirtualPath)

    If Trim(secondaryCategoryDirectory) <> "" Then
        savePath = savePath & fixName(primaryCategoryDirectory, "directory") _
            & "\" & fixName(secondaryCategoryDirectory, "directory")
    Else
        savePath = savePath & fixName(primaryCategoryDirectory, "directory")
    End If

    If System.IO.Directory.Exists(savePath) Then
        'do nothing
    Else
        Response.Write("<p>CREATING DIRECTORY</p>")
        System.IO.Directory.CreateDirectory(savePath)
    End If

    Dim strUploadFileName As String

    'Make sure the path has a trailing slash
    If Right(savePath, 1) <> "\" Then savePath = savePath & "\"

    Try
        'Save some information from the upload and set up paths
        Dim postedFile As System.Web.HttpPostedFile = fileToUpload 'fileUpload_DOC.PostedFile
        Dim contentType As String = postedFile.ContentType
        Dim contentLength As Integer = postedFile.ContentLength
        strUploadFileName = _
            fixName(System.IO.Path.GetFileName(postedFile.FileName), "file")

        'clean up the filename
        strUploadFileName = fixName(strUploadFileName, "file")

        'save the file
        postedFile.SaveAs(savePath & strUploadFileName)

    Catch exc As System.Exception
        'InnerException can be Nothing, so fall back to the exception's own message
        Dim detail As String = exc.Message
        If Not exc.InnerException Is Nothing Then detail = exc.InnerException.Message
        div_updateLog.Visible = True
        lbl_updateLog.Text = label_changeConfirmations.Text & _
            "<p><b>Failed</b> to upload the file <i>" & strUploadFileName & "</i>: " & _
            detail & _
            "<br/>Please contact the system Administrator for help.</p>"
    End Try
End Sub
 
> Hmm...nope. No impersonation tag at all in my web.config file.

Hmm, perhaps in a parent web.config?

> The first time the function runs, the directory is created, and the file is
> uploaded. It's after that that I get denied access. Do I need to
> 'release' the new directory I create and the files I upload?

Hmm, no; CreateDirectory should be sufficient.

> system.IO.Directory.CreateDirectory(savePath)
> postedFile.SaveAs(savePath & strUploadFileName)

I'd debug just to make sure your filenames are correct. Also, consider using
Path.Combine to merge the directory name and the filename.

-Brock
DevelopMentor
http://staff.develop.com/ballen
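
The Path.Combine suggestion above, as an added example that is not code from this thread: it joins category and file-name segments under the upload root and rejects any result that lands outside it. `ResolveUnderRoot`, the root path and the sample names are constructed for illustration; Windows path semantics and .NET Framework 2.0 or later are assumed.

```vbnet
Imports System
Imports System.IO

Public Module UploadPaths
    ' Hypothetical helper (not from the thread): joins untrusted segments under
    ' root and returns the full path, or throws if the result leaves root.
    Public Function ResolveUnderRoot(ByVal root As String, _
                                     ByVal ParamArray parts As String()) As String
        Dim rootFull As String = Path.GetFullPath(root)
        If Not rootFull.EndsWith(Path.DirectorySeparatorChar.ToString()) Then
            rootFull &= Path.DirectorySeparatorChar
        End If

        Dim combined As String = rootFull
        For Each part As String In parts
            If part Is Nothing OrElse part.Trim() = "" Then Continue For
            ' Path.Combine silently discards everything before a rooted
            ' segment ("C:\x", "\x"), so reject those up front.
            If Path.IsPathRooted(part) Then
                Throw New ArgumentException("Rooted segment rejected: " & part)
            End If
            combined = Path.Combine(combined, part)
        Next

        ' GetFullPath collapses "..\" so the prefix check sees the real target.
        Dim full As String = Path.GetFullPath(combined)
        If Not full.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase) Then
            Throw New ArgumentException("Path escapes upload root: " & full)
        End If
        Return full
    End Function

    Public Sub Main()
        Dim root As String = "C:\inetpub\wwwroot\documents\forms" ' constructed
        ' Constructed inputs: one normal upload, two that must be rejected.
        Dim names As String() = {"form1.pdf", "..\..\web.config", "C:\boot.ini"}
        For Each name As String In names
            Try
                Console.WriteLine(ResolveUnderRoot(root, "hr", "benefits", name))
            Catch ex As ArgumentException
                Console.WriteLine("rejected: " & ex.Message)
            End Try
        Next
    End Sub
End Module
```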
 
> Hmm, perhaps in a parent web.config?

Nope.

> I'd debug just to make sure your filenames are correct.

Yep. I've done all that...response.writing every single string out.

Also, I can upload fine to the root directory. It's only ones that my
application creates that the access denied error happens.

> Also, consider using
> Path.Combine to merge the directory name and the filename.

I'll try that!

Otherwise, I think I'm going to set up a new user 'formUploads' and then
have my application run as that user via impersonation. Does that sound like
a valid solution?
 
> Otherwise, I think I'm going to set up a new user 'formUploads' and
> then have my application run as that user via impersonation. Does that
> sound like a valid solution?

Well, it's still hard to tell what the exact problem is. I'd not want to
give advice without knowing for sure.

-Brock
DevelopMentor
http://staff.develop.com/ballen
 
> Well, it's still hard to tell what the exact problem is.

Hence my predicament. ;o)

-Darrel
 
