ASPNET User Problem in Shared Hosting Environment

From: Ely Lucas (ely@cmconline.com)
Date: 06/25/02


From: "Ely Lucas" <ely@cmconline.com>
Date: Tue, 25 Jun 2002 15:48:52 -0600


Hello,

I am trying to set up a win2k server that will be used for shared hosting
services, and am trying to figure out how asp.net is going to be able to run
securely on the server.

In the asp days, you would give each website its own IIS_User account to run
under, and give that user RWXD permission to its web root folder. You would
remove the Everyone group and also give the admin group full permission on
the folder. This would keep users who are developing apps that are going to
be hosted on that machine from poking around in each other's directories with
the file scripting object, include files, etc.

With asp.net, it seems like everything is run under the ASPNET user account.
The problem here being, the ASPNET account needs Read permission to every
site on the server so it can monitor file changes and such for the
framework.

When a user runs an aspx page, it runs under the ASPNET account that has
read permissions to everyone else's aspx pages. So anyone can do a <!--
#Include File="c:\inetpub\site1\allmylovelypasswords.aspx" --> into someone
else's directory and get their source code. And that is just the beginning...

I have messed around with impersonation, and set the machine.config up as
follows:

<identity impersonate="true" />

And when this happens, it seems like it is working, because when I do a

Response.write(WindowsIdentity.GetCurrent().Name)

it returns my IIS_User for that particular site that I have set up in the IIS
MMC. However, this site is still able to browse through and view any
resource on the hard drive that the ASPNET user has access to (which,
remember, has to be all the aspx pages on the entire server, the
Microsoft.NET folder, and more).

So, I guess what I am wondering is, what is the best practice for setting up
asp.net in a shared hosting environment? What are all the big hosts doing
out there? What does Microsoft have to say about this (there are no docs at
all in their web hoster program)?

Thanks,
Ely
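
The cross-site read exposure described in the post above can be checked from the folder ACLs. The following is an added example, not part of the original post: it parses a constructed, simplified cacls-style listing and reports every non-administrator account that can read more than one site root. The WEBHOST machine name, the site2 path and the IIS_User1/IIS_User2 account names are assumptions, and paths are assumed to contain no spaces.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified cacls style (not from the original post):
# a path line carries the first entry, indented lines carry the rest.
# Rights letters handled here: R read, C change, F full control.
SAMPLE = r"""
c:\inetpub\site1 BUILTIN\Administrators:(OI)(CI)F
                 WEBHOST\IIS_User1:(OI)(CI)C
                 WEBHOST\ASPNET:(OI)(CI)R
c:\inetpub\site2 BUILTIN\Administrators:(OI)(CI)F
                 WEBHOST\IIS_User2:(OI)(CI)C
                 WEBHOST\ASPNET:(OI)(CI)R
"""

# Optional path at column 0, then "principal:(flags)right".
ENTRY = re.compile(
    r"^(?P<path>\S+)?\s+(?P<who>[^:]+):(?:\([A-Z]+\))*(?P<right>[RCF])\s*$"
)


def parse_acls(listing):
    """Return {principal: set of site roots it can read}."""
    readable = defaultdict(set)
    path = None
    for line in listing.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # blank line, or an entry granting no read access
        path = m.group("path") or path  # continuation lines reuse the last path
        if path is not None:
            readable[m.group("who").strip()].add(path.lower())
    return readable


def shared_readers(listing, trusted=("BUILTIN\\Administrators",)):
    """Principals outside `trusted` that can read more than one site root."""
    return {
        who: sorted(paths)
        for who, paths in parse_acls(listing).items()
        if len(paths) > 1 and who not in trusted
    }


if __name__ == "__main__":
    for who, paths in shared_readers(SAMPLE).items():
        print(f"{who} can read {len(paths)} site roots: {', '.join(paths)}")
```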


