Re: ASPNET User Problem in Shared Hosting Environment
From: M. Shawn Dillon (nollids@moc.ovc-erutrepa)
Date: 06/27/02
From: "M. Shawn Dillon" <nollids@moc.ovc-erutrepa> Date: Thu, 27 Jun 2002 14:57:54 -0400
From this I gather that shared hosting is not supported or recommended
unless you are willing to give all of your customers the ability to trash
your machine or other customers' sites. Trustworthy computing indeed...
"Ben Miller [MS]" <benmi@online.microsoft.com> wrote in message
news:#vgSaOZHCHA.1712@tkmsftngp08...
> http://www.msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/V1securitychanges.asp?frame=true
>
> Watch for URL wrap. This should give you an idea of what this is all about.
>
> Ben Miller
> This post is provided "AS IS" and confers no rights or warranties.
>
> "Ely Lucas" <ely@cmconline.com> wrote in message
> news:uhhpa6p7u09c2@corp.supernews.com...
> > Hello,
> >
> > I am trying to set up a win2k server that will be used for shared hosting
> > services, and am trying to figure out how asp.net is going to be able to
> > run secure on the server.
> >
> > In the asp days, you would give each website its own IIS_User account to
> > run under, and give that user RWXD permission to its web root folder. You
> > would remove the Everyone group and also give the admin group full
> > permission on the folder. This would keep users who are developing apps
> > that are going to be hosted on that machine from poking around in each
> > other's directories with the file scripting object, include files, etc...
> >
> > With asp.net, it seems like everything is run under the ASPNET user
> > account. The problem here being, the ASPNET account needs Read permission
> > to every site on the server so it can monitor file changes and such for
> > the framework.
> >
> > When a user runs an aspx page, it runs under the ASPNET account that has
> > read permissions to everyone else's aspx pages. So anyone can do a
> > <!-- #Include File="c:\inetpub\site1\allmylovelypasswords.aspx" -->
> > into someone else's directory and get their source code. And that is just
> > the beginning...
> >
> > I have messed around with the Impersonation, and set the machine.config
> > up as follows:
> >
> > <identity impersonate="true" />
> >
> > And when this happens, it seems like it is working, because when I do a
> >
> > Response.write(WindowsIdentity.GetCurrent().Name)
> >
> > it returns my IIS_User for that particular site that I have set up in the
> > IIS MMC. However, this site is still able to browse through and view any
> > resource on the hard drive that the ASPNET user has access to (which,
> > remember, has to be all the aspx pages on the entire server, the
> > Microsoft.NET folder, and more).
> >
> > So, I guess what I am wondering is, what is the best practice for
> > setting up asp.net in a shared hosting environment? What are all the big
> > hosts doing out there? What does Microsoft have to say about this (there
> > are no docs at all in their web hoster program)?
> >
> > Thanks,
> > Ely
> >
> >
> >
> >
>
>
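An added example, not part of the original posts: a PowerShell check for the condition described in the quoted question, where one account (ASPNET there) holds read access on more than one site's root folder. The function names, the `WEB01` machine name, the one-folder-per-site layout and the sample records are assumptions constructed for illustration.

```powershell
using namespace System.Security.AccessControl

# Collect every ACE on each site folder directly under $Root
# (assumed layout: one folder per hosted site).
function Get-SiteAce {
    param([Parameter(Mandatory)] [string] $Root)
    Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
        $site = $_.Name
        (Get-Acl -LiteralPath $_.FullName).Access | ForEach-Object {
            [pscustomobject]@{
                Site     = $site
                Identity = $_.IdentityReference.Value
                Rights   = $_.FileSystemRights
                Type     = [string]$_.AccessControlType
            }
        }
    }
}

# Report identities (other than the ignored administrative ones) whose Allow
# ACEs include read access on more than one site folder.
function Get-SharedReadIdentity {
    param(
        [Parameter(Mandatory)] [object[]] $Ace,
        [string[]] $Ignore = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    $readBit = [int][FileSystemRights]::ReadData
    $Ace |
        Where-Object { $_.Type -eq 'Allow' -and $Ignore -notcontains $_.Identity } |
        Where-Object { ([int]$_.Rights -band $readBit) -ne 0 } |
        Group-Object -Property Identity |
        ForEach-Object {
            $sites = @($_.Group.Site | Sort-Object -Unique)
            if ($sites.Count -gt 1) {
                [pscustomobject]@{ Identity = $_.Name; Sites = $sites -join ', ' }
            }
        }
}

# Constructed sample records: per-site accounts plus one shared worker account.
$sample = @(
    [pscustomobject]@{ Site = 'site1'; Identity = 'WEB01\IIS_Site1'; Rights = [FileSystemRights]::Modify; Type = 'Allow' }
    [pscustomobject]@{ Site = 'site1'; Identity = 'WEB01\ASPNET'; Rights = [FileSystemRights]::ReadAndExecute; Type = 'Allow' }
    [pscustomobject]@{ Site = 'site2'; Identity = 'WEB01\IIS_Site2'; Rights = [FileSystemRights]::Modify; Type = 'Allow' }
    [pscustomobject]@{ Site = 'site2'; Identity = 'WEB01\ASPNET'; Rights = [FileSystemRights]::ReadAndExecute; Type = 'Allow' }
    [pscustomobject]@{ Site = 'site2'; Identity = 'BUILTIN\Administrators'; Rights = [FileSystemRights]::FullControl; Type = 'Allow' }
)
Get-SharedReadIdentity -Ace $sample
# On a server: Get-SharedReadIdentity -Ace (Get-SiteAce -Root 'C:\inetpub')
```

Inheritance-only ACEs that carry generic rights values are not matched by the `ReadData` bit test, so treat an empty result as a prompt to inspect those entries by hand.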