Re: ASPNET User Problem in Shared Hosting Environment

From: Mr Snorkel (snorkelmeister@yahoo.com)
Date: 07/28/02


From: snorkelmeister@yahoo.com (Mr Snorkel)
Date: 28 Jul 2002 04:32:27 -0700


By the way, if you doubt this, check this out more-or-less from the horse's mouth:

http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=4186

"Mr Snorkel" <snorkelmeister@yahoo.com> wrote in message

"Arild Bakken" <arildb_@hotmail.com> wrote in message news:<OuLXNxHNCHA.360@tkmsftngp13>...
> I'm not sure I agree on this. It's actually just a matter of configuring
> the system.config file as well as setting security options on the filesystem.
>
> We've done tests where one customer's ASP.NET application is unable to
> access anything outside its own folder structure. This is done by using the
> impersonate="true" option for all applications, and giving the aspnet
> account only read and listcontents permissions on the customers' sites, and
> of course giving each customer their own IUSR account which has permissions
> on the customers' folder structure, just as we did in the "old days" of ASP.
>
>
> Arild
>
> "Mr Snorkel" <snorkelmeister@yahoo.com> wrote in message
> news:bf7d325e.0207251320.49d8d21d@posting.google.com...
> > Exactly.
> >
> > It's time MS came clean about this. At present, it is not safe to run
> > ASP.NET applications in any shared hosting environment. It is
> > trivially easy to violate other sites' privacy if you're sharing a
> > server with them. I'm amazed that this has still not become more
> > widely known. Presumably MS are hoping that this will stay the case
> > until the problems are fixed with a later version of the framework.
> > But as things stand any business shared-hosting a .NET web application
> > is in my opinion being negligently foolish.
> >
> > "M. Shawn Dillon" <nollids@moc.ovc-erutrepa> wrote in message
> > news:<ulbyvxgHCHA.1728@tkmsftngp09>...
> > > From this I gather that shared hosting is not supported or recommended
> > > unless you are willing to give all of your customers the ability to trash
> > > your machine or other customers' sites. Trustworthy computing indeed...
> > >
> > > "Ben Miller [MS]" <benmi@online.microsoft.com> wrote in message
> > > news:#vgSaOZHCHA.1712@tkmsftngp08...
> > > >
> > > > http://www.msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/V1securitychanges.asp?frame=true
> > > >
> > > > Watch for URL wrap. This should give you an idea of what this is all about.
> > > >
> > > > Ben Miller
> > > > This post is provided "AS IS" and confers no rights or warranties.
> > > >
> > > > "Ely Lucas" <ely@cmconline.com> wrote in message
> > > > news:uhhpa6p7u09c2@corp.supernews.com...
> > > > > Hello,
> > > > >
> > > > > I am trying to set up a win2k server that will be used for shared hosting
> > > > > services, and am trying to figure out how asp.net is going to be able to
> > > > > run secure on the server.
> > > > >
> > > > > In the asp days, you would give each website its own IIS_User account to
> > > > > run under, and give that user RWXD permission to its web root folder. You
> > > > > would remove the Everyone group and also give the admin group full
> > > > > permission on the folder. This would keep users who are developing apps
> > > > > that are going to be hosted on that machine from poking around in each
> > > > > other's directories with the file scripting object, include files, etc...
> > > > >
> > > > > With asp.net, it seems like everything is run under the ASPNET user
> > > > > account. The problem here being, the ASPNET account needs Read permission
> > > > > to every site on the server so it can monitor file changes and such for
> > > > > the framework.
> > > > >
> > > > > When a user runs an aspx page, it runs under the ASPNET account that has
> > > > > read permissions to everyone else's aspx pages. So anyone can do a
> > > > > <!-- #Include File="c:\inetpub\site1\allmylovelypasswords.aspx" --> into
> > > > > someone else's directory and get their source code. And that is just the
> > > > > beginning...
> > > > >
> > > > > I have messed around with Impersonation, and set the machine.config up as
> > > > > follows:
> > > > >
> > > > > <identity impersonate="true" />
> > > > >
> > > > > And when this happens, it seems like it is working, because when I do a
> > > > >
> > > > > Response.write(WindowsIdentity.GetCurrent().Name)
> > > > >
> > > > > it returns my IIS_User for that particular site that I have set up in the
> > > > > IIS MMC. However, this site is still able to browse through and view any
> > > > > resource on the hard drive that the ASPNET user has access to (which,
> > > > > remember, has to be all the aspx pages on the entire server, the
> > > > > Microsoft.NET folder, and more).
> > > > >
> > > > > So, I guess what I am wondering is, what is the best practice for setting
> > > > > up asp.net in a shared hosting environment? What are all the big hosts
> > > > > doing out there? What does Microsoft have to say about this (there are no
> > > > > docs at all in their web hoster program)?
> > > > >
> > > > > Thanks,
> > > > > Ely
> > > > >
> > > >
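The per-site NTFS layout Arild describes above (impersonation on for every application, the ASP.NET worker account limited to read and list on each site, one account per customer with rights only on its own tree), written out as an added PowerShell example. This is not code from the thread or from Microsoft; the site root C:\inetpub\sites\<site>, the local ASPNET worker account and the IUSR_<site> account names are assumptions, and the per-site accounts are assumed to exist already. It applies the ACLs with icacls and then audits them with Get-Acl, flagging any customer account granted on another customer's folder, any Everyone grant, and any write right for the worker account.

```powershell
# Added example, not code from the thread. Per-site NTFS layout as Arild describes it:
# the ASP.NET worker account gets read+list only on every site, each customer gets
# its own account with modify rights on its own tree only, and inheritance is cut so
# Everyone/Users grants from the drive root do not leak in. Then verify with Get-Acl.
# Assumptions (hypothetical): sites live under C:\inetpub\sites\<site>, the worker
# account is the local ASPNET account, per-site accounts are named IUSR_<site> and
# already exist. Run elevated on a test machine; icacls ships with Windows.

$Root          = 'C:\inetpub\sites'
$WorkerAccount = "$env:COMPUTERNAME\ASPNET"
$Sites         = @('site1', 'site2')

function Set-SiteAcl {
    param([string]$Site)
    $path     = Join-Path $Root $Site
    $siteUser = "$env:COMPUTERNAME\IUSR_$Site"
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

    # /inheritance:r strips inherited ACEs; /grant:r replaces any explicit ACE for
    # the same principal. (OI)(CI) propagates the ACE to files and subfolders.
    icacls $path /inheritance:r | Out-Null
    icacls $path /grant:r 'BUILTIN\Administrators:(OI)(CI)F' `
                          "${WorkerAccount}:(OI)(CI)RX" `
                          "${siteUser}:(OI)(CI)M" | Out-Null
    icacls $path /remove Everyone | Out-Null
}

function Get-AclFindings {
    # Returns one object per ACE that violates the layout: a customer account on
    # another customer's folder, an Everyone grant, or write access for the worker.
    param([string[]]$SiteNames)
    $write    = [System.Security.AccessControl.FileSystemRights]::Write
    $findings = @()
    foreach ($s in $SiteNames) {
        $acl = Get-Acl -Path (Join-Path $Root $s)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id  = $ace.IdentityReference.Value
            $why = $null
            if ($id -eq 'Everyone') {
                $why = 'Everyone grant'
            }
            elseif ($id -eq $WorkerAccount -and (($ace.FileSystemRights -band $write) -ne 0)) {
                $why = 'worker account can write'
            }
            else {
                foreach ($other in $SiteNames) {
                    if ($other -ne $s -and $id -like "*\IUSR_$other") {
                        $why = "cross-site grant for $other"
                    }
                }
            }
            if ($why) {
                $findings += [pscustomobject]@{
                    Site = $s; Principal = $id; Rights = $ace.FileSystemRights; Problem = $why
                }
            }
        }
    }
    return $findings
}

foreach ($s in $Sites) { Set-SiteAcl -Site $s }
$findings = Get-AclFindings -SiteNames $Sites
if ($findings) { $findings | Format-Table -AutoSize; throw 'ACL layout check failed' }
'ACL layout OK'
```

The audit only proves the ACLs say what you intended; it does not close the gap Ely reports. NTFS rights bind a request only while it runs under the impersonated per-site token, and anything the framework itself reads as the worker account is readable from every site precisely because the worker account must be able to read every site. Whether a given page can reach other customers' files through the worker identity is a question to test with a page in one site attempting to read another site's folder, not something the ACL listing alone answers.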


