Re: ASPNET User Problem in Shared Hosting Environment
From: Arild Bakken (arildb_@hotmail.com)
Date: 07/28/02
- Next message: Michael Howard [MS]: "Re: CyrptProtectData"
- Previous message: Mr Snorkel: "Re: ASPNET User Problem in Shared Hosting Environment"
- In reply to: Mr Snorkel: "Re: ASPNET User Problem in Shared Hosting Environment"
- Next in thread: Mr Snorkel: "Re: ASPNET User Problem in Shared Hosting Environment"
- Reply: Mr Snorkel: "Re: ASPNET User Problem in Shared Hosting Environment"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Arild Bakken" <arildb_@hotmail.com> Date: Sun, 28 Jul 2002 14:51:55 +0200
Hi,
I really didn't doubt it, it just slipped my mind that it was just the
thread that was impersonated. I just did a test on this - everthing works
fine when setting proper security and enabling impersonation, but if my code
just issues a RevertToSelf(), it's running as the ASPNET account again.
I've been able to strip down the rights allocated to the ASPNET account on
the system so that it cannot access other customers' files, but it still
needs read access on the Web.Config file, and that still poses a security
issue. I'm sure if I dig even deeper there are more issues with the fact
that it's just impersonation and not a separate process.
But then again, the customers we are hosting are not allowed to add stuff
themselves to the server, and all updates and fixes are run through our
test-team before we deploy it to the servers, so if we just make sure that
they do all kinds of security tests, and also check for imports of external
dll methods, we might still be able to use this.
Thanks for the input.
Arild
"Mr Snorkel" <snorkelmeister@yahoo.com> wrote in message
news:bf7d325e.0207280332.d195836@posting.google.com...
> By the way, if you doubt this, check this out more-or-less from the
horse's mouth:
>
> http://www.asp.net/Forums/ShowPost.aspx?tabindex=1&PostID=4186
>
>
> "Arild Bakken" <arildb_@hotmail.com> wrote in message
news:<OuLXNxHNCHA.360@tkmsftngp13>...
> > I'm not sure I aggree on this. It's actually just a matter of
configuring
> > the system.config file aswell as setting security options on the
filesystem.
> >
> > We've done tests where one customer's ASP.NET application is unable to
> > access anything outside it's own folderstructure. This is done by using
the
> > impersonate="true" option for all applications, and giving the aspnet
> > account only read and listcontents permissions on the customers sites,
and
> > of course giving each customer their own IUSR account which has
permissions
> > on the customers' folderstructure, just as we did in the "old days" of
ASP.
> >
> >
> > Arild
> >
> > "Mr Snorkel" <snorkelmeister@yahoo.com> wrote in message
> > news:bf7d325e.0207251320.49d8d21d@posting.google.com...
> > > Exactly.
> > >
> > > It's time MS came clean about this. At present, it is not safe to run
> > > ASP.NET applications in any shared hosting environment. It is
> > > trivially easy to violate other sites' privacy if you're sharing a
> > > server with them. I'm amazed that this has still not become more
> > > widely known. Presumably MS are hoping that this will stay the case
> > > until the problems are fixed with a later version of the framework.
> > > But as things stand any business shared-hosting a .NET web application
> > > is in my opinion being negligently foolish.
> > >
> > > "M. Shawn Dillon" <nollids@moc.ovc-erutrepa> wrote in message
> > news:<ulbyvxgHCHA.1728@tkmsftngp09>...
> > > > From this I gather that shared hosting is not supported or
recommended
> > > > unless you are willing to give all of your customers the ability to
> > trash
> > > > your machine or other customer's sites. Trustworthy computing
indeed...
> > > >
> > > > "Ben Miller [MS]" <benmi@online.microsoft.com> wrote in message
> > > > news:#vgSaOZHCHA.1712@tkmsftngp08...
> > > > >
> > > >
> >
http://www.msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetse
> > > > > c/html/V1securitychanges.asp?frame=true
> > > > >
> > > > > Watch for URL wrap. This should give you an idea of what this is
all
> > about.
> > > > >
> > > > > Ben Miller
> > > > > This post is provided "AS IS" and confers no rights or warranties.
> > > > >
> > > > > "Ely Lucas" <ely@cmconline.com> wrote in message
> > > > > news:uhhpa6p7u09c2@corp.supernews.com...
> > > > > > Hello,
> > > > > >
> > > > > > I am trying to setup a win2k server that will be used for shared
> > hosting
> > > > > > services, and am trying to figure out how asp.net is going to be
> > able to
> > run
> > > > > > secure on the server.
> > > > > >
> > > > > > In the asp days, you would give each website its own IIS_User
> > account to
> > run
> > > > > > under, and give that user RWXD permission to it's web root
folder.
> > You
> > would
> > > > > > remove the Everyone group and also give the admin group full
> > permission
> > on
> > > > > > the folder. This would keep users who are developing apps that
are
> > going
> > to
> > > > > > be hosted on that machine from poking around in each others
> > directories
> > with
> > > > > > the file scripting object, include files, etc...
> > > > > >
> > > > > > With asp.net, it seems like everything is ran under the ASPNET
user
> > account.
> > > > > > The problem here being, the ASPNET account needs Read permission
to
> > every
> > > > > > site on the server so it can monitor file changes and such for
the
> > > > > > framework.
> > > > > >
> > > > > > When a user runs an aspx page, it runs under the ASPNET account
that
> > has
> > > > > > read permissions to everyone elses aspx pages. So anyone can do
a
> > <!--
> > > > > > #Include File="c:\inetpub\site1\allmylovelypasswords.aspx" -->
into
> > someone
> > > > > > elses directory and get their source code. And that is just the
> > beginning...
> > > > > >
> > > > > > I have messed around the Impersonation, and set the
machine.config
> > up as
> > > > > > follows:
> > > > > >
> > > > > > <identity impersonate="true" />
> > > > > >
> > > > > > And when this happens, it seems like it is working, because when
I
> > do a
> > > > > >
> > > > > > Response.write(WindowsIdentity.GetCurrent().Name)
> > > > > >
> > > > > > it returns my IIS_User for that particular site that I have
setup in
> > the
> > IIS
> > > > > > MMC. However, this site is still able to browse through and view
any
> > > > > > resource on the hard drive that the ASPNET user has access to
> > (which,
> > > > > > remember, has to be all the aspx pages on the entire server, the
> > > > > > Microsoft.NET folder, and more).
> > > > > >
> > > > > > So, I guess what I am wondering is, what is the best practice
for
> > > > setting
> > > > up
> > > > > > asp.net in a shared hosting environment? What are all the big
hosts
> > doing
> > > > > > out there? What does Microsoft have to say about this (there are
no
> > docs
> > at
> > > > > > all in their web hoster program)?
> > > > > >
> > > > > > Thanks,
> > > > > > Ely
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
- Next message: Michael Howard [MS]: "Re: CyrptProtectData"
- Previous message: Mr Snorkel: "Re: ASPNET User Problem in Shared Hosting Environment"
- In reply to: Mr Snorkel: "Re: ASPNET User Problem in Shared Hosting Environment"
- Next in thread: Mr Snorkel: "Re: ASPNET User Problem in Shared Hosting Environment"
- Reply: Mr Snorkel: "Re: ASPNET User Problem in Shared Hosting Environment"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
