Re: Opening cmd.exe to IUSR_<machine>

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 01/29/04 

Date: Wed, 28 Jan 2004 17:22:08 -0800

The default ACLs on CMD.EXE (indeed, all of the command line EXE programs in
the System32 directory) make it inaccessible to any user identity logged on
by IIS except for administrators. This is intentional.

Your code does not actually need access to the command shell. It needs
access to the CreateProcess Win32 API call.

Simply renaming cmd.exe is not security. 

-- 
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Brad Watson" <anonymous@discussions.microsoft.com> wrote in message
news:009e01c3e569$46940b60$3501280a@phx.gbl...
Hi,
I'm developing a publicly accessible Perl CGI
script that needs to run shell commands such as:
my $suggestions = `echo misspelt | aspell.exe -a`;
Perl requires use of cmd.exe in order to execute
this command and on Windows 2003/IIS 6.0 this is
not possible under the default security permissions
since IUSR_<machine> doesn't have read/execute
permission on cmd.exe.
Since it would be a bad idea to grant
IUSR_<machine> read/execute access on cmd.exe
(please correct me if I'm wrong) I was thinking
of making a copy of cmd.exe elsewhere in the
file system and changing the permissions on
the copy. If the copy was renamed then it seems
unlikely that a malicious user could find it
in order to exploit it.
Any thoughts on this would be greatly appreciated.
Cheers,
Brad

Relevant Pages

  • Re: Cannot run sdimgr.wsf on XPE Image
    ... > Try to specify the full paths for all the files in the command. ... >> I am trying to use sdimgr.wsf on a small XPE image. ... >> Both the sdimgr.wsf and sdiaut.dll are in the system32 directory which is in ...
    (microsoft.public.windowsxp.embedded)
  • Re: autoexec.nt elusive
    ... system32 directory, which should ferret out hidden files, but I only see ... It's a legacy file meant for ... place its shortcut into your Startup folder! ... command to run at boot time, ...
    (microsoft.public.win2000.general)
  • Re: Unable to access the DOS system32 subdirectory
    ... My problem is that my system32 directory ... This is a command prompt, ... Note that there is a Windows directory in your profile folder in Documents ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: Cannot run sdimgr.wsf on XPE Image
    ... Try to specify the full paths for all the files in the command. ... Any chance for you to monitor the launch with Filemon? ... > I am trying to use sdimgr.wsf on a small XPE image. ... > Both the sdimgr.wsf and sdiaut.dll are in the system32 directory which is in ...
    (microsoft.public.windowsxp.embedded)
  • Re: ubuntu-users Digest, Vol 47, Issue 208
    ... Superuser confusion or maybe critically confused ... "Permissions" appears nowhere in Nautilus, so far as I can tell. ... I am attempting to learn to use command line. ...
    (Ubuntu)