Re: Opening cmd.exe to IUSR_<machine>
From: Brad Watson (anonymous_at_discussions.microsoft.com)
Date: 01/29/04
- Previous message: David Wang [Msft]: "Re: Opening cmd.exe to IUSR_<machine>"
- In reply to: David Wang [Msft]: "Re: Opening cmd.exe to IUSR_<machine>"
Date: Wed, 28 Jan 2004 19:33:53 -0800
Thank you very much for the input.
However, adding read/execute permission
does enable me to execute the shell command
whereas without it, the command fails so
I think the permission I need is related
to cmd.exe. Also, I believe that I've already
got access to CreateProcess because I'm
able to launch new processes as long as
they don't contain redirecting or piping
commands such as > and |.
If I weren't to rename cmd.exe, is there any
other way I could use > and | from a public
CGI script without causing security problems?
I'm surprised this doesn't seem to have
been an issue to anyone in the past.
Brad
>-----Original Message-----
>The default ACLs on CMD.EXE (indeed, all of the command line EXE programs in
>the System32 directory) make it inaccessible to any user identity logged on
>by IIS except for administrators. This is intentional.
>
>Your code does not actually need access to the command shell. It needs
>access to the CreateProcess Win32 API call.
>
>Simply renaming cmd.exe is not security.
>
>--
>//David
>IIS
>This posting is provided "AS IS" with no warranties, and confers no rights.
>//
>"Brad Watson" <anonymous@discussions.microsoft.com> wrote in message
>news:009e01c3e569$46940b60$3501280a@phx.gbl...
>
>Hi,
>
>I'm developing a publicly accessible Perl CGI
>script that needs to run shell commands such as:
>
>my $suggestions = `echo misspelt | aspell.exe -a`;
>
>Perl requires use of cmd.exe in order to execute
>this command and on Windows 2003/IIS 6.0 this is
>not possible under the default security permissions
>since IUSR_<machine> doesn't have read/execute
>permission on cmd.exe.
>
>Since it would be a bad idea to grant
>IUSR_<machine> read/execute access on cmd.exe
>(please correct me if I'm wrong) I was thinking
>of making a copy of cmd.exe elsewhere in the
>file system and changing the permissions on
>the copy. If the copy was renamed then it seems
>unlikely that a malicious user could find it
>in order to exploit it.
>
>Any thoughts on this would be greatly appreciated.
>
>Cheers,
>
>Brad
>
>
>.
>
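
An added example, not part of the original posts or of any poster's code: one way to get the effect of `echo misspelt | aspell.exe -a` from Perl without a shell pipeline, by starting aspell through the core IPC::Open2 module in list form and writing the word to its standard input. It assumes aspell.exe is on the PATH and that the Perl build starts list-form commands directly rather than through cmd.exe; the helper names are hypothetical.

```perl
#!/usr/bin/perl
# Added example (not from the thread): run aspell with no shell pipeline.
use strict;
use warnings;
use IPC::Open2;

# Assumption: aspell.exe is on PATH; a fixed full path is safer in a CGI.
my $ASPELL = 'aspell.exe';

# Allow one plain word only, so request data never reaches a command line.
sub validate_word {
    my ($word) = @_;
    return unless defined $word && $word =~ /\A[A-Za-z']{1,64}\z/;
    return $word;
}

# Extract suggestions from "aspell -a" (ispell pipe format) output lines.
sub parse_suggestions {
    my (@lines) = @_;
    for my $line (@lines) {
        $line =~ s/\r?\n\z//;
        return [] if $line =~ /\A[*+-]/;    # word accepted as spelled
        return [] if $line =~ /\A#/;        # miss with no suggestions
        return [ split /,\s*/, $1 ] if $line =~ /\A&\s.*?:\s*(.+)\z/;
    }
    return [];
}

sub suggest {
    my ($raw) = @_;
    my $word = validate_word($raw);
    die "rejected input\n" unless defined $word;

    # List form: program and arguments are separate elements, so there is
    # no command string in which | or > could be interpreted.
    my $pid = open2(my $from_aspell, my $to_aspell, $ASPELL, '-a');
    print {$to_aspell} "^$word\n";    # "^" marks the line as text to check
    close $to_aspell;                 # EOF: no more input for aspell
    my @lines = <$from_aspell>;
    close $from_aspell;
    waitpid $pid, 0;
    die "aspell failed\n" if $? != 0;
    return parse_suggestions(@lines);
}

# Constructed sample input standing in for a CGI parameter.
print join(', ', @{ suggest('misspelt') }), "\n" unless caller;
```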