Re: IIS 6 and system's object namespace



On Oct 28, 11:12 pm, "Roger Abell [MVP]" <mvpNoS...@xxxxxxx> wrote:
> "David Wang" <w3.4...@xxxxxxxxx> wrote in message
> news:1193544076.689868.13760@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
> > On Oct 26, 2:19 pm, "Roger Abell [MVP]" <mvpnos...@xxxxxxx> wrote:
> > > This is perhaps a bit extreme, but I wonder if anyone might have a hint on this.
> > >
> > > I have to support multiuser/multiowner webs in multiple sites on IIS 6, which is no problem, except that they also require FPSE/Sharepoint extensions. As we know, those extensions are lame when it comes to ACLing content.
> > >
> > > So, I have been exploring a new route for content isolation in order to contain content authors from one another's content and in order to contain the backend accounts from the areas of other backend accounts on which the extensions plug grants to Network and Interactive.
> > >
> > > In order to break the effect of the excessive grants I am exploring not granting Bypass traverse checking to any of the browsing accounts (restricted access webs), the authoring accounts, or the backend accounts (read iusr*/iwam*). Doing this for the browsing, authoring, and iusr* accounts is no problem. I have in place NTFS failure audit for any failure by any account on any partition (system and/or content), and am running clean.
> > >
> > > But once Bypass traverse is taken away from the iwam* accounts, when an app pool needs to spin up it fails.
> > >
> > > The eventlog trace of this is:
> > >
> > > - a sequence of 5 attempts to start the pool, each failing and recording in the system log:
> > >   Warning from source W3SVC, category none, EventID 1009
> > >   Message text is:
> > >   A process serving application pool 'EnpubPool' terminated unexpectedly. The process id was '3440'. The process exit code was '0xffffffff'.
> > >
> > > - simultaneous with each of these 5 messages is a failure message in the Application log:
> > >   Error from W3SVC-WP, category none, EventID 2269
> > >   Message text is:
> > >   The worker process failed to initialize the http.sys communication or the w3svc communication layer and therefore could not be started. The data field contains the error number.
> > >   The data is access denied code 80070005
> > >
> > > - these are followed by one system log message:
> > >   Error from W3SVC, category none, EventID 1002
> > >   Message text is:
> > >   Application pool 'EnpubPool' is being automatically disabled due to a series of failures in the process(es) serving that application pool.
> > >
> > > Again, there are no failures recorded at the NTFS level.
> > >
> > > I have used Sysinternals WinObj to set a grant to the iwam* account group of List + Read Control on \Device\Http in the object namespace, as there were grants to only System and Administrators (which by the way included a "Special" that the Advanced view in WinObj does not illuminate, and which I was not able to grant to the iwam* group). There is a grant on both higher object nodes to Everyone.
> > >
> > > If I grant Bypass traverse check to the iwam* group all is fine. So, there is a grant, I had assumed in the Windows object namespace, that is missing. In fact, until this I was not aware that Bypass traverse governed access checks on other than NTFS, but it quite apparently does.
> > >
> > > Anyone with any ideas as to where the missing grant might be? Or how to trace into this to find it?
> > >
> > > I am not sure whether this new approach is less or more of a performance drag than results from defining unique app pools for each web that is able to dynamically alter serverside execution (the IIS 5 parallel to which was not too bad, but IIS 6 is more heavyweight), and I recognize that the excess empowerment of the Interactive and Network grants is only mostly, not totally, nullified.
> > >
> > > But at this point I am just trying to find from where the access denial arises when Bypass traverse checking is taken away for the iwam* account group.
> > >
> > > Thanks for reading all that, by the way.
> > > Roger

> > I don't know the answer, but I know the developers who would know the answer from both the IIS and HTTP.SYS sides, so I will pass your question on to them.
> >
> > //David
> > http://w3-4u.blogspot.com
> > http://blogs.msdn.com/David.Wang
> > //

> Thanks David.
>
> I found it both curious and troublesome.
>
> While one still needs to use unique Iusr/Iwam accounts per web if one must guarantee full isolation, if this works without excessive overhead for the lack of bypass then it does make dealing with the extension's permissioning trivial instead of quite complex.

> Roger


I'm waiting for the responses, since a couple of the key people involved with the design/implementation you are asking about have since moved on to other teams and projects, so it may take a little while. I can spend some of my "personal brownie points" to get the answers.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
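Added example, not code from the thread or from either poster: a PowerShell correlation of the three event IDs Roger lists (W3SVC 1009, W3SVC-WP 2269 carrying data 80070005, W3SVC 1002) into one finding per application pool, so that a pool auto-disabled because its worker process was denied access at start-up is reported as such rather than as an unexplained crash. The event records are constructed to mirror the thread; the function name and the two-second pairing window are assumptions.

```powershell
# Constructed records shaped like the fields of Get-WinEvent output (Id, Time,
# Message, Data). Pool name, PID and error code are those quoted in the thread;
# the timestamps are invented. For live data map TimeCreated -> Time and the
# event's data field -> Data, e.g.
#   Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='W3SVC'; Id=1009,1002 }
$t0 = Get-Date '2007-10-26 14:19:00'
$events = @()
foreach ($i in 0..4) {
    $t = $t0.AddSeconds($i * 10)
    $events += [pscustomobject]@{ Log='System'; Source='W3SVC'; Id=1009; Time=$t; Data=$null
        Message="A process serving application pool 'EnpubPool' terminated unexpectedly. The process id was '$(3440 + $i)'. The process exit code was '0xffffffff'." }
    $events += [pscustomobject]@{ Log='Application'; Source='W3SVC-WP'; Id=2269; Time=$t; Data='80070005'
        Message='The worker process failed to initialize the http.sys communication or the w3svc communication layer and therefore could not be started.' }
}
$events += [pscustomobject]@{ Log='System'; Source='W3SVC'; Id=1002; Time=$t0.AddSeconds(50); Data=$null
    Message="Application pool 'EnpubPool' is being automatically disabled due to a series of failures in the process(es) serving that application pool." }

function Get-PoolStartFailures {
    # Returns one object per pool: crash count, how many crashes were paired with
    # a 2269 carrying 80070005 (access denied), and whether a 1002 disabled the pool.
    param([object[]]$Events)
    $poolRx = "application pool '(?<p>[^']+)'"
    $denied = $Events | Where-Object { $_.Id -eq 2269 -and $_.Data -eq '80070005' }
    $found  = @{}
    foreach ($e in ($Events | Where-Object { $_.Source -eq 'W3SVC' } | Sort-Object Time)) {
        if (-not ($e.Message -match $poolRx)) { continue }
        $p = $Matches.p
        if (-not $found.ContainsKey($p)) {
            $found[$p] = [ordered]@{ Pool=$p; Crashes=0; AccessDenied=0; Disabled=$false; First=$e.Time; Last=$e.Time }
        }
        $f = $found[$p]
        $f.Last = $e.Time
        if ($e.Id -eq 1009) {
            $f.Crashes++
            # 2269 names no pool; the thread reports it "simultaneous" with each 1009,
            # so pair the two by time (assumed 2-second window).
            $twin = @($denied | Where-Object { [math]::Abs(($_.Time - $e.Time).TotalSeconds) -lt 2 })
            if ($twin.Count -gt 0) { $f.AccessDenied++ }
        } elseif ($e.Id -eq 1002) {
            $f.Disabled = $true
        }
    }
    foreach ($f in $found.Values) { [pscustomobject]$f }
}

Get-PoolStartFailures -Events $events | Format-Table Pool, Crashes, AccessDenied, Disabled, First, Last
```

A pool whose Crashes and AccessDenied counts match, followed by Disabled, is the pattern Roger describes; a pool with crashes but no paired 80070005 points at something other than a start-up permission problem.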



