Friday, January 14, 2011

Best practice for IUSR_ account and giving write access

Just for clarity, I'm wondering what the best practice is for giving the IUSR_ account write access under IIS 6.0 to a folder. I gave searching on Google a try and on here a try, but nothing's really pointing me in either direction. From my understanding, giving that account write access to a folder in an Internet site would be a bad idea. This site would be a mix of Classic ASP and ASP.NET.

Anyone want to chime in on this?

  • I don't know everything about the subject, but I do know that you don't want to do it if you have WebDAV enabled. I ran into this issue a couple years ago and I'm basically copy/pasting my old post on the issue. In short, if you have WebDAV enabled, you can write to the server using PUT commands. Try it out.

    1. Make sure that WebDAV is Allowed in the "Web Service Extensions".
    2. Create a site
    3. Through IIS, permit READ and WRITE.
    4. Telnet to port 80 (i.e. telnet www.mysite.com 80)
    5. Type the lines below exactly as you see below (they will be blanked, so you won't see anything until you've finished)

    PUT /uhoh.txt HTTP/1.1 enter
    Host: localhost enter
    Content-Length: 6 enter
    enter
    Scary! enter

    At this point it should have accepted it. Check the root of your directory and view your file. You'll see that the owner is IUSR_{computer.name}.

    From pk
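    The telnet session above is easy to reproduce and check from a script. The following is an added example, not part of pk's answer or any Microsoft tooling: it sends the same raw `PUT /uhoh.txt` with a body of `Scary!` and reports whether the server accepted it (any 2xx, typically 201 Created, means the file was written with the anonymous account's rights). Because there is no IIS 6 box to talk to offline, the block also stands up two constructed local servers that mimic the two configurations: one with Write permission on (the "uhoh" case) and one that refuses PUT with 405. Point `probe_put` at a real host and port to check your own site.

    ```python
    import http.client
    import threading
    from http.server import BaseHTTPRequestHandler, HTTPServer


    # Constructed stand-in for a site with Write permission OFF (or WebDAV
    # prohibited in Web Service Extensions): PUT is refused with 405.
    class ReadOnlyHandler(BaseHTTPRequestHandler):
        protocol_version = "HTTP/1.1"

        def do_PUT(self):
            # Drain the body so the connection stays in sync, then refuse.
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            self.send_response(405)
            self.send_header("Allow", "GET, HEAD, OPTIONS")
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # keep the example quiet
            pass


    # Constructed stand-in for the "uhoh" configuration: WebDAV allowed and
    # Write permitted, so an anonymous PUT creates the resource (201 Created).
    class WritableHandler(ReadOnlyHandler):
        stored = {}  # path -> body, standing in for the web root on disk

        def do_PUT(self):
            body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
            WritableHandler.stored[self.path] = body
            self.send_response(201)
            self.send_header("Content-Length", "0")
            self.end_headers()


    def start_server(handler):
        """Bind a throwaway server on a free loopback port and serve in the background."""
        srv = HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        return srv


    def probe_put(host, port, path="/uhoh.txt", body=b"Scary!"):
        """Send the same PUT the telnet session sends.

        Returns (status, accepted); accepted is True for any 2xx, i.e. the
        server let an anonymous client write a file under the web root.
        """
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("PUT", path, body=body)  # Host and Content-Length are added for us
        resp = conn.getresponse()
        resp.read()
        conn.close()
        return resp.status, 200 <= resp.status < 300


    def check_server(handler):
        """Run probe_put against a local server built from `handler`, then tear it down."""
        srv = start_server(handler)
        try:
            return probe_put("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()


    if __name__ == "__main__":
        for handler in (WritableHandler, ReadOnlyHandler):
            status, accepted = check_server(handler)
            print(f"{handler.__name__}: HTTP {status}, "
                  f"{'WRITABLE by anonymous users' if accepted else 'PUT refused'}")
    ```

    A 405 (or 403) here is what you want to see from an Internet-facing site; a 201 means the file landed on disk, and with Write on a folder that also has script or execute permissions, the next PUT can just as easily be an `.asp` page.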
  • Here are my "I wouldn't do this" statements in order of amount of discomfort they cause me (least to worst):

    • I wouldn't give anonymous users write access to a folder on a server computer connected to the Internet.

    • I especially wouldn't give anonymous users write access to a folder on a server computer configured to run scripts.

    • I really, really, really wouldn't give anonymous users write access to a folder on a server computer configured to run arbitrary executables.

    In short, I wouldn't do it. If you need anonymous users to be able to write to the web server it should be done through scripts that impose some type of sanity checking / validation (size, content, etc) on the uploaded data rather than through a straight HTTP PUT to the filesystem.
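    As an illustration of the "through scripts that impose sanity checking" approach, here is an added example (not from the answer above, and not tied to Classic ASP or ASP.NET; the size limit and accepted types are assumptions chosen for the demo). The upload handler, not the client, decides three things: whether the size is acceptable, what the file actually is (from its leading bytes, never from the client-supplied name), and what it is called on disk. A file named `shell.asp` that contains PNG data is stored as `<random>.png`; a file with script content is refused outright, so nothing with a script extension ever reaches a folder the web server might execute from.

    ```python
    import os
    import secrets
    import tempfile

    # Assumed policy for this example: a 2 MiB cap and three accepted types,
    # identified by their leading bytes rather than by the client's file name.
    MAX_BYTES = 2 * 1024 * 1024
    ALLOWED_MAGIC = {
        b"\x89PNG\r\n\x1a\n": ".png",
        b"\xff\xd8\xff": ".jpg",
        b"%PDF-": ".pdf",
    }


    class UploadRejected(ValueError):
        """Raised when an upload fails validation; the caller returns an error, nothing is written."""


    def validate_upload(data: bytes, declared_name: str) -> str:
        """Return the extension the content really matches, or raise UploadRejected.

        `declared_name` is untrusted input from the browser; it is only echoed
        back in the error message and never influences the stored name or type.
        """
        if not data:
            raise UploadRejected("empty upload")
        if len(data) > MAX_BYTES:
            raise UploadRejected(f"upload of {len(data)} bytes exceeds {MAX_BYTES}")
        for magic, ext in ALLOWED_MAGIC.items():
            if data.startswith(magic):
                return ext
        raise UploadRejected(f"content of {declared_name!r} is not an accepted type")


    def store_upload(data: bytes, declared_name: str, upload_dir: str) -> str:
        """Validate, then write under a server-chosen name; returns that name."""
        ext = validate_upload(data, declared_name)
        # Random name plus the content-derived extension: no path components,
        # no client-chosen extension, nothing an attacker can predict.
        name = secrets.token_hex(16) + ext
        dest = os.path.join(upload_dir, name)
        # O_EXCL refuses to overwrite an existing file even on a name collision;
        # 0o640 keeps the file readable by the web server group only.
        fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        return name


    def demo():
        """Constructed inputs: one legitimate image, two hostile uploads."""
        upload_dir = tempfile.mkdtemp(prefix="uploads_")
        png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32           # truncated PNG header, constructed
        asp = b"<% Response.Write(\"hello\") %>"             # script content, constructed
        results = {}
        results["png_as_shell.asp"] = store_upload(png, "shell.asp", upload_dir)
        for label, blob, name in (("asp_script", asp, "cmd.asp"),
                                  ("oversize", b"%PDF-" + b"\x00" * MAX_BYTES, "big.pdf")):
            try:
                store_upload(blob, name, upload_dir)
                results[label] = "ACCEPTED"
            except UploadRejected as exc:
                results[label] = f"rejected: {exc}"
        return results


    if __name__ == "__main__":
        for k, v in demo().items():
            print(f"{k}: {v}")
    ```

    The upload folder itself should be separate from the site's content and, in IIS 6, have Execute Permissions set to None so that even a validation slip cannot turn an uploaded file into a running script; the IUSR_ account then gets write access to that one folder only, and the script that writes there is the only path in.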
