Write privs needed on Windows to run 2.1 branch?

This forum is only for questions or discussions about working with the mojoPortal source code in Visual Studio, obtaining the source code from the repository, developing custom features, etc. If your question is not along these lines this is not the right forum. Please try to post your question in the appropriate forum.

Please do not post questions about design, CSS, or skinning here. Use the Help With Skins Forum for those questions.

This forum is for discussing mojoPortal development

3/15/2006 2:48:03 AM
Total Posts 10

Write privs needed on Windows to run 2.1 branch?

What files actually need write permission for the latest branch?  I really hate the idea of having to give the entire sites folder write access.
3/15/2006 2:49:38 AM
Total Posts 18439

Re: Write privs needed on Windows to run 2.1 branch?

Just make the Data folder beneath the root and all its children writable. I have purposely put anything that needs to be updateable, like logs, skins, etc., beneath this folder so you don't have to make the whole site writable.

Cheers,

Joe
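An added example, not part of the original thread or the mojoPortal project: a PowerShell audit that lists every directory outside `Data` where the web process could still write, so the "only Data is writable" layout described above can be verified. The site path and the identity list are assumptions to adjust for your installation.

```powershell
# Added example: report writable directories outside <site root>\Data.
# $SiteRoot and $Identities are assumed values; change them for your server.
param(
    [string]$SiteRoot = 'C:\inetpub\wwwroot\mojoportal',   # hypothetical path
    [string[]]$Identities = @(
        'NT AUTHORITY\NETWORK SERVICE',   # account the web process runs as
        'BUILTIN\Users',                  # groups that account may inherit from
        'Everyone'
    )
)

$dataRoot = (Join-Path $SiteRoot 'Data').TrimEnd('\')

# WriteData (0x2) and AppendData (0x4), plus GENERIC_WRITE and GENERIC_ALL,
# which some ACLs store as raw generic bits instead of specific rights.
$writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Test-UnderData([string]$Path) {
    # True for the Data folder itself and anything beneath it.
    $p = $Path.TrimEnd('\')
    return ($p -eq $dataRoot) -or
           $p.StartsWith($dataRoot + '\', [StringComparison]::OrdinalIgnoreCase)
}

$dirs = @(Get-Item -LiteralPath $SiteRoot) +
        @(Get-ChildItem -LiteralPath $SiteRoot -Recurse -Directory)

$findings = foreach ($dir in $dirs) {
    if (Test-UnderData $dir.FullName) { continue }   # Data is expected to be writable
    foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
        $isAllow  = $ace.AccessControlType -eq 'Allow'
        $canWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
        if ($isAllow -and $canWrite -and ($Identities -contains $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Path      = $dir.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Any row here is a directory the web process can write to outside Data.
$findings | Sort-Object Path | Format-Table -AutoSize
```

The script only reads ACLs and ignores Deny entries, so an empty result means no matching Allow entry grants write access outside `Data`; rows marked `Inherited` point to a permission set on a parent folder.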
3/15/2006 3:59:35 AM
Total Posts 10

Re: Write privs needed on Windows to run 2.1 branch?

Ouch :-/

Can we narrow it down to a set list of files?  As a rule, I never like to make anything that can be accessed via a URL writable.

3/15/2006 4:09:55 AM
Total Posts 18439

Re: Write privs needed on Windows to run 2.1 branch?

I can't think of a way to do that without losing some current and future functionality. Not all file names are known ahead of time, like files to be uploaded by the gallery or shared files module, the index files for search are named by Lucene, etc, etc, therefore the folders need to be writable.

I envision creating a feature to edit and create skins in the browser and other features that need write access.

If you can think of a solution that works and is not overly complex I'm all ears.
3/15/2006 4:11:45 AM
Total Posts 10

Re: Write privs needed on Windows to run 2.1 branch?

Maybe lock it down to a very small subset of folders?

Or, what about setting a user id/password concept on a site by site basis that is used internally when a write needs to happen?

3/15/2006 4:20:06 AM
Total Posts 18439

Re: Write privs needed on Windows to run 2.1 branch?

The Data folder is the subset of folders.

I'd have to hear more about this user id/password idea. If you're going to do something like that you have to use impersonation of a domain/machine user, not a portal user. It's the web process that has to run as a user with write permission.

You could possibly configure some folders like the shared file folder in IIS to only be accessible from 127.0.0.1, making it impossible for remote hosts to access it directly over http, but in theory the files in there are already not accessible over http because the files end with a .config extension which is protected by .NET.

Some of the other folders also use the .config extension for this same reason.
3/15/2006 6:33:46 AM
Total Posts 10

Re: Write privs needed on Windows to run 2.1 branch?

True, but it is a very large subset :)

I had three thoughts on this:

  1. Store an encrypted NT user id/password in the web.config (or database) that can be used on a per site basis.  The information is then used when any creating or writing of information is needed.  This adds more code, but is a pretty solid and secure option
  2. Create a subfolder under each site called "data" and only that folder needs write access, so it would look like: Data/Sites/[Site ID]/data -- this would be the only one that needed write access and everything would point to it
  3. Create a folder outside of the website root folder of the website and store all config in that one -- this is the best, but it will make coding a lot more tricky :)

Think any of those has merit?

BTW, you have an extremely impressive portal here :)

3/15/2006 7:04:38 AM
Total Posts 18439

Re: Write privs needed on Windows to run 2.1 branch?

I think your ideas have some merit and I have considered some of these before but to me the added value is questionable in light of the complexity involved to implement such ideas.

Changing the user being impersonated by the worker process based on which site would be a big challenge. When the application starts it has to run as some user before it can even look in the db for the encrypted user credentials (which would need to be in the db since we're talking multiple sites on one installation sharing the same web.config), then once you do look up the credentials how do you force the web process to now change to impersonate that user?

In some ways creating a different machine user for each site and configuring folder permissions for each is creating more attack surface than having one user with permission, and the only benefit really is preventing an admin user from one site from somehow doing something bad to another site. I say somehow because we are not talking about a specific exploit that has been identified. This would not eliminate any potential exploit on a writable folder for the site currently running since no matter which site it is still running with write permission.

If I was concerned about exploits by users between sites I would just setup separate physical installations for each site.

This would not be possible in many hosted environments so it would have to be an optional thing to begin with.

Also some things like the error logging are not site specific.

Any solution would also need to be workable on Linux as well as Windows.

Lots of downside in terms of making installation and configuration easy.
3/15/2006 7:13:30 AM
Total Posts 10

Re: Write privs needed on Windows to run 2.1 branch?

Hmm, good points -- all of them.

The impersonation is easy -- just create a principal object and call impersonate.  But I see what you are saying.

My main concern/worry is for IIS/Apache exploits that take advantage of writable folders to force a file upload and then execute it under the context of the user id running the webserver.  Now, on Linux, this is not a big deal for many people since the web server normally runs under the "nobody" account.  The issue is rather serious on Windows since IIS runs under the NETWORK_SERVICES account which does have a good deal of access.

I figured it was at least worth a shot to ask about this :)
