Re: CGI, application context and security

chromatic, ww && eric256

You are all right : MS IIS uses the default IUSR_<machine> for anon access, and this user must have appropriate ACL privileges (R.X) set for the relevant groups in order to access files from the CGI program.

The ps.exe util from MKS I used had uid:Admin and gid:SYSTEM, which did not match the IUSR privileges.

C:\Program Files\MKS Toolkit\mksnt>ls -al ps*.*
owner           group 
Administrators  SYSTEM            ps.exe
Administrators  SYSTEM            psproxy.exe
[download]

When I switched to another util on the machine : pslist.exe from PsTools installed with different gid, i was allowed get a process list from the CGI-program (I could have changed the group ownership on MKS ps.exe instead - TMTOWTDI):

C:\systools\@SI\PsTools>ls -al pslist*.*
owner           group 
Administrators  KMD\Domain+Users  pslist.exe
[download]

Changing the privileges for the IUSR and the file ACL fixed the access problem; Then of course I ran into another issue (the IUSR wasn't authorized to access the VSS-database on a network share...), but now i know how to tweak the IIS user privileges in order to allow the CGI-program to access the necessary resources.

The HTTP/CGI programming model, and not the least: the security model, is significantly different from developing rich clients. I found these ref's usefull for a Perl CGI beginner...
Course
TroubleShoot

And then I'm switching to Perl Win32 modules instead of external utility programs for a more robust solution.

Best regards
allan

Comment on Re: CGI, application context and security Select or Download Code


P is for Practical
	PerlMonks