What you want should be doable with Win32::AdminMisc's CreateProcessAsUser or LogonAsUser functions, with example code included in the RUNAS.PL file that accompanies the install.

But ... you'll have to put the password for whatever account you log into in the CGI script, so whether or not this is a "bad idea" depends on your level of paranoia and confidence in the security of your scripts.

    --k.

Thank you for the tip.

Win32::AdminMisc has LogonAsUser, which appears to be what I'm looking for. I was hoping for a platform independent function but I guess that's not possible.

Looking at the requirements for functions such as LogonAsUser, switching the anonymous user account under which the scriopt runs might be less trouble than asking system administrators to set priveleges such as "SeTcbPrivilege", "SeChangeNotify" and "SeAssignPrimaryToken".

I'll take a closer look. Thank you!

Richard

If you want it to be portable, abstract it one level, and then bring in whatever code you need based on the OS in your abstraction layer rather than the application layer. As you need support for new environments, you only adjust your abstraction layer.

Example:

# Application.pl

use IO::File::AsUser;       # Your abstraction layer
my $fh = IO::File::AsUser->open($file, $user);

# AsUser.pm

package IO::File::AsUser;

#blah blah
sub open {
    if ($Windows) {
        do_what_needs_to_be_done_on_windows();
    } elsif ($Unix} {
        do_what_needs_to_be_done_on_unix();
    }
}
[download]

thor

The IUSR_* user is created when IIS is installed (prob with OS). IIS uses this account by default to allow internet access. By default the IUSR password is given few access rights on the server and nothing on remote servers. You can however change the user that IIS uses on a site wide or per folder basis.

Select the properties page for the virtual directory that you are working with. select the 'Directory Security' tab. Click the edit button in the section concerning authentication. A new Dialog called 'Authentication Methods' is shown. The Anonymous access section has another Edit button that allows you to choose the user account that IIS will use. This can be a local or domain password.

You may also want to uncheck the 'Integrated Windows Authentication' checkbox. Inman

Thank you.

This is exactly what I have decided to recommend to people using my script.

It's not that difficult to create a new user account that has rights on the domain and then have the script run using that account (using the instructions you outlined).

In the end, given what I have learned from this thread, I think this is easier than trying to have the script program switch login accounts. The script currently works without modification on all operating systems that support Perl 5.

Richard

HTH

Thank you for your reply.

Unfortunately, setting the permissions doesn't help when a script running under IUSR_MACHINE (the Internet Guest Account) is trying to open a file on another machine even when the other machine is on the same domain. The reason is that by default the Internet Guest Account does not have network file access.

This can be worked around by promoting the Internet Guest Account to a domain level account or by duplicating the Internet Guest Account on the other machine. The second approach is described as more secure because one doesn't want to necessarily allow all web site visitors access to other machines on the network.

I believe it's also possible to change the account that the script is running under to a domain level account or perhaps another local account that is duplicated on the other machine. I'm having trouble switching the anonymous account to a domain level account because I think my Win2K machine is not able to make sense of the Active Directory that has replaced the old NT user login account lists.

In any case, I'm wondering if it would simplify things for my users if the script were able to update the text file using a different account. Perhaps this solution is similar to switching the anonymous account under which the script runs?

I have searched through the Perl documentation but don't see any functions that allow me to do operations using a different login account. Maybe this has been left out intentionally or I'm using the wrong search criteria?

Thanks.

Richard

I'm having trouble switching the anonymous account to a domain level account because I think my Win2K machine is not able to make sense of the Active Directory that has replaced the old NT user login account lists.

Again, forgive me any inaccuarcies, as it's been a long, long time since I've done Windows sysadmin work, but Win2K and Active Directory should be completely compatible (well, as compatible as windows anything gets).

• Do you have an AD server?
• Are you able to log in as a dmomain admin on your web servers?
• are your servers members of the domain?