qadwjoh has asked for the wisdom of the Perl Monks concerning the following question:

Hi,

I'm creating a Perl CGI script to read and write files on a windows share. I've created a very basic script which writes some lines to a file on the share, and while it works fine from the command line, it won't run as a CGI script - the open command fails. The script is served by IIS running on Win2000 server.

Here's the code - nothing special... 
$file = "//my_machine/share/file1.txt";
unless (open (FILE, $file)) {
   die "Couldn't open $file."
} 
@file = <FILE>;
close FILE;
print @file;

[download]
OK, there's no HTML here, but I'm getting the error message "Couldn't open $file" as a header.

Perhaps this is a windows permissions issue more than a Perl one? Any help would be much appreciated

Thanks,
A

Replies are listed 'Best First'.
Re: Windows Share Access from CGI Script
by BrowserUk (Patriarch) on Sep 29, 2003 at 17:00 UTC

    The default userid used by IIS is explicitly barred from having access to network resources on security grounds.

    I'm not sure if it is possible to give the user IUSR_machinename, network access rights, but even if it is, you should probably talk to your SysAdmin people about it. If this is possible, and you have the appropriate rights to make this change, you should probably think carefully about why MS (not exactly known for their stringent security) chose not to give these rights by default!

    Examine what is said, not who speaks.
    "Efficiency is intelligent laziness." -David Dunham
    "When I'm working on a problem, I never think about beauty. I think only how to solve the problem. But when I have finished, if the solution is not beautiful, I know it is wrong." -Richard Buckminster Fuller
    If I understand your problem, I can solve it! Of course, the same can be said for you.
[reply]
Re: Windows Share Access from CGI Script
by NetWallah (Canon) on Sep 29, 2003 at 17:39 UTC
    As previously mentioned, the most likely cause is that your CGI code is running under default security, which is "Anonymous" access.

    You need to either (a)disable anonymous access on the page or directory, from the IIS control (mmc). or
    (b)change the user ID inside the script, which can get very complicated.
    I recommend (a).

    The other thing is that you are using unix-style forward-slashes for the file name. This is usually OK, but for Window's sanity sake, I would suggest: 

    $file = "\\\\my_machine\\share\\file1.txt";

    [download]
    The alternative is to use single-quotes (or q()), so you don't have to escape the back-slash.
[reply]
[d/l]
      Personally, I prefer the UNIX style and with the application I'm developing being a cross-platform one, I prefer to stick with just the one style. It doesn't make any difference to ActivePerl.
[reply]
Re: Windows Share Access from CGI Script
by digger (Friar) on Sep 29, 2003 at 16:18 UTC
    It looks like a permissions issue from here. When you run this from the command line, it runs with your permissions. When a cgi runs under IIS, I believe it runs under the user IUSR_YourServerName. I am depending on memory here, and a couple of excursions into Google to confirm, so anyone feel free to correct me.

    To get access to this share, you would have to grant write permissions to IUSR_YourServerName, which is probably not a great idea, unless this is internal only. It really depends on how secure you need this to be.

    Good Luck,
    digger
[reply]
Re: Windows Share Access from CGI Script
by inman (Curate) on Sep 30, 2003 at 08:25 UTC

    You probably need to change the account that is used to access anonymous content. See below for more details.

    When you request any resource through IIS, the server accesses the resource using a user account. The authentication behaviour can be set at server, site or virtual directory level. Open the properties dialog at the appropriate place and select the 'Directory Security' tab. This shows the authentication options.

    By default, the authentication method for a virtual directory is set to accept 'Anonymous Access' and 'Windows Integrated Authentication'. This means that the user will access the resource anonymously or as a user that can be authenticated against a Windows NT domain. The two methods are described below.

    Anonymous Access: By default, IIS uses the IUSR_Servername account to access any resource that is requested anonymously. This account is created during the IIS installation (or when the OS is installed) and should never be granted much in the way of permissions. It is unwise to grant more than minimal access rights (e.g. network rights) to the IUSR account.

    The IUSR account is only used by default. It is possible to use a different account for a specific virtual directory (in your case this is where your perl script is located). Properties page for the virtual directory -> Directory security tab -> Authentication Edit button -> Anonymous Authentication Edit Button. You can now change the user account that IIS uses for anonymous authentication to the virtual directory. You should of course choose an account with suitable rights. A Domain user account set up for the purpose and given minimal rights is probably the right thing to do.

    Windows Integrated Authentication: This requires your users to use Internet Explorer as their browser and have a Windows NT Domain account. It basically means that the IIS server uses the users own account to access the resource. This is a good way to go if you are providing an application in a limited environment where everyone logs on to a Windows Domain anyway.

    Enjoy.

    Inman

[reply]
      Thanks for all your help - I should have mentioned though, that the script is located in a directory which I have given Integrated Windows Authentication only, which is why I'm flummoxed.

      A

      UPDATE:
      I found this : HOW TO: Access Network Files From IIS Applications, which has pointed me in the right direction. I've set up my own user account as the anonymous access account and have been able to run my CGI script successfully.

      My only problem is, that when my CGI script invokes a second Perl script, this script is unable to access the share.

      Is there a way to pass on the user ID I've set up in IIS? Or is there a way my second script can run under a specified user ID? Can I do this from within Perl?

      A
[reply]
Re: Windows Share Access from CGI Script
by sgifford (Prior) on Sep 29, 2003 at 16:05 UTC
    Perhaps the user the Web server runs as doesn't have permission to open that file, or isn't logged in. If the open fails, the error will be in $!; printing that will probably help you figure out what's going on.
[reply]
[d/l]
[select]
      Thanks for your help.

      I'm getting "permission denied" in $! Presumably this works from the command line because I'm logged in and have permission. How do I give access to my CGI script then? I've granted everyone full access to the share in it's settings.

      A
[reply]
        Unfortunately, I don't know; I'm not a Windows user. Perhaps somebody who knows Windows can comment?...
[reply]

Back to Seekers of Perl Wisdom