a440guy has asked for the wisdom of the Perl Monks concerning the following question:

[IIS on Windows 2003 Server; ActiveState Perl 5.8.4]

I wrote a simple "hit counting" script for use against IIS log files. I turned it into a CGI script so that my boss can run it instead of me having to do it all the time.

Problem: I get 'Permission denied' when my script tries to open a log file. This is because the logfile directory is accessable only by the pseudo-user "SYSTEM". If I set 'read' permissions on that directory for IUSR_<hostname>, there is no problem. I would prefer not to give such permission to this anonymous user.

Ideally, my CGI script would run with the credentials of SYSTEM, but this is Windows! I could not find any solutions on the web. Is there a way to run my perl CGI script with SYSTEM credentials? (I know, not really a perl question.) Any other suggestions?

Replies are listed 'Best First'.
Re: IIS Log Permission problem
by shonorio (Hermit) on Sep 14, 2005 at 00:51 UTC
    Run IIS web site with 'System account' isn't a good pratice, I strong recomend you to run your script with IUSR_<hostname>, as like default, and set the correct permission on the files that you need.

    But if you really need a power user to run your script, you can change who is running your web application by 'Directory Security' tab of your web application configuration property, following :
    * Click 'Edit' botton on 'Anonymous access and authentication control';
    * On 'Anonymous access', configure the user that you want, like administrator, and go selecting 'Ok' botton on all windows.

    Last advice, do not do it, especially for a public web site. For your question, I think you don't have a good skill on Windows enviromment, and maybe didn't take care of all configuration for a 'security' IIS server.

    Try do run your CGI with a less security as a possible.

    Solli Moreira Honorio
    Sao Paulo - Brazil
[reply]
Re: IIS Log Permission problem
by Anonymous Monk on Sep 13, 2005 at 22:26 UTC
    Is there a way to run my perl CGI script with SYSTEM credentials?
    IIS is running your script, so if you reconfigure IIS to run as SYSTEM.
[reply]
Re: IIS Log Permission problem
by inman (Curate) on Sep 14, 2005 at 07:53 UTC
    When you say 'I would prefer not to give such permission to this anonymous user', your log file is not being directly published by IIS so any user would have to go through the CGI script to read the content. What you want to do is to protect your CGI script and make sure that it can only be used by an appropriate person.

    Have you looked at using the default 'Windows Integrated' authentication so that the CGI script would be run as your Manger user account? You can then secure the script and your app by setting his account as having read access.

[reply]

Back to Seekers of Perl Wisdom