Windows Servers and file permissions

PostAuthor: Helter » Sun May 27, 2007 9:17 am

How you set up write permission required for installation process depends on your system:

* Windows Apache server users: permissions are enabled by default - no need for any changes
* Windows IIS server users: IIS runs as the IUSR_[machine name] local user, thus to enable write permissions on certain folders and files, please grant IUSR_[machine name] rights to rewrite these files and folders. (Please refer to the user guide to see which folders/files require (re)write permissions). Please contact your hosting provider to learn how to change files and folders permissions on a remote server.
* UNIX/Linux/FreeBSD/Mac OS servers: file permissions are defined using chmod command.


I found this article that may answer a lot of questions for our users who are hosted on Windows servers.

==========================================================================

Remotely setting file permissions on Windows

This document is intended to help people who experience file permission problems when installing Perl CGI scripts onto Windows web servers.

How do I know if I am having a Windows Perl CGI permissions problem?

Note that we are talking about a Windows web server. The type of computer that you have in your home or office is not what is important here.

Your web hosting company should be able to tell you the operating system of your web server.

If you are having a file permission problem, you will see the string "Permission denied" returned in an error message when the CGI script tries to update some file or folder. Any other problem that you see - like a 404 Not Found error or a 500 Internal Server error - is not necessarily related to file permissions.

Techniques for solving permissions problems

Windows file permissions are a problem because there is no standard way for clients to change permissions remotely. On Unix, permissions are handled automatically by setuid solutions, or they are handled by using FTP and sending CHMOD commands, or they are handled by granting shell access to the user. Windows does not support FTP CHMOD and setuid solutions are much rarer there.

Because there is no standard technique for setting permissions, we need to try a variety of non-standard techniques. In some cases you will need to contact your web host directly. And in some cases it will be impossible to set permissions, because the web host will not cooperate.

Here is a description of all permissions solutions and how to test them:

* global read-write

If your web hosting provider makes the entire file system be read-write for web processes, then you will have no permissions problems. This can be done by giving the IUSR_Machine account Read/Write privileges to the web root folder. This is a reasonable solution if you have a dedicated web server that nobody else logs in to or uses for hosting.

Note that if you experience a permissions problem, then that means your web host is not configured for global read-write. You may want to contact your web host and request that they configure their server in this way.
* setuid

Your web hosting provider can make all files and folders in your root web folder be writable by your own web processes. This is one of the most secure and easy-to-maintain configurations. It is identical to setuid/suexec/CGIWrap on Unix hosts.

In this model, your web host will modify the IIS server settings so that your web site is accessed using your Windows login account, instead of the default IUSR_Machine account. By doing this, all scripts that run in your site (CGI, ASP, etc.) will run under your user account and will be able to update any files or folders. You will still be protected against hacking from the other web sites on the same server, since their processes will run under a different account context (either IUSR_Machine or their own personal accounts).

Note that if you experience a permissions problem, then that means your web host is not configured for setuid. You may want to contact your web host and request that they configure their server in this way.
* custom control panel

Your web hosting provider may have a web-based control panel that lets you set file permissions. These control panels are proprietary (each host must develop its own) and so you will need to contact your host to see if they have one, and to see how it works.

Web hosting company xo.com uses a custom control panel. See Installing CGI at xo.com for more information on using it.
* admin setuid request

If your web server is running a pure Microsoft solution (with Microsoft Windows operating system, Microsoft IIS web server, and Microsoft FTP service), and if the web server allows for HTTP Basic authentication, then you should be able to force your own user context on a case-by-case basis. This is done by installing a CGI or ASP script which challenges you for username and password, and then uses those credentials to change its own process context from IUSR_Machine over to your user account. Once it is executing within your account context, it can take administration actions such as changing file permissions with the command-line cacls program.

FDSC makes available the free perms.asp script for doing this. If you use the auto-installer, it will perform a similar action using nph-installer. The perms.asp script is slightly more powerful because it can execute if HTTP Basic authentication is disabled, but another one such as NTLM is enabled. The auto-installer nph-installer script requires HTTP Basic.
* preset data area

Some web hosts provide a default folder that is writable. For example, when you log in to your account over FTP, you will see folders labeled "data", "db", "logs", and "web". All of your web files will go into the read-only /web/ folder, and any script data files will need to be stored within the read-write /data/ or /db/ folders.

In these cases, you should install the script and then follow the instructions provided with each script regarding changing the location of the data folder. This will involve moving the script data folder into your private data area, and then updating the script files to reference the new location.
* using Front Page folders

If the Front Page server extensions are installed on your site, then you will probably have a folder named /_private/ at the top level of your site, and that folder will probably be script-writable. You can store your data files within that folder, using the same approach described in preset data area.
* manual setting permissions

Visit the actual server computer (i.e., be sitting in front of it, logged in). Alternately, you can contact somebody who has local access and ask them to take these steps for you.

Select the file or folder to be made writable. Right-click, choose Properties, then Security. Customize all permissions.

An equivalent method is to open a command prompt, navigate to the file or folder, and use the "cacls" command-line tool to manipulate permissions. Both "cacls" and the Security tab are equivalent interfaces to the same underlying functionality.

You can also wrap a set of "cacls" commands in a batch file and run the batch file. This is useful if you are giving instructions for someone else to carry out. Just create a pre-programmed bat file and ask them to run it. All of our programs come with a pre-programmed "setperms.bat" file.
* mapped drive

Ask your web host if you can create a mapped drive from your local Windows computer to their Windows server. You will need to connect from a client Windows computer running NT, 2000 or XP.

Once you have connected over the mapped drive, you can use the Security Properties or cacls command as in the above example.

Mapped drives also make it much easier to transfer files between client and server. You can use this instead of FTP.

Sample dialogs with tech support

You: I need to make these files and folders writable for my CGI script. I am hosted on your Windows server.

TechSup: Okay go in with FTP and set "chmod 777".

This is very common. TechSup has been trained for Unix and thinks things are the same on Windows. How do you convince him that FTP chmod does not work here?

You: As I mentioned, my site is hosted on a Windows server. Only Unix file permissions can be set via FTP, not Windows permissions.

TechSup: No, they can all be set via FTP.

TechSup needs to be shown

You: My FTP client trace log shows:

yu: 220 c152048a Microsoft FTP Service (Version 5.0).
me: USER xx
yu: 331 Password required for xx.
me: PASS yy
yu: 230 User xx logged in.
me: SITE chmod 666 file.txt
yu: 500 'SITE chmod 666 file.txt': command not understood

You: I have now provided you with technical data that demonstrates the problem. Your server is responding to my valid SITE CHMOD command with an error. Please provide counter-data, such as an FTP trace log showing a successful SITE CHMOD on my Windows server, or retract your claim.

Note: you can get this trace information by using the xav.com auto-installer with the "show detailed FTP trace output" option.

You: I need to make these files and folders writable for my CGI script. I am hosted on your Windows server.

TechSup: Okay go in with FTP and set "chmod 777".

TechSup has been trained for Unix and thinks things are the same on Windows.

You: As I mentioned, my site is hosted on a Windows server. Only Unix file permissions can be set via FTP, not Windows permissions.

TechSup: Well I guess you cannot set permissions then. For a transfer fee of only $600 we will transfer you to a Unix server. Or you can take your business elsewhere.

TechSup has no tech answers

You: Actually, there are several ways to set file permissions on Windows, but they just cannot be done over FTP. Would you please manually set them for me? I need folder XXX to be writable. I have uploaded a batch file for you which contains the exact "cacls" command that you would need to run. The file is at /web/XXX/setperms.bat.

At this point you might also request that they set up a setuid solution

You: I need to make these files and folders writable for my CGI script. I am hosted on your Windows server.

TechSup: We do not allow writable files and folders on our Windows servers.

You: My CGI scripts cannot function if they are not allowed to save state by saving to a file. You have claimed that Perl CGI is supported on this account. Part of Perl CGI support is the ability to run programs which save state.

You: That is like allowing me to run a Word processing program on my computer, but not allowing me to save files. That would not be "support for Word processing programs".

You: I need to make these files and folders writable for my CGI script. I am hosted on your Windows server.

TechSup: We do not allow that because of security concerns.

TechSup is paranoid about security and does not understand it. Person is probably afraid of change and afraid of being yelled at. Possible responses:

* You: There is nothing insecure about saving data to files.

If hosting company provides both Unix and Windows hosting, point out that they allow writable files/folders on their Unix side. Mention other large hosting companies like xo.com which run Windows shared web servers and allow for writable files.

* You: All I ask is that you provide the IUSR_Machine account with Read/Write privileges in addition to its current Read privileges for one data folder. I realize that this would allow my CGI scripts, and all other CGI scripts on the server, including those by other accounts, to modify the files. I realize that this is a risk and I hold you blameless for any problems that may come up due to it.

* You: Would you please customize the Security tab for my account (or for this folder/file) so that my user account context runs this Perl CGI script, as per the setuid configuration. That will allow my scripts to update all files in my account, and only those files in my account. Nobody else on the server will be able to modify my files, and I will not be able to modify files belonging to anyone else.

Security/paranoid people are difficult to work with. If they can articulate the exact specific security concern that they have, then usually you can meet them halfway with a solution that fits your data storage needs and fits their security needs. On the other hand, those tech support people who are not able to articulate any specific concern, but who just keep saying "no, security risk", "no, security risk", "no, security risk" cannot be worked with. You may want to hang up, call again, and hope for a more rational person.

You: I need to make these files and folders writable for my CGI script. I am hosted on your Windows server.

TechSup: We only allow writable files within the non-public "data" folder provided with your account.

You: Okay, thanks [See preset data area]

You: I need to make these files and folders writable for my CGI script. I am hosted on your Windows server.

TechSup: Okay, you can set your own file/folder permissions by going to our custom control panel at http://foo.bar/admin/.

You: Okay, thanks [See custom control panel]

You: I need to make these files and folders writable for my CGI script. I am hosted on your Windows server.

TechSup: Okay, you can set your own file/folder permissions by mapping a drive to our server.

You: Okay, thanks [See mapped drive]

"Remotely setting file permissions on Windows"

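The "manual setting permissions" step and the "one data folder" request from the post above, as an added example (not the article's own setperms.bat and not part of the original post): a batch file that grants the IIS anonymous account Change access on a single data folder rather than on the whole web root. The folder argument, the label names and the default account name IUSR_%COMPUTERNAME% are assumptions.

```bat
@echo off
rem Added example, not the article's own setperms.bat.
rem Grants the IIS anonymous account Change access on ONE data folder.
setlocal

rem Assumption: the data folder is passed as the first argument.
if "%~1"=="" goto usage
set "TARGET=%~f1"

rem Assumption: default anonymous account, IUSR_ followed by the computer name.
set "WEBUSER=IUSR_%COMPUTERNAME%"

if not exist "%TARGET%\" goto missing

rem Weak setting, shown for contrast only (the "global read-write" option):
rem   cacls "C:\path\to\webroot" /E /T /G %WEBUSER%:C
rem It lets every script on the server modify every file in the site.

rem Scoped setting:
rem   /E  edit the existing ACL instead of replacing it
rem   /T  apply to files and subfolders below the target
rem   /G  grant access; C = Change (read/write), which is enough to save data
cacls "%TARGET%" /E /T /G %WEBUSER%:C

rem Print the resulting ACL so the person running this can review it.
cacls "%TARGET%"
goto :eof

:usage
echo Usage: setperms.bat data-folder
exit /b 1

:missing
echo Folder not found: %TARGET%
exit /b 1
```

On newer Windows versions cacls is deprecated in favour of icacls, which takes different switches.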
Re: Windows Servers and file permissions

PostAuthor: Frost » Sat Jun 02, 2007 7:43 pm

Awesome, this is like having 148 websites and 12 hours of searching right here in one post 8)

Thanks Helter!