|
-
Apr 2nd, 2004, 07:09 AM
#1
Thread Starter
Frenzied Member
 Script Runs As Wrong User [Resolved]
In my site, i use the following ASP.NET script to automatically fill a table with the users downloads so that all i have to do to share the files is copy the files into the folder and the script creates the links and does the rest. However, i use Windows security to lockout the files so other users can't access each others files. The problem i have is that the script seems to run as the user NETWORK SERVICE and they have to have permission to list folder contents. To allow my script to work, i have to give this account permissions to see all the files in everybodies folders which means that anyone who knows the username of someone else can see their files. Is there a way to prevent this from happening and force the script to run as the user logged on?
VB Code:
Dim Username as String = Request.QueryString("username") 'Username of the user to whom's files are to be retrieved
Dim URLPath as string = "downloads/users/" & Username & "/files/" 'The path that is appended to the files for the hyperlinks
Dim DirInfo As New DirectoryInfo("...\Downloads\users\" & username & "\files") 'The directory the files are referenced from
Dim fInfo As FileInfo() = DirInfo.GetFiles
Dim FileName as String 'Stores the file name so that the spaces can be replaced with %20 for hyperlinks
Dim FileSize as Single 'Stores the size of the files so that they can be rounded to two decimal places
Dim CreatedDate as Date 'Stoes the date the file was added i.e. the created date
And the rest just sorts the data and puts it into a table.
Last edited by Ideas Man; Apr 11th, 2004 at 11:08 PM.
I use Microsoft Visual Basic 2005. (Therefore, most code samples I provide will be based around the .NET Framework v2.0, unless otherwise specified)
-
Apr 3rd, 2004, 09:08 PM
#2
Thread Starter
Frenzied Member
Does anyone have any ideas? Bump.
I use Microsoft Visual Basic 2005. (Therefore, most code samples I provide will be based around the .NET Framework v2.0, unless otherwise specified)
-
Apr 4th, 2004, 06:54 PM
#3
New Member
Using the IIS MMC admininstrative console, you will need to set directory security on the application/folder that contains this script so that it does not permit Anonymous authentication (it should only allow Integrated Windows authentication, so that your users logged-on domain identity is what the webserver recognises and takes on).
-
Apr 5th, 2004, 01:04 AM
#4
Thread Starter
Frenzied Member
I've already done that actually, musta been the first thing i did when i set it up for secure thingy. So that doesn't work, because it's already set. Any more ideas though, sounds like you are on the right track.
I use Microsoft Visual Basic 2005. (Therefore, most code samples I provide will be based around the .NET Framework v2.0, unless otherwise specified)
-
Apr 11th, 2004, 11:19 PM
#5
Thread Starter
Frenzied Member
I fixed it. For those interested, you cannot change the script to run as the logged in user because all scripts run under the same application pool using a special account in IIS 6. The NETWORKSERVICE is an account designed to run scripts such as these and it doens't have much in the way of flexibility i.e. can't be used to comprimised the system. It can perform many tasks and access the network to access resources but nothing that would pose as a real danger security wise. To fix the problem, I simply put a username checker into the code to verify that the username entered corresponds to the user logged in and it works fine.
I use Microsoft Visual Basic 2005. (Therefore, most code samples I provide will be based around the .NET Framework v2.0, unless otherwise specified)
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
Click Here to Expand Forum to Full Width
|
Reply With Quote