European Experts Exchange (EEE.org) :: Free Experts PHP MySql Oracle Microsoft Web SQL Delphi

visitor (0 QPoints)

262 experts, 1140 registered users, 1616 questions already answered
European Experts Exchange, the very best site for high-quality IT solutions

We now celebrate our 5 years of existence and break our frequentation records... Here are the stats of those 5 years.


Languages :: PHP :: mkdir and exec(cacls) in php - permission denied
By: YKK	Date: 07/04/2008 13:32:29	Points: 20	Status: Answered Quality : Excellent
Hi, I’m having trouble using mkdir and cacls (via exec) . I have permission denied for mkdir and nothing happens when I run cacls. Below is my scenario….. The web site is currently using \\\"Integrated Windows authentication\\\". And I\\\'ve used: echo ($_SERVER[\\\'LOGON_USER\\\']) echo($_SERVER[\\\'AUTH_USER\\\']); echo($_SERVER[\\\'REMOTE_USER\\\']); to display the users in php and they displayed my username for all of the above and I have admin rights. The folders that I want to create subfolders have full control rights for the Domain Admin groups (which I belong to) but it doesn\\\'t work. I\\\'ve even put myself with full control in the folder where I want to make directory. Ppan is an Active Direcoty user. below is my \\\"test results\\\"... MKDIR RUNNING SCRIPT SCRIPT HOSTED PERMFORMING TASK PERFORMING TASK LOCATION RESULT My local PC Svr_M creating a directory Svr_S Permission denied My local PC Svr_M creating a directory Svr_M OK – directory created My local PC My local PC creating a directory Svr_S OK – directory created Exec(CACLS…) RUNNING SCRIPT SCRIPT HOSTED PERMFORMING TASK PERFORMING TASK LOCATION RESULT My local PC Svr_M exec cacls for user ppan Svr_S (\\\\\\\\Svr_S\\\\CKTest\\\\ppan) nothing happened My local PC Svr_M exec cacls for user ppan Svr_M (\\\\\\\\Svr_M\\\\CKTest\\\\ppan) OK – ppan added with full control My local PC My local PC exec cacls for user ppan My local PC (c:\\\\ppan) OK – ppan added with full control But if the run the mkdir and cacls in the command prompt on Svr_M, it works. Hence I suspect it’s the user that IIS uses but it should be using me. Can Mkdir and Exec execute scripts perform tasks across networks? Any suggestions would be very much appreciated – I’ve already spent days/weeks “googling” and posting discussions on forums – still no joy! Many thanks in advance.
By: VGR	Date: 07/04/2008 17:36:05		Type : Comment
exactly. It IS the user the webserver is using, which hasn't the rights to perform the mkdir() either you make that user belong to the SVR_S's "domain admin group", which I find dangerous, or you ensure the Svr_S's parent directory (the one in which you want to mkdir() ) has the webserver's Svr_M's user in its ACL - access control list - and yes, "across networks" isn't a problem as log as you've the entry point (winNet share, network drive...) and the proper permissions.

By: YKK	Date: 08/04/2008 10:10:25		Type : Comment
Thank you for your reply... umm, but in the Intranet properties - directory security - authentication methods, Anonymous access is NOT checked, and Integrated Windows authenication is checked. And from the above (echo ($_SERVER[ LOGON_USER ]), echo($_SERVER[ AUTH_USER ]); echo($_SERVER[ REMOTE_USER ]); in the same script, all were showing my username, and I'm an admin (also belongs to Domain Admin group). So I guess I can make an assumption that IIS is using me to run mkdir? Which I have all admin rights. Domain Admin is a group setup in Active Directory, I belong to this group and Domain Admin also has full control for directory CKTest, and the scripts were to make a subfolder \ppan under CKTest. For testing purpose, I've also added myself with full control for directory CKTest. So still not sure what to do next....please advise!!!

By: YKK	Date: 08/04/2008 14:19:29		Type : Comment
Something else I'm not sure of regarding this. I've inserted the following lines to the script so that I can see the exact error message. ini_set('display_errors', 1); error_reporting(E_ALL \| E_STRICT); and the following message appears... Warning: mkdir(\\svr_s/cktest/PPan): Permission denied in d:\xxx\xxx\CKTest2.php on line 46 where is where the mkdir command is in the php script. Where is the permission problem? I don't think it's gone as far as touching the directory (where I want to create directory) yet. I've tried auditing the directory and it didn't show any error in the event log!

By: VGR	Date: 08/04/2008 19:41:30		Type : Answer
it's clear it's a permission issue. Your IIS is NOT runnign as your user. The _SERVER['LOGON_USER'] (populated only by IIS, but it's in the ENV anyway) is the user you're LOGGED AS on the domain, not the user IIS runs as. here are the results of some quick searhes : By default, IIS (inetinfo.exe) is configured to run in the System account context, but you can use the Services console to change the identity of various services so that they run in a user account rather than the System account. In the event of a buffer-overflow attack on IIS, Inetinfo running under a user account rather than System would be quite helpful. you should be able from the IIS GUI to "Configure IIS to run the ISAPI DLL with an user identity that has access" (you should read this page and also this Merdu$oft Tech Entry, especially that part : "How To Run Applications Not In The Context of the System Account" sorry, I can't help a lot more, I only use Apache (it's cross-platform, amongst other things)

Do register to be able to answer

Add This Article To:
Del.icio.us	Digg	Google	Spurl
Blink	Wong	Simpy	Y! MyWeb

browser fav

page generated in 4767.333980 milliseconds

Why Google AdSense ads ?

compteur

Ranking-Hits