5

My web app writes to several folders (logs, uploads, etc), and I've always set these permissions manually through my hosting provider.

I'd like to create a setup script that performs this on new installations. Is this possible under Medium trust?

I can't even call File.GetAccessControl, let alone File.SetAccessControl, but I don't need such a "big hammer", anyway. I just want to do what the ISP (in this case GoDaddy) is letting me do through a management console.

I believe PHP is able to do this, and I'd be willing to consider a PHP page for this purpose if that's possible.

harpo

2 Answers

2

OK, assuming you are using IIS and ASP.NET in the usual fashion, you must have an ASP.NET account under which the framework executes your application on your behalf.

The web application runs under a single account and through authentication users are programmatically granted access to do things that your "master account" carries out on their behalf.

Think of it as looking something like this ....

ASP.NET loads your app (asp account)
User connects (iuser account)
User logs in (? depending on account used could be Windows auth or forms auth, etc.)

User requests to do something using your rendered web pages under their accounts ...

ASP.NET checks user has permission to perform operation (ASP.NET account)
If user can do this, ASP.NET acts on requested action (ASP.NET account)

Therefore ... You should already have the relevant permissions in that asp.net account to do what you need to do.

There is a level above all that too ... the IIS server itself runs under the system / network service account normally.

So the question is really ... How do you want to grant the permissions to a possible user to write to the server.

Have a look at the membership provider and roleprovider classes in the framework; you should be able to inherit those and create an ActiveDirectoryRoleProvider and ActiveDirectoryMembershipProvider class that would authenticate based on role membership of users in AD, or if you prefer, just authenticate against a DB with the basic ASP.NET provider classes.

Hope this helps.

War
  • Oh, I'd just like to add, if you need to override the trust level of the code you can do this based on the user having the permission to do so. So if you find that "medium trust" is not enough and the user authenticated is a sys admin then I believe you can override based on the user demanding the permissions. I don't, however, think you will need to. – War May 17 '10 at 14:40
  • Thanks for the input. This does shed a little light on the various accounts used in a typical setup. If the application connects through the IUSR account, how then would it take advantage of permissions available to only the ASP.NET account? – harpo May 17 '10 at 15:34
0

You need to edit a config file in %windir%\Microsoft.NET\Framework{Version}\

See http://msdn.microsoft.com/en-us/library/ms998341.aspx

AndreasN
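Added example, not part of the original thread or any poster's code: since the question reports that File.SetAccessControl is unavailable under Medium trust, a setup page can instead verify that each writable folder accepts a write and report which layer refused it (trust policy versus folder ACL). The class name, method names and demo folder layout are illustrative assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security;

public static class WritableFolderCheck   // hypothetical helper name
{
    // Returns null when a probe file can be written and deleted in `folder`,
    // otherwise a message naming the layer that refused the operation.
    public static string Probe(string folder)
    {
        string probe = Path.Combine(folder, "probe-" + Guid.NewGuid().ToString("N") + ".tmp");
        try
        {
            File.WriteAllText(probe, "setup probe");
            File.Delete(probe);
            return null;
        }
        catch (SecurityException ex)            // code access security: trust policy refused the call
        { return "trust policy: " + ex.Message; }
        catch (UnauthorizedAccessException ex)  // NTFS: the worker account lacks write or delete rights
        { return "folder ACL: " + ex.Message; }
        catch (IOException ex)                  // folder missing, path too long, and similar
        { return "I/O: " + ex.Message; }
    }

    // Probes each folder under appRoot; the result maps each failed folder to the reason.
    public static Dictionary<string, string> CheckAll(string appRoot, IEnumerable<string> relativeFolders)
    {
        var failures = new Dictionary<string, string>();
        foreach (string rel in relativeFolders)
        {
            string reason = Probe(Path.Combine(appRoot, rel));
            if (reason != null) failures[rel] = reason;
        }
        return failures;
    }

    public static void Main()
    {
        // Constructed demo layout: "logs" exists, "uploads" does not.
        string root = Path.Combine(Path.GetTempPath(), "probe-demo");
        Directory.CreateDirectory(Path.Combine(root, "logs"));
        foreach (var f in CheckAll(root, new[] { "logs", "uploads" }))
            Console.WriteLine(f.Key + " -> " + f.Value);
    }
}
```

Inside an ASP.NET application, pass `HostingEnvironment.ApplicationPhysicalPath` as `appRoot` so the probes stay within the application directory.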