Is there a way to access the file-system outside of the current ASP.NET application, without going around giving IIS_IUSRS permissions? For example, if I wanted this line to work:
logStream = File.Open("C:logsapp.log", FileMode.Append, FileAccess.Write, FileShare.ReadWrite);
… I’d have to normally grant read/write permission to C:logsapp.log to the IIS_IUSRS group. This gets annoying for setting the app up on new systems, where the directories which need to be accessed can be in different locations. Is there any way to tell ASP.NET what directories it should have access to?
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
You can do this using impersonation, but I would urge you not to do this. You’re getting into very risky areas as far as security is concerned. If you’re not 100% sure of the access permissions of the identity you are impersonating, then you run the very real risk of allowing hackers to get at areas of your server that you did not intend. Setting up ACL’s properly is time consuming, and you do NOT want to just use an administrative or super user. You’d want to set up a user specifically for this purpose, and if you’re doing that, you’re just adding a step to what you’re already doing.
A better solution would be to design your app to write to a folder that your application controls. Your installation can create the folder on the machine and grant permissions automatically, rather than relying on an existing system folder.
http://msdn.microsoft.com/en-us/library/ms998258.aspx#pagguidelines0001_impersonationdelegation
Method 2
You can also setup your AppPool to run under an account with the appropriate credentials.
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0