[mapserver-users] msDrawRaster TileIndex TileItem Location HELP!

Sam Paske spaske at kapur-assoc.com
Wed Aug 1 11:22:55 EDT 2001


Thanks for the clarification. It *really* does help one understand how
things work if you can understand the underlying phylosophy. The part of
this that I am most hazy on is where the IUSR_* stops and where the SYSTEM
account starts.

For example, some mapserver users are using the cgi version, which is fairly
straightforward in that the cgi is invoked to execute with IUSR_*
permissions. (At least that's how I understand it....) But other users are
putting together more complicated servers where scripting hosts are
executing. I confess thatI have very little knowledge of how, for instance,
IIS->perl->IIS actually works. I believe the cgi version spawns a unique
process for every map session (or request). But I don't understand how the
scripting modules plug into IIS - are they running as a service, or are they
invoked like the cgi version. The implication, in effect, would be that you
would have a fairly priviledged user hitting the web server if the scripting
module was running as more than IUSR_*.

I have a little experience with Cold Fusion (CF), and I know that CF must
run as SYSTEM or some equivalent. So it is possible to mix security contexts
with IIS. (The saving factor is that CF manages it's own security by only
accepting page requests that are "ok" with IIS and by not allowing things
like access to the directory structure unless specifically permitted.)

Getting back to the issue, I noticed that another user thought the problem
might be with the path to the files. Has anyone tried to use a microsoft
Distributed File System? From what I understand, it could be an alternative
if you are using NT4/2000.

Finally, there is a way for a user to access files on a remote machine and
_not_ be a member of the domain. The key is that the "user" must exist on
both machines and must have the same name and password. For example, if I
want an anonymous web user (accessing IIS on the machine named
"terramapper") to be able to see files on John Doe's computer (named
"hal9000" let's say) I would need to have the anonymous web user use an
account with a static name and password. So I create a local account called
INETUSER and give it a password of "password" (couldn't resist). I do this
on BOTH machines. I then have IIS use that account (technically
INETUSER/TERRAMAPPER), and set the permissions of the web so that INETUSER
can read the necesary files. I then go over to hal9000 and give INETUSER
(technically INETUSER/HAL9000) the right to see a few shape files and
directories. (I make sure that the files are not under My Documents for
reasons I won't go into.) Then, paths and drive mapping aside, the IIS user
should have the ability to see the remote files.

Hope I didn't confuse the issue!


-----Original Message-----
From: Ed McNierney [mailto:ed at topozone.com]
Sent: Tuesday, July 31, 2001 7:11 PM
To: Sam Paske; Hankley, Chip
Cc: mapserver-users at lists.gis.umn.edu
Subject: RE: [mapserver-users] msDrawRaster TileIndex TileItem Location

Sam et al. -

I think I covered a lot of this with my previous post, but there seems
to be enough interest to warrant some clarification.  I've worked with
both Windows and UNIX networks for a long time, and I don't find either
particularly hard to manage or easy to manage, but they're certainly
different.  It's really worth spending some time understanding the
philosophy behind Windows networking before you expose your network
assets to the world.

One of the fundamental precepts of Windows NT/2000 security is that
EVERY access to every resource on every system is done through a
security context.  For most purposes, it's simple enough to think of
this as a user context or user login.  For every operation there is
always the notion of an authenticated user context.  In particular, the
comment "This user is considered anonymous and has not authenticated in
any way" is correct from a Web site security point of view (no dialog
box popped up when someone tried to access your Web page) but it is
completely incorrect from a Windows networking point of view.

When a Web site developer tells IIS to permit anonymous access to a Web
site, or to a page on a site, Windows basically says "OK, since all
those Web users look the same to me, and they haven't logged in
anywhere, YOU give me a valid user account and password for them to
use."  This is the role served, by default, by the IUSR_<machinename>
account.  You can change that to any account you like, but obviously all
Web visitors use the same account because there's no way to tell them

Although (as someone mentioned) the Web server itself (IIS) is running
under the local SYSTEM account, it impersonates the IUSR_<machinename>
account for all access to files and other resources.  This includes
every single file, even if your Web server is doing nothing but serving
one, simple HTML file.  The IUSR_<machinename> account must have Read
access to that file.

Windows networking supports local machine accounts and domain accounts.
Local machine accounts can ONLY have access to resources on their local
machine.  Domain accounts can use resources on any machine on the
network, provided they are granted access rights to those resources.

You CAN'T sit down at machine FOO and set the permissions on a file to
give BAR\IUSR_BAR Read access to that file.  (BAR\IUSR_BAR means the
local account IUSR_BAR on the MACHINE named BAR.)  If FOO and BAR are
members of a domain named BAZ, then you can grant access (on FOO) to any
domain account (BAZ\Guest or BAZ\Administrator or anything).

If you want IIS to grant an anonymous Web visitor rights to read any
file that's not on the local IIS machine, you MUST change IIS' default
(and conservative) setting and assign a domain user account for it to
use.  You can then set the access rights on any file or other resource
to grant that domain user account access.  That machine must have access
to a domain controller so the IIS login account can be authenticated
when the first anonymous access occurs.

Always create an account that is used only for this purpose; don't share
another account.  Always realize that this account can potentially have
access to any resource on your network, so be careful.

	- Ed

Ed McNierney
Chief Mapmaker

-----Original Message-----
From: Sam Paske [mailto:spaske at kapur-assoc.com]
Sent: Tuesday, July 31, 2001 5:32 PM
To: Hankley, Chip
Cc: mapserver-users at lists.gis.umn.edu
Subject: RE: [mapserver-users] msDrawRaster TileIndex TileItem Location

I remember wrestling with user priviledge issues when I first set up a
mapserver site. I went around the issue a few times trying to get the
cgi to
work, yet restrict access to the map file (because that file contains
and data path information, which could help compromise a server...).

The user accessing the content, if coming from the internet, should be
IUSR_* (the * could be a computer name or something else). This user is
considered anonymous and has not authenticated in any way. Check your
directory security properties and see how your users are authenticating
you could be allowing a range of users to log on, from anonymous to

The domain of this user will most likely not be the domain(s) in which
machine is a member, but the machine name itself. In other words, IUSR_*
not a member of any domain. This is how our Win2000 server works. So if
want an internet user to have access to a file, you must explicitly
IUSR_* access to the file, but that could be complicated if the file is
another machine in the domain. That machine may require _authorized_
authentic) users to be members of the domain, and that would not be a
idea for the anonymous internet account.

Of course, this all depends on what user is accessing the file. Perhaps
anonymous user is not actually accessing the data files - the server
software is. If the server software is accessing a file as admin (or
similar), can it access the domain? I doubt it, because it is running
a local account, not a domain account. There are Microsoft protocols
can be used to access/execute files on other machines, but I am not too
familiar with them.

That is the extent of my Windows knowledge, and our guru is gone for the
day. (And not because windows networks are sooo easy to administer....

Sam Paske
Kapur AGS

-----Original Message-----
From: owner-mapserver-users at lists.gis.umn.edu
[mailto:owner-mapserver-users at lists.gis.umn.edu]On Behalf Of Hankley,
Sent: Tuesday, July 31, 2001 12:54 PM
To: 'Richard Greenwood'; mapserver-users at lists.gis.umn.edu
Subject: RE: [mapserver-users] msDrawRaster TileIndex TileItem Location

Richard and I are having the same problem I think...

I'm beginning to think that on NT, your data HAS to be on a local

Lowell wrote:
 >You might try dumping a simple shapefile over on the share and adding
 >a layer in your .map file.  Just to see if things on that level work.

I tried this yesterday and got the same results. I used a map file with
simple polygon layer. Did it local, worked fine, on a share, didnt'

 >Have you tried blowing open the privs just to see if that fixes it?

This is possible, does anyone know what USER IIS or PWS acts as on NT?
it take on the credentials of whoever is logged in, or is it something
obsure, like %SYSTEM?

Man, if anyone knows the definitive answer to this, please speak up!
has some significant ramifications for how I deploy some applications,
I'm totally stuck.

Chip Hankley

More information about the mapserver-users mailing list