[mapserver-users] msDrawRaster TileIndex TileItem Location HELP!

Ed McNierney ed at topozone.com
Tue Jul 31 15:50:24 EDT 2001


No, on NT your data does NOT have to be on a local drive.  This is
probably a permissions problem.  But you need to know a bit more about
IIS and NT security.

By default (you can change it), NT creates a unique user account called
IUSR_<machinename> for IIS.  If your machine is named FOO, then the
account is named IUSR_FOO.  This is NOT a domain-level account - it's a
local machine account.  This gives you fine control over exactly what
files this account has access to, and it minimizes the risk that you'll
give a Web user access to something you shouldn't.  If you're using
anonymous Web access, all Web server activities run under the security
context of the IUSR_FOO account.  In other words, the person sitting at
the Web browser is acting like they have logged in as the user IUSR_FOO.

The first thing you'll need to do is to make sure IUSR_FOO has
appropriate access to all the directories it will need.  This generally
comes down to Read permission on the template and map files, Read and
Execute on the CGI directory, and Read and Write permission on the
directory where MapServer creates output files.

However, the restrictions on the IUSR_FOO account prevent it from
getting access to domain resources.  That's what local accounts are
supposed to do.  If you want your Web server to have access to domain
resources (that is, shared files on other machines in the domain) you
will need to change IIS to use a domain-level account rather than a
local machine account.  This is easy to do - under Internet Services
Manager, right-click on the Web site and select Properties.  On the
Directory Security page, hit the Edit... button to edit anonymous access
control, then hit the next Edit... button to change the account IIS uses
for that Web site.  Each site can have its own account if you need that.
Be sure to create this account first, and remember that it needs to be a
domain-level account.

Now you will have IIS running in a domain-level security context.  You
can grant it permission to do anything to any file anywhere on your
domain.  This can be very helpful, but it can be very dangerous, too.
Make sure you keep that new IIS account on a short leash - don't make it
a member of any groups, and remember that anything that's accessible to
all users on your domain will be accessible to the Web user.  This is a
vulnerability that's very unlikely to be exploited by a person, but puts
you at risk of being attacked by viruses/worms/etc.

It's not a bad thing - I do it on my systems - but you have to be
careful.  You should get your network administrator, or at least a
consultant who knows something about NT security, to review your
configuration and make recommendations before you expose it to the wide
world.

	- Ed

Ed McNierney
Chief Mapmaker
TopoZone.com
ed at topozone.com
(978) 251-4242


-----Original Message-----
From: Hankley, Chip [mailto:Chip.Hankley at GASAI.Com]
Sent: Tuesday, July 31, 2001 1:54 PM
To: 'Richard Greenwood'; mapserver-users at lists.gis.umn.edu
Subject: RE: [mapserver-users] msDrawRaster TileIndex TileItem Location HELP!


Richard and I are having the same problem I think...

I'm beginning to think that on NT, your data HAS to be on a local
drive....

Lowell wrote:
 >You might try dumping a simple shapefile over on the share and adding it as
 >a layer in your .map file.  Just to see if things on that level work.

I tried this yesterday and got the same results. I used a map file with one
simple polygon layer. Did it local, worked fine, on a share, didn't work.

 >Have you tried blowing open the privs just to see if that fixes it?

This is possible, does anyone know what USER IIS or PWS acts as on NT? Does
it take on the credentials of whoever is logged in, or is it something more
obscure, like %SYSTEM?

Man, if anyone knows the definitive answer to this, please speak up! This
has some significant ramifications for how I deploy some applications, and
I'm totally stuck.

Chip Hankley
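
An added example, not part of the original thread: a small audit that compares an icacls-style ACL listing against the per-directory rights listed in the reply above (Read on map and template files, Read and Execute on the CGI directory, Read and Write on the output directory). The account name, paths, listing, and the choice of which groups count as domain-wide are constructed assumptions.

```python
import re
# Assumptions, not from the thread: the account name, the three paths, the
# BROAD group list and the icacls-style SAMPLE listing are all constructed.
ACCOUNT = r"EXAMPLE\iis_mapserver"
BROAD = {"Everyone", r"NT AUTHORITY\Authenticated Users", r"EXAMPLE\Domain Users"}
RIGHTS = {"N": set(), "R": {"read"}, "W": {"write"}, "RX": {"read", "execute"},
          "M": {"read", "write", "execute", "delete"}, "F": {"read", "write", "execute", "delete", "full"}}
POLICY = {  # the most the Web account should hold in each place
    r"\\fs1\gis\maps": {"read"},              # template and map files
    r"D:\web\cgi-bin": {"read", "execute"},   # CGI directory
    r"D:\web\tmp": {"read", "write"},         # MapServer output files
}
SAMPLE = r"""
\\fs1\gis\maps BUILTIN\Administrators:(OI)(CI)(F)
               EXAMPLE\Domain Users:(OI)(CI)(M)

D:\web\cgi-bin EXAMPLE\iis_mapserver:(OI)(CI)(R)

D:\web\tmp EXAMPLE\iis_mapserver:(OI)(CI)(R,W)
           Everyone:(F)
"""
ACE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([^)]*\))+)$")

def parse_icacls(text, paths):
    """Yield (path, identity, rights) for each allow entry listed under a known path."""
    current = None
    for line in map(str.strip, text.splitlines()):
        if not line:
            current = None                    # a blank line ends one path's listing
        for p in paths:
            if line.startswith(p + " "):
                current, line = p, line[len(p):].strip()
        m = ACE.match(line)
        groups = re.findall(r"\(([^)]*)\)", m["flags"]) if m else []
        if current and groups and "DENY" not in groups:
            # The last group is the rights mask; unknown tokens are kept so they get flagged.
            yield current, m["who"], set().union(*(RIGHTS.get(t, {t}) for t in groups[-1].split(",")))

def audit(text):
    """Return (path, kind, identity, rights) findings; kind is 'excess' or 'missing'."""
    effective, findings = {p: set() for p in POLICY}, []
    for path, who, granted in parse_icacls(text, POLICY):
        if who == ACCOUNT or who in BROAD:    # grants to broad groups reach the Web account too
            effective[path] |= granted
            if granted - POLICY[path]:
                findings.append((path, "excess", who, sorted(granted - POLICY[path])))
    for path, need in POLICY.items():
        if need - effective[path]:
            findings.append((path, "missing", ACCOUNT, sorted(need - effective[path])))
    return findings
```

On the constructed listing, `audit(SAMPLE)` reports the Domain Users and Everyone grants as excess and the missing Execute right on the CGI directory.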


