[mapserver-users] msDrawRaster TileIndex TileItem Location HELP!

Sam Paske spaske at kapur-assoc.com
Tue Jul 31 17:32:22 EDT 2001 

I remember wrestling with user priviledge issues when I first set up a
mapserver site. I went around the issue a few times trying to get the cgi to
work, yet restrict access to the map file (because that file contains drive
and data path information, which could help compromise a server...).

The user accessing the content, if coming from the internet, should be
IUSR_* (the * could be a computer name or something else). This user is
considered anonymous and has not authenticated in any way. Check your IIS
directory security properties and see how your users are authenticating -
you could be allowing a range of users to log on, from anonymous to domain
authenticated.

The domain of this user will most likely not be the domain(s) in which the
machine is a member, but the machine name itself. In other words, IUSR_* is
not a member of any domain. This is how our Win2000 server works. So if you
want an internet user to have access to a file, you must explicitly grant
IUSR_* access to the file, but that could be complicated if the file is on
another machine in the domain. That machine may require _authorized_ (and
authentic) users to be members of the domain, and that would not be a good
idea for the anonymous internet account.

Of course, this all depends on what user is accessing the file. Perhaps the
anonymous user is not actually accessing the data files - the server
software is. If the server software is accessing a file as admin (or
similar), can it access the domain? I doubt it, because it is running under
a local account, not a domain account. There are Microsoft protocols that
can be used to access/execute files on other machines, but I am not too
familiar with them.

That is the extent of my Windows knowledge, and our guru is gone for the
day. (And not because windows networks are sooo easy to administer.... :)

Sam Paske
Kapur AGS



-----Original Message-----
From: owner-mapserver-users at lists.gis.umn.edu
[mailto:owner-mapserver-users at lists.gis.umn.edu]On Behalf Of Hankley,
Chip
Sent: Tuesday, July 31, 2001 12:54 PM
To: 'Richard Greenwood'; mapserver-users at lists.gis.umn.edu
Subject: RE: [mapserver-users] msDrawRaster TileIndex TileItem Location
HELP!


Richard and I are having the same problem I think...

I'm beginning to think that on NT, your data HAS to be on a local drive....

Lowell wrote:
 >You might try dumping a simple shapefile over on the share and adding it
as
 >a layer in your .map file.  Just to see if things on that level work.

I tried this yesterday and got the same results. I used a map file with one
simple polygon layer. Did it local, worked fine, on a share, didnt' work.

 >Have you tried blowing open the privs just to see if that fixes it?

This is possible, does anyone know what USER IIS or PWS acts as on NT? Does
it take on the credentials of whoever is logged in, or is it something more
obsure, like %SYSTEM?

Man, if anyone knows the definitive answer to this, please speak up! This
has some significant ramifications for how I deploy some applications, and
I'm totally stuck.

Chip Hankley

More information about the mapserver-users mailing list