[mapserver-users] msDrawRaster TileIndex TileItem Location HELP!

Ed McNierney ed at topozone.com
Wed Aug 1 11:57:10 PDT 2001


Sam -

The fact that IIS runs as a service under the SYSTEM account is
basically irrelevant.  For all practical purposes, for a Web site with
anonymous access, everything it does is under the security context of
the IUSR_<machinename> or equivalent account.

I have used MapServer with DFS mapped drives - it works fine.  It is,
however, subject to exactly the same security constraints.  It's well
worth looking into, because it offers a network-wide namespace
organization.  But it does not change the security constraints we've
been discussing here.

Your last point is interesting - and a little surprising.  Presumably
this is part of the reason the machinename is included by default in the
anonymous user account - to prevent such access.  I'll have to look into
that a bit more (BTW, Windows accounts are usually typed as <machine or
domain>\<username>, so your examples are HAL9000\INETUSER and
TERRAMAPPER\INETUSER).

	- Ed

-----Original Message-----
From: Sam Paske [mailto:spaske at kapur-assoc.com]
Sent: Wednesday, August 01, 2001 11:23 AM
To: Ed McNierney
Cc: mapserver-users at lists.gis.umn.edu
Subject: RE: [mapserver-users] msDrawRaster TileIndex TileItem Location
HELP!


Ed,

Thanks for the clarification. It *really* does help one understand how
things work if you can understand the underlying philosophy. The part of
this that I am most hazy on is where the IUSR_* stops and where the
SYSTEM account starts.

For example, some mapserver users are using the cgi version, which is
fairly straightforward in that the cgi is invoked to execute with IUSR_*
permissions. (At least that's how I understand it....) But other users
are putting together more complicated servers where scripting hosts are
executing. I confess that I have very little knowledge of how, for
instance, IIS->perl->IIS actually works. I believe the cgi version spawns
a unique process for every map session (or request). But I don't
understand how the scripting modules plug into IIS - are they running as
a service, or are they invoked like the cgi version. The implication, in
effect, would be that you would have a fairly privileged user hitting the
web server if the scripting module was running as more than IUSR_*.

I have a little experience with Cold Fusion (CF), and I know that CF
must run as SYSTEM or some equivalent. So it is possible to mix security
contexts with IIS. (The saving factor is that CF manages its own security
by only accepting page requests that are "ok" with IIS and by not
allowing things like access to the directory structure unless
specifically permitted.)

Getting back to the issue, I noticed that another user thought the
problem might be with the path to the files. Has anyone tried to use a
Microsoft Distributed File System? From what I understand, it could be an
alternative if you are using NT4/2000.

Finally, there is a way for a user to access files on a remote machine
and _not_ be a member of the domain. The key is that the "user" must
exist on both machines and must have the same name and password. For
example, if I want an anonymous web user (accessing IIS on the machine
named "terramapper") to be able to see files on John Doe's computer
(named "hal9000" let's say) I would need to have the anonymous web user
use an account with a static name and password. So I create a local
account called INETUSER and give it a password of "password" (couldn't
resist). I do this on BOTH machines. I then have IIS use that account
(technically INETUSER/TERRAMAPPER), and set the permissions of the web so
that INETUSER can read the necessary files. I then go over to hal9000 and
give INETUSER (technically INETUSER/HAL9000) the right to see a few shape
files and directories. (I make sure that the files are not under My
Documents for reasons I won't go into.) Then, paths and drive mapping
aside, the IIS user should have the ability to see the remote files.

Hope I didn't confuse the issue!

Sam

-----Original Message-----
From: Ed McNierney [mailto:ed at topozone.com]
Sent: Tuesday, July 31, 2001 7:11 PM
To: Sam Paske; Hankley, Chip
Cc: mapserver-users at lists.gis.umn.edu
Subject: RE: [mapserver-users] msDrawRaster TileIndex TileItem Location
HELP!


Sam et al. -

I think I covered a lot of this with my previous post, but there seems
to be enough interest to warrant some clarification.  I've worked with
both Windows and UNIX networks for a long time, and I don't find either
particularly hard to manage or easy to manage, but they're certainly
different.  It's really worth spending some time understanding the
philosophy behind Windows networking before you expose your network
assets to the world.

One of the fundamental precepts of Windows NT/2000 security is that
EVERY access to every resource on every system is done through a
security context.  For most purposes, it's simple enough to think of
this as a user context or user login.  For every operation there is
always the notion of an authenticated user context.  In particular, the
comment "This user is considered anonymous and has not authenticated in
any way" is correct from a Web site security point of view (no dialog
box popped up when someone tried to access your Web page) but it is
completely incorrect from a Windows networking point of view.

When a Web site developer tells IIS to permit anonymous access to a Web
site, or to a page on a site, Windows basically says "OK, since all
those Web users look the same to me, and they haven't logged in
anywhere, YOU give me a valid user account and password for them to
use."  This is the role served, by default, by the IUSR_<machinename>
account.  You can change that to any account you like, but obviously all
Web visitors use the same account because there's no way to tell them
apart.

Although (as someone mentioned) the Web server itself (IIS) is running
under the local SYSTEM account, it impersonates the IUSR_<machinename>
account for all access to files and other resources.  This includes
every single file, even if your Web server is doing nothing but serving
one, simple HTML file.  The IUSR_<machinename> account must have Read
access to that file.

Windows networking supports local machine accounts and domain accounts.
Local machine accounts can ONLY have access to resources on their local
machine.  Domain accounts can use resources on any machine on the
network, provided they are granted access rights to those resources.

You CAN'T sit down at machine FOO and set the permissions on a file to
give BAR\IUSR_BAR Read access to that file.  (BAR\IUSR_BAR means the
local account IUSR_BAR on the MACHINE named BAR.)  If FOO and BAR are
members of a domain named BAZ, then you can grant access (on FOO) to any
domain account (BAZ\Guest or BAZ\Administrator or anything).

If you want IIS to grant an anonymous Web visitor rights to read any
file that's not on the local IIS machine, you MUST change IIS' default
(and conservative) setting and assign a domain user account for it to
use.  You can then set the access rights on any file or other resource
to grant that domain user account access.  That machine must have access
to a domain controller so the IIS login account can be authenticated
when the first anonymous access occurs.

Always create an account that is used only for this purpose; don't share
another account.  Always realize that this account can potentially have
access to any resource on your network, so be careful.

	- Ed

Ed McNierney
Chief Mapmaker
TopoZone.com
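
A diagnostic added here (not code from the thread or from the MapServer
project) for the model Ed describes: since every file access runs under the
impersonated IUSR_<machinename> context, the useful check is whether that
context can open each data file a .map references, including a TILEINDEX on
another machine's share. It parses the SHAPEPATH/DATA/TILEINDEX keywords of a
constructed sample mapfile; run as a CGI under IIS it would report the
impersonated account's real access rather than the administrator's.

```python
"""Added diagnostic: list the data files a MapServer .map references and test
whether the account this process runs under can read each one."""
import ntpath, os, re, tempfile

# Constructed sample .map: relative DATA under SHAPEPATH plus a TILEINDEX on a UNC share.
SAMPLE_MAPFILE = r'''MAP
  SHAPEPATH "C:\inetpub\gisdata"
  LAYER  NAME "roads"  TYPE LINE
    DATA "roads.shp"
  END
  LAYER  NAME "drg"  TYPE RASTER
    TILEINDEX "\\hal9000\gis\drg_index.shp"  TILEITEM "LOCATION"
  END
END'''
_PATH_KEY = re.compile(r'^\s*(SHAPEPATH|DATA|TILEINDEX)\s+"([^"]+)"', re.M | re.I)

def extract_data_paths(mapfile_text):
    """Mapfile data paths; relative ones resolved against SHAPEPATH with Windows rules."""
    shapepath, paths = "", []
    for key, value in _PATH_KEY.findall(mapfile_text):
        if key.upper() == "SHAPEPATH":
            shapepath = value
        elif shapepath and not ntpath.isabs(value):
            paths.append(ntpath.join(shapepath, value))
        else:
            paths.append(value)
    return paths

def check_read_access(paths):
    """Open each path in the current security context (under IIS anonymous
    access that is the impersonated IUSR_<machinename>) and report the result."""
    report = {}
    for p in paths:
        try:
            with open(p, "rb") as fh:
                fh.read(1)
            report[p] = "readable"
        except OSError as err:
            report[p] = "DENIED (%s)" % (err.strerror or type(err).__name__)
    return report

def demo():
    """Constructed run: one shapefile stub that exists, one tile index that does not."""
    tmp = tempfile.mkdtemp()
    roads, index = os.path.join(tmp, "roads.shp"), os.path.join(tmp, "drg_index.shp")
    with open(roads, "wb") as fh:
        fh.write(b"\0" * 100)
    text = 'MAP\n LAYER\n DATA "%s"\n END\n LAYER\n TILEINDEX "%s"\n END\nEND' % (roads, index)
    return check_read_access(extract_data_paths(text))
```

A "DENIED" entry for a UNC path while the same file opens fine from an
interactive login is the symptom of the local-account limitation Ed
describes, not of a bad path.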

-----Original Message-----
From: Sam Paske [mailto:spaske at kapur-assoc.com]
Sent: Tuesday, July 31, 2001 5:32 PM
To: Hankley, Chip
Cc: mapserver-users at lists.gis.umn.edu
Subject: RE: [mapserver-users] msDrawRaster TileIndex TileItem Location
HELP!


I remember wrestling with user privilege issues when I first set up a
mapserver site. I went around the issue a few times trying to get the
cgi to work, yet restrict access to the map file (because that file
contains drive and data path information, which could help compromise a
server...).

The user accessing the content, if coming from the internet, should be
IUSR_* (the * could be a computer name or something else). This user is
considered anonymous and has not authenticated in any way. Check your
IIS directory security properties and see how your users are
authenticating - you could be allowing a range of users to log on, from
anonymous to domain authenticated.

The domain of this user will most likely not be the domain(s) in which
the machine is a member, but the machine name itself. In other words,
IUSR_* is not a member of any domain. This is how our Win2000 server
works. So if you want an internet user to have access to a file, you
must explicitly grant IUSR_* access to the file, but that could be
complicated if the file is on another machine in the domain. That
machine may require _authorized_ (and authentic) users to be members of
the domain, and that would not be a good idea for the anonymous internet
account.

Of course, this all depends on what user is accessing the file. Perhaps
the anonymous user is not actually accessing the data files - the server
software is. If the server software is accessing a file as admin (or
similar), can it access the domain? I doubt it, because it is running
under a local account, not a domain account. There are Microsoft
protocols that can be used to access/execute files on other machines,
but I am not too familiar with them.

That is the extent of my Windows knowledge, and our guru is gone for the
day. (And not because Windows networks are sooo easy to administer....
:)

Sam Paske
Kapur AGS



-----Original Message-----
From: owner-mapserver-users at lists.gis.umn.edu
[mailto:owner-mapserver-users at lists.gis.umn.edu] On Behalf Of Hankley, Chip
Sent: Tuesday, July 31, 2001 12:54 PM
To: 'Richard Greenwood'; mapserver-users at lists.gis.umn.edu
Subject: RE: [mapserver-users] msDrawRaster TileIndex TileItem Location
HELP!


Richard and I are having the same problem I think...

I'm beginning to think that on NT, your data HAS to be on a local
drive....

Lowell wrote:
 >You might try dumping a simple shapefile over on the share and adding it
 >as a layer in your .map file.  Just to see if things on that level work.

I tried this yesterday and got the same results. I used a map file with
one simple polygon layer. Did it local, worked fine, on a share, didn't
work.

 >Have you tried blowing open the privs just to see if that fixes it?

This is possible, does anyone know what USER IIS or PWS acts as on NT?
Does it take on the credentials of whoever is logged in, or is it
something more obscure, like %SYSTEM?

Man, if anyone knows the definitive answer to this, please speak up!
This has some significant ramifications for how I deploy some
applications, and I'm totally stuck.

Chip Hankley
