[mapserver-users] msDrawRaster TileIndex TileItem Location HELP!
Dave Vieglais
vieglais at ku.edu
Wed Aug 1 14:48:01 PDT 2001
For a good description of how to use mapped network drives with IIS and
the security issues involved, try:
http://support.microsoft.com/support/kb/articles/Q257/1/74.ASP
http://support.microsoft.com/support/kb/articles/Q187/5/06.ASP
is also quite relevant.
Cheers,
Dave V.
>-----Original Message-----
>From: Sam Paske [mailto:spaske at kapur-assoc.com]
>Sent: Wednesday, August 01, 2001 11:23 AM
>To: Ed McNierney
>Cc: mapserver-users at lists.gis.umn.edu
>Subject: RE: [mapserver-users] msDrawRaster TileIndex TileItem Location
>HELP!
>
>
>Ed,
>
>Thanks for the clarification. It *really* does help one understand how
>things work if you can understand the underlying phylosophy.
>The part of
>this that I am most hazy on is where the IUSR_* stops and where the
>SYSTEM
>account starts.
>
>For example, some mapserver users are using the cgi version, which is
>fairly
>straightforward in that the cgi is invoked to execute with IUSR_*
>permissions. (At least that's how I understand it....) But other users
>are
>putting together more complicated servers where scripting hosts are
>executing. I confess thatI have very little knowledge of how, for
>instance,
>IIS->perl->IIS actually works. I believe the cgi version
>spawns a unique
>process for every map session (or request). But I don't understand how
>the
>scripting modules plug into IIS - are they running as a service, or are
>they
>invoked like the cgi version. The implication, in effect, would be that
>you
>would have a fairly priviledged user hitting the web server if the
>scripting
>module was running as more than IUSR_*.
>
>I have a little experience with Cold Fusion (CF), and I know that CF
>must
>run as SYSTEM or some equivalent. So it is possible to mix security
>contexts
>with IIS. (The saving factor is that CF manages it's own security by
>only
>accepting page requests that are "ok" with IIS and by not allowing
>things
>like access to the directory structure unless specifically permitted.)
>
>Getting back to the issue, I noticed that another user thought the
>problem
>might be with the path to the files. Has anyone tried to use a
>microsoft
>Distributed File System? From what I understand, it could be an
>alternative
>if you are using NT4/2000.
>
>Finally, there is a way for a user to access files on a remote machine
>and
>_not_ be a member of the domain. The key is that the "user" must exist
>on
>both machines and must have the same name and password. For example, if
>I
>want an anonymous web user (accessing IIS on the machine named
>"terramapper") to be able to see files on John Doe's computer (named
>"hal9000" let's say) I would need to have the anonymous web user use an
>account with a static name and password. So I create a local account
>called
>INETUSER and give it a password of "password" (couldn't resist). I do
>this
>on BOTH machines. I then have IIS use that account (technically
>INETUSER/TERRAMAPPER), and set the permissions of the web so that
>INETUSER
>can read the necesary files. I then go over to hal9000 and
>give INETUSER
>(technically INETUSER/HAL9000) the right to see a few shape files and
>directories. (I make sure that the files are not under My Documents for
>reasons I won't go into.) Then, paths and drive mapping aside, the IIS
>user
>should have the ability to see the remote files.
>
>Hope I didn't confuse the issue!
>
>Sam
>
>-----Original Message-----
>From: Ed McNierney [mailto:ed at topozone.com]
>Sent: Tuesday, July 31, 2001 7:11 PM
>To: Sam Paske; Hankley, Chip
>Cc: mapserver-users at lists.gis.umn.edu
>Subject: RE: [mapserver-users] msDrawRaster TileIndex TileItem Location
>HELP!
>
>
>Sam et al. -
>
>I think I covered a lot of this with my previous post, but there seems
>to be enough interest to warrant some clarification. I've worked with
>both Windows and UNIX networks for a long time, and I don't find either
>particularly hard to manage or easy to manage, but they're certainly
>different. It's really worth spending some time understanding the
>philosophy behind Windows networking before you expose your network
>assets to the world.
>
>One of the fundamental precepts of Windows NT/2000 security is that
>EVERY access to every resource on every system is done through a
>security context. For most purposes, it's simple enough to think of
>this as a user context or user login. For every operation there is
>always the notion of an authenticated user context. In particular, the
>comment "This user is considered anonymous and has not authenticated in
>any way" is correct from a Web site security point of view (no dialog
>box popped up when someone tried to access your Web page) but it is
>completely incorrect from a Windows networking point of view.
>
>When a Web site developer tells IIS to permit anonymous access to a Web
>site, or to a page on a site, Windows basically says "OK, since all
>those Web users look the same to me, and they haven't logged in
>anywhere, YOU give me a valid user account and password for them to
>use." This is the role served, by default, by the IUSR_<machinename>
>account. You can change that to any account you like, but
>obviously all
>Web visitors use the same account because there's no way to tell them
>apart.
>
>Although (as someone mentioned) the Web server itself (IIS) is running
>under the local SYSTEM account, it impersonates the IUSR_<machinename>
>account for all access to files and other resources. This includes
>every single file, even if your Web server is doing nothing but serving
>one, simple HTML file. The IUSR_<machinename> account must have Read
>access to that file.
>
>Windows networking supports local machine accounts and domain accounts.
>Local machine accounts can ONLY have access to resources on their local
>machine. Domain accounts can use resources on any machine on the
>network, provided they are granted access rights to those resources.
>
>You CAN'T sit down at machine FOO and set the permissions on a file to
>give BAR\IUSR_BAR Read access to that file. (BAR\IUSR_BAR means the
>local account IUSR_BAR on the MACHINE named BAR.) If FOO and BAR are
>members of a domain named BAZ, then you can grant access (on
>FOO) to any
>domain account (BAZ\Guest or BAZ\Administrator or anything).
>
>If you want IIS to grant an anonymous Web visitor rights to read any
>file that's not on the local IIS machine, you MUST change IIS' default
>(and conservative) setting and assign a domain user account for it to
>use. You can then set the access rights on any file or other resource
>to grant that domain user account access. That machine must
>have access
>to a domain controller so the IIS login account can be authenticated
>when the first anonymous access occurs.
>
>Always create an account that is used only for this purpose;
>don't share
>another account. Always realize that this account can potentially have
>access to any resource on your network, so be careful.
>
> - Ed
>
>Ed McNierney
>Chief Mapmaker
>TopoZone.com
>
>-----Original Message-----
>From: Sam Paske [mailto:spaske at kapur-assoc.com]
>Sent: Tuesday, July 31, 2001 5:32 PM
>To: Hankley, Chip
>Cc: mapserver-users at lists.gis.umn.edu
>Subject: RE: [mapserver-users] msDrawRaster TileIndex TileItem Location
>HELP!
>
>
>I remember wrestling with user priviledge issues when I first set up a
>mapserver site. I went around the issue a few times trying to get the
>cgi to
>work, yet restrict access to the map file (because that file contains
>drive
>and data path information, which could help compromise a server...).
>
>The user accessing the content, if coming from the internet, should be
>IUSR_* (the * could be a computer name or something else). This user is
>considered anonymous and has not authenticated in any way. Check your
>IIS
>directory security properties and see how your users are authenticating
>-
>you could be allowing a range of users to log on, from anonymous to
>domain
>authenticated.
>
>The domain of this user will most likely not be the domain(s) in which
>the
>machine is a member, but the machine name itself. In other
>words, IUSR_*
>is
>not a member of any domain. This is how our Win2000 server works. So if
>you
>want an internet user to have access to a file, you must explicitly
>grant
>IUSR_* access to the file, but that could be complicated if the file is
>on
>another machine in the domain. That machine may require _authorized_
>(and
>authentic) users to be members of the domain, and that would not be a
>good
>idea for the anonymous internet account.
>
>Of course, this all depends on what user is accessing the file. Perhaps
>the
>anonymous user is not actually accessing the data files - the server
>software is. If the server software is accessing a file as admin (or
>similar), can it access the domain? I doubt it, because it is running
>under
>a local account, not a domain account. There are Microsoft protocols
>that
>can be used to access/execute files on other machines, but I am not too
>familiar with them.
>
>That is the extent of my Windows knowledge, and our guru is
>gone for the
>day. (And not because windows networks are sooo easy to administer....
>:)
>
>Sam Paske
>Kapur AGS
>
>
>
>-----Original Message-----
>From: owner-mapserver-users at lists.gis.umn.edu
>[mailto:owner-mapserver-users at lists.gis.umn.edu]On Behalf Of Hankley,
>Chip
>Sent: Tuesday, July 31, 2001 12:54 PM
>To: 'Richard Greenwood'; mapserver-users at lists.gis.umn.edu
>Subject: RE: [mapserver-users] msDrawRaster TileIndex TileItem Location
>HELP!
>
>
>Richard and I are having the same problem I think...
>
>I'm beginning to think that on NT, your data HAS to be on a local
>drive....
>
>Lowell wrote:
> >You might try dumping a simple shapefile over on the share and adding
>it
>as
> >a layer in your .map file. Just to see if things on that level work.
>
>I tried this yesterday and got the same results. I used a map file with
>one
>simple polygon layer. Did it local, worked fine, on a share, didnt'
>work.
>
> >Have you tried blowing open the privs just to see if that fixes it?
>
>This is possible, does anyone know what USER IIS or PWS acts as on NT?
>Does
>it take on the credentials of whoever is logged in, or is it something
>more
>obsure, like %SYSTEM?
>
>Man, if anyone knows the definitive answer to this, please speak up!
>This
>has some significant ramifications for how I deploy some applications,
>and
>I'm totally stuck.
>
>Chip Hankley
>
More information about the MapServer-users
mailing list