[mapserver-users] msDrawRaster TileIndex TileItem Location HELP!
Ed McNierney
ed at topozone.com
Tue Jul 31 17:10:31 PDT 2001
Sam et al. -
I think I covered a lot of this with my previous post, but there seems
to be enough interest to warrant some clarification. I've worked with
both Windows and UNIX networks for a long time, and I don't find either
particularly hard to manage or easy to manage, but they're certainly
different. It's really worth spending some time understanding the
philosophy behind Windows networking before you expose your network
assets to the world.
One of the fundamental precepts of Windows NT/2000 security is that
EVERY access to every resource on every system is done through a
security context. For most purposes, it's simple enough to think of
this as a user context or user login. For every operation there is
always the notion of an authenticated user context. In particular, the
comment "This user is considered anonymous and has not authenticated in
any way" is correct from a Web site security point of view (no dialog
box popped up when someone tried to access your Web page) but it is
completely incorrect from a Windows networking point of view.
When a Web site developer tells IIS to permit anonymous access to a Web
site, or to a page on a site, Windows basically says "OK, since all
those Web users look the same to me, and they haven't logged in
anywhere, YOU give me a valid user account and password for them to
use." This is the role served, by default, by the IUSR_<machinename>
account. You can change that to any account you like, but obviously all
Web visitors use the same account because there's no way to tell them
apart.
Although (as someone mentioned) the Web server itself (IIS) is running
under the local SYSTEM account, it impersonates the IUSR_<machinename>
account for all access to files and other resources. This includes
every single file, even if your Web server is doing nothing but serving
one, simple HTML file. The IUSR_<machinename> account must have Read
access to that file.
Windows networking supports local machine accounts and domain accounts.
Local machine accounts can ONLY have access to resources on their local
machine. Domain accounts can use resources on any machine on the
network, provided they are granted access rights to those resources.
You CAN'T sit down at machine FOO and set the permissions on a file to
give BAR\IUSR_BAR Read access to that file. (BAR\IUSR_BAR means the
local account IUSR_BAR on the MACHINE named BAR.) If FOO and BAR are
members of a domain named BAZ, then you can grant access (on FOO) to any
domain account (BAZ\Guest or BAZ\Administrator or anything).
If you want IIS to grant an anonymous Web visitor rights to read any
file that's not on the local IIS machine, you MUST change IIS' default
(and conservative) setting and assign a domain user account for it to
use. You can then set the access rights on any file or other resource
to grant that domain user account access. That machine must have access
to a domain controller so the IIS login account can be authenticated
when the first anonymous access occurs.
Always create an account that is used only for this purpose; don't share
another account. Always realize that this account can potentially have
access to any resource on your network, so be careful.
- Ed
Ed McNierney
Chief Mapmaker
TopoZone.com
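As an added example (not code from the thread, from IIS or from MapServer), a PowerShell audit that ties Ed's explanation together: it reads the account IIS impersonates for anonymous requests, decides whether that account is local to the machine, and checks its Read ACE on every UNC path a mapfile references. It assumes IIS 7 or later with the WebAdministration module, and the mapfile path is hypothetical.

```powershell
# Added example, not from the thread: audit the account IIS impersonates for anonymous
# requests and test whether it can read mapfile data on a UNC share. Assumes IIS 7+ with
# the WebAdministration module; IUSR_<machinename> as described in the thread is the IIS 4/5 default.
Import-Module WebAdministration

function Get-AnonymousIdentity {
    param([string]$Site = 'Default Web Site')
    $f = 'system.webServer/security/authentication/anonymousAuthentication'
    $enabled = (Get-WebConfigurationProperty -Filter $f -Name enabled -PSPath 'IIS:\' -Location $Site).Value
    $user = (Get-WebConfigurationProperty -Filter $f -Name userName -PSPath 'IIS:\' -Location $Site).Value
    # An empty userName means "use the application pool identity" (IIS 7.5 and later).
    if ([string]::IsNullOrEmpty($user)) {
        $user = 'IIS AppPool\' + (Get-Item "IIS:\Sites\$Site").applicationPool
    }
    [pscustomobject]@{ Enabled = $enabled; Account = $user }
}

function Test-IsLocalAccount {
    param([string]$Account)
    # BAR\IUSR_BAR is local to machine BAR and an app pool identity is virtual;
    # neither can be granted rights on another host, which is the failure in the thread.
    $authority = ($Account -split '\\')[0]
    return ($Account -notmatch '\\') -or ($authority -eq $env:COMPUTERNAME) -or ($authority -eq 'IIS AppPool')
}

function Test-ReadAccess {
    param([string]$Path, [string]$Account)
    # Compare ACEs by SID. Only direct grants are checked, not group membership.
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier])
    $read = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($aceSid -eq $sid -and $ace.AccessControlType -eq 'Allow' -and (([int]$ace.FileSystemRights -band $read) -ne 0)) { return $true }
    }
    return $false
}

# UNC data locations named in the mapfile (SHAPEPATH, DATA, TILEINDEX); the mapfile path is hypothetical.
$mapFile = 'C:\inetpub\wwwroot\maps\site.map'
$remote = Select-String -Path $mapFile -Pattern '^\s*(SHAPEPATH|DATA|TILEINDEX)\s+"?(\\\\[^"\s]+)' |
    ForEach-Object { $_.Matches[0].Groups[2].Value }
$id = Get-AnonymousIdentity
foreach ($p in $remote) {
    if (Test-IsLocalAccount $id.Account) {
        Write-Warning "$p is on another host, but $($id.Account) is a local account and cannot be granted rights there."
    } elseif (-not (Test-ReadAccess -Path $p -Account $id.Account)) {
        Write-Warning "$($id.Account) has no direct Read ACE on $p."
    } else { Write-Host "$p is readable by $($id.Account)" }
}
```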
-----Original Message-----
From: Sam Paske [mailto:spaske at kapur-assoc.com]
Sent: Tuesday, July 31, 2001 5:32 PM
To: Hankley, Chip
Cc: mapserver-users at lists.gis.umn.edu
Subject: RE: [mapserver-users] msDrawRaster TileIndex TileItem Location HELP!
I remember wrestling with user privilege issues when I first set up a mapserver site. I went around the issue a few times trying to get the cgi to work, yet restrict access to the map file (because that file contains drive and data path information, which could help compromise a server...).
The user accessing the content, if coming from the internet, should be IUSR_* (the * could be a computer name or something else). This user is considered anonymous and has not authenticated in any way. Check your IIS directory security properties and see how your users are authenticating - you could be allowing a range of users to log on, from anonymous to domain authenticated.
The domain of this user will most likely not be the domain(s) in which the machine is a member, but the machine name itself. In other words, IUSR_* is not a member of any domain. This is how our Win2000 server works. So if you want an internet user to have access to a file, you must explicitly grant IUSR_* access to the file, but that could be complicated if the file is on another machine in the domain. That machine may require _authorized_ (and authentic) users to be members of the domain, and that would not be a good idea for the anonymous internet account.
Of course, this all depends on what user is accessing the file. Perhaps the anonymous user is not actually accessing the data files - the server software is. If the server software is accessing a file as admin (or similar), can it access the domain? I doubt it, because it is running under a local account, not a domain account. There are Microsoft protocols that can be used to access/execute files on other machines, but I am not too familiar with them.
That is the extent of my Windows knowledge, and our guru is gone for the day. (And not because Windows networks are sooo easy to administer.... :)
Sam Paske
Kapur AGS
-----Original Message-----
From: owner-mapserver-users at lists.gis.umn.edu [mailto:owner-mapserver-users at lists.gis.umn.edu] On Behalf Of Hankley, Chip
Sent: Tuesday, July 31, 2001 12:54 PM
To: 'Richard Greenwood'; mapserver-users at lists.gis.umn.edu
Subject: RE: [mapserver-users] msDrawRaster TileIndex TileItem Location HELP!
Richard and I are having the same problem I think...
I'm beginning to think that on NT, your data HAS to be on a local drive....
Lowell wrote:
>You might try dumping a simple shapefile over on the share and adding it as a layer in your .map file. Just to see if things on that level work.
I tried this yesterday and got the same results. I used a map file with one simple polygon layer. Did it local, worked fine, on a share, didn't work.
>Have you tried blowing open the privs just to see if that fixes it?
This is possible, does anyone know what USER IIS or PWS acts as on NT? Does it take on the credentials of whoever is logged in, or is it something more obscure, like %SYSTEM?
Man, if anyone knows the definitive answer to this, please speak up! This has some significant ramifications for how I deploy some applications, and I'm totally stuck.
Chip Hankley