[mapserver-users] Permissions on Microsoft IIS web server

Ed McNierney ed at topozone.com
Tue May 22 12:58:31 EDT 2001 

Brian -

You do not need to give EVERYONE access.  All IIS Web server requests
are run under an NT security context.  For anonymous access (i.e. public
Web sites) there's no way to differentiate users, so everyone shares the
same security account.  This is normally the IUSR_machinename account
(for example, on a server named FOO it would be the user account named
IUSR_FOO).  Everything done by IIS, including executing the MapServer
CGI executable, is done as if it were being done by the IUSR_machinename
user logged in and sitting at the console.

The only user account that requires read/execute access to the entire
MapServer site directories is the IUSR_machinename account.  You will
also want to leave full access for yourself and for administrators, of
course.  The "tmp" directory, where the images get written, is the only
directory that requires the IUSR_machinename account to have write
permission.

The whole intent of the IUSR_machinename account is that it is ONLY used
by anonymous Web users, and therefore is only given very tightly
controlled access.  It is a local machine account, not a domain account,
so it can't possibly have access to resources outside the machine the
Web server's on.  It is not a member of any of the default groups
(except EVERYONE) so it won't inadvertently be given access it shouldn't
have.

	- Ed

Ed McNierney
Chief Mapmaker
TopoZone.com
(978) 251-4242


-----Original Message-----
From: Brian Fischer [mailto:Brian.Fischer at co.sherburne.mn.us]
Sent: Tuesday, May 22, 2001 11:20 AM
To: mapserver-users at lists.gis.umn.edu
Subject: Re: [mapserver-users] Permissions on Microsoft IIS web server


Sorry I forgot to specify the folder I am talking about is the temp
image folder.  Does this folder need write access by the EVERYONE
account?

Thanks,
Brian

>>> "Brian Fischer" <Brian.Fischer at co.sherburne.mn.us> 05/22/01 08:26AM
>>>
Hi Mapserver users,

I am setting up a site on Microsoft IIS 4.0.  I was wondering if other
mapserver users using IIS could confirm that the EVERYONE account on the
webserver needs to have write permissions.  Everything I have read in
the documentation says the user account needs to have write access.  Our
IS department is worried about is security issues.  Has anyone had
problems with security using this setup?  Is there any other account on
the webserver that could be given write access, instead of the EVERYONE
account?

I have tried the EVERYONE account without write access and I get this
error: saveImage(); Access to file denied.


Thanks,
Brian



Brian Fischer
GIS Coordinator, Sherburne County
13880 US Hwy 10
Elk River, MN 55330
ph. (763) 241-7006

More information about the mapserver-users mailing list