msing Posted March 12, 2007

Hey,

I'm running PHP 5.2.1 with IIS 6.0. Generally, what I'd like to know is if I can give PHP (or the webserver, whatever account it is that executes the PHP code) access to read files, without giving the IUSR account NTFS access to the files.

More specifically, here is the problem that I'm having: all of the pages (which are all just index.php files within their own directory) in my site include a shared nav bar which reports the "time last modified" of any file within the top directory. Now I want to remove the access for 'Everyone' (which includes IUSR) from certain directories, so that some directories need a user/pass to view, and some don't.

The problem is that EVERY page includes the nav bar whose script reads "file modification time" information from ALL of the directories. So when you view a page that doesn't need special credentials (i.e. allows read access to 'Everyone' and thus to IUSR), it loads as far as the nav bar, but kills any subsequent processing of the page upon hitting the "last file modified" script, since it can't read that info from the protected directories. The script in the nav bar works fine when viewing the protected directories, since you've already authorized yourself. But for anyone viewing the non-protected pages, this problem happens.

So I'd like to know if there is a way to allow PHP read access to all files in my site without also allowing IUSR read access to all files. What I effectively want to do is add the "PHP service account" access to the entire site, and then remove 'Everyone' access to certain directories. However, I know that PHP doesn't have such an account. So I need a way to do the equivalent.

Thanks in advance,
== Matt
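An added example, not part of the original post and not the poster's nav bar script: one way to keep the "last modified" lookup from aborting the page when the request identity (IUSR for anonymous visitors) is denied on some directories. It grants no extra access, so the reported time covers only what that account can read; the function name and the choice of root directory are assumptions.

```php
<?php
// Added example, not the poster's code. Function name and root are assumptions.
// Returns the newest file mtime under $root plus the paths that could not be read.
function latest_mtime_readable($root)
{
    $latest  = 0;
    $skipped = array();
    $stack   = array($root);
    while (count($stack) > 0) {
        $dir = array_pop($stack);
        // scandir() returns false when the process identity (IUSR for an
        // anonymous request) lacks list permission on the directory.
        $entries = @scandir($dir);
        if ($entries === false) {
            $skipped[] = $dir;
            continue;
        }
        foreach ($entries as $name) {
            if ($name === '.' || $name === '..') {
                continue;
            }
            $path = $dir . DIRECTORY_SEPARATOR . $name;
            if (is_link($path)) {
                continue;               // do not follow links out of the tree
            }
            if (is_dir($path)) {
                $stack[] = $path;       // descend later
                continue;
            }
            $mtime = @filemtime($path); // false when the file cannot be stat'ed
            if ($mtime === false) {
                $skipped[] = $path;
                continue;
            }
            $latest = max($latest, $mtime);
        }
    }
    return array('latest' => $latest, 'skipped' => $skipped);
}

$result = latest_mtime_readable(dirname(__FILE__));
// Log denied paths server-side; never echo them, they name protected directories.
if (count($result['skipped']) > 0) {
    error_log('nav bar: ' . count($result['skipped']) . ' unreadable path(s) skipped');
}
echo $result['latest'] > 0
    ? 'Last modified: ' . date('Y-m-d H:i', $result['latest'])
    : 'Last modified: unavailable';
```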
msing Posted March 12, 2007

*bump*

I'm also having this problem (I think it's the same basic problem) when I load a protected page (by typing a user/pass) and then use a form on that page whose action attribute refers to a file in a subdirectory. It would seem as though the form needs to load the page in the subdirectory, but can't because the subdirectory (via inheriting permissions) needs a user/pass and doesn't prompt for it since it's actually the form that's doing the redirection to that page.

I dunno if that makes sense, but when I take off the password on the form directory the form works correctly and loads the page in the subdirectory as per the form's instructions. More specifically, when the form directory is protected and you use the form it loads the "no input file specified" error page, as if the page to which the form is directing you doesn't exist (or in this case is inaccessible).
msing Posted March 12, 2007

*bump* for Monday. () <--- Nuts to DST.
msing Posted March 12, 2007

I did manage to find this MS KB article listed on this php.net faq page describing IIS's inability to allow CGI requests to open pages in protected directories. It seems to fit perfectly with the problem mentioned in my second post in this thread. I suppose it could be the cause of the problem in the first post as well. The only workaround options MS offers, however, are:

• Modify the registry to run all applications as the system. Under the W3SVC/Parameters, place the value CreateProcessAsUser as a REG_DWORD and give it a value of 0. This causes the CGI to be run with the CreateProcess API and run in the system context. This has serious security implications because CGI scripts will have much greater access to the system than they normally would. Note: All users would be able to launch CGI no matter what user they are authenticated as.
• You can also run the CGI/ISAPI from a secured web page. If you run it from a secured web page, you will have to either be authenticated by Basic or NT Challenge. When you click the URL for the CGI/ISAPI, it will pass the REMOTE_USER environment variable, and the CreateProcessAsUser API will use that user to run the CGI. Anonymous will not be used in that instance because a user account has already been passed to the server.
• Turn off Anonymous access to the server, and use only Basic or NT Challenge.

The first bullet point above is just lame. No one is going to allow any and all CGI applications to run as System. The second is alright, but I'd rather not have to go setting up a secure server for the simple web interface stuff for which this site was made. The third point could be possible if I were to turn off anon access for only the protected directories. I'll give that a try.

Other than that, the php.net faq page entry suggests simply letting a non-PHP-parsed html page do the jumping into the protected directory. This is also possible, but then I'd have to pass all my variables from my php page to an html page, and THEN have that html page auto-redirect (to prevent further need for user-interaction) into the protected directory. I'm not even sure how you go about passing variables into a pure-html webpage. Javascript maybe? I've never had experience passing variables to a non-CGI page. But I suppose it'd be worth looking up.

So I've got a couple things to try now. Oui.