php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #34871 php isapi does not impersonate app. pool user
Submitted: 2005-10-14 14:56 UTC Modified: 2010-02-12 19:10 UTC
From: giunta dot gaetano at sea-aeroportimilano dot it Assigned:
Status: Wont fix Package: Feature/Change Request
PHP Version: * OS: windows
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: giunta dot gaetano at sea-aeroportimilano dot it
New email:
PHP Version: OS:

 

 [2005-10-14 14:56 UTC] giunta dot gaetano at sea-aeroportimilano dot it
Description:
------------
I had a very hard time trying to figure out which user will be used to actually run the php processes on IIS 6+php isapi.

The server is configured in non-IIS5-compliant security mode, and php runs fine, but it keeps using the windows user account configured for anonymous website access, instead of the user account set for the Application Pool connected to the website in question.

All MS docs state that web apps run under the user account/using the privileges of the account defined for the App. Pool (by default NETWORK SERVICE).

User comments on the online manual vary wildly: some users seem to have had success in using the app. pool user, some using the anonymous connection user.

Docs at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx#EGAA
indicate that in order for the web app to exibhit this behaviour, it has to call the he Win32API RevertToSelf function, of which I sould finnd no trace in the php source code, except for the FCGI module...

Am I missing something?


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-10-14 15:04 UTC] wez@php.net
How did you determine that it isn't impersonating?

 [2005-10-14 15:12 UTC] giunta dot gaetano at sea-aeroportimilano dot it
Quick test:
Anonymous access for IIS set to IUSR_XXX; App Pool user set to IWAM_XXX; set a .txt file permissions to 'read access only for IWAM_XXX' and called readfile() on it.
 [2005-11-01 22:27 UTC] sniper@php.net
Are you sure you're doing it the right way (tm) ?

 [2005-11-02 11:03 UTC] giunta dot gaetano at sea-aeroportimilano dot it
I tried to change every single bit of IIS and PHP configuration to my best, but of course I cannot be 100% sure...

The hint that pointed me to file a bug was the aforementioned MS technet article, that explicitly states that IIS apps must call the RevertToSelf function, and I could find no trace of that call in the ISAPI source dir.

PS: as a side note: 'impersonation' as mentioned in the php docs looks to be the reverse process of what I am trying to accomplish: one case is for websites that have guest access disabled and the scripts have to run with the privileges of the single user account used to log in into the website, the other is for websites with guest access enabled and the scripts have to run with app. pool account instead of iis guest account.
 [2010-02-12 19:10 UTC] pajoye@php.net
Use fastcgi for IIS.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 27 01:01:28 2024 UTC