Request #34871 php isapi does not impersonate app. pool user
Submitted: 2005-10-14 14:56 UTC Modified: 2010-02-12 19:10 UTC
From: giunta dot gaetano at sea-aeroportimilano dot it Assigned:
Status: Wont fix Package: Feature/Change Request
PHP Version: * OS: windows
Private report: No CVE-ID: None
 [2005-10-14 14:56 UTC] giunta dot gaetano at sea-aeroportimilano dot it
Description:
------------
I had a very hard time trying to figure out which user will be used to actually run the php processes on IIS 6+php isapi.

The server is configured in non-IIS5-compliant security mode, and php runs fine, but it keeps using the windows user account configured for anonymous website access, instead of the user account set for the Application Pool connected to the website in question.

All MS docs state that web apps run under the user account/using the privileges of the account defined for the App. Pool (by default NETWORK SERVICE).

User comments on the online manual vary wildly: some users seem to have had success in using the app. pool user, some using the anonymous connection user.

Docs at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx#EGAA
indicate that in order for the web app to exhibit this behaviour, it has to call the Win32 API RevertToSelf function, of which I could find no trace in the php source code, except for the FCGI module...

Am I missing something?


 [2005-10-14 15:04 UTC] wez@php.net
How did you determine that it isn't impersonating?

 [2005-10-14 15:12 UTC] giunta dot gaetano at sea-aeroportimilano dot it
Quick test:
Anonymous access for IIS set to IUSR_XXX; App Pool user set to IWAM_XXX; set a .txt file permissions to 'read access only for IWAM_XXX' and called readfile() on it.
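
An added example, not part of the original report or of PHP itself: the quick test above extended to two probe files, so one request can tell whether the script is reading files as the application pool account or as the anonymous-access account. The file paths and the helper names `can_open()` and `classify()` are hypothetical; create each probe file yourself and restrict its NTFS read permission to the single account named in the comment.

```php
<?php
// Added diagnostic, not from the bug report. Both paths are hypothetical.
const PROBES = [
    'pool' => 'C:\\probe\\pool_only.txt', // ACL: read for the app pool account only
    'anon' => 'C:\\probe\\anon_only.txt', // ACL: read for the anonymous account only
];

// Attempt a real open. The OS checks the open against the token the request
// thread is using, which is what the readfile() quick test relies on.
function can_open(string $path): bool
{
    $handle = @fopen($path, 'rb');
    if ($handle === false) {
        return false;
    }
    fclose($handle);
    return true;
}

// Map the two probe results to a conclusion about the effective identity.
function classify(bool $pool, bool $anon): string
{
    if ($pool && !$anon) {
        return 'file access uses the application pool account';
    }
    if (!$pool && $anon) {
        return 'file access uses the anonymous-access account (impersonation active)';
    }
    if ($pool && $anon) {
        return 'inconclusive: both probes readable, ACLs are too permissive';
    }
    return 'inconclusive: neither probe readable, check paths and ACLs';
}

$pool = can_open(PROBES['pool']);
$anon = can_open(PROBES['anon']);

header('Content-Type: text/plain');
printf("pool-only probe readable: %s\n", $pool ? 'yes' : 'no');
printf("anon-only probe readable: %s\n", $anon ? 'yes' : 'no');
printf("result: %s\n", classify($pool, $anon));
```

The two inconclusive outcomes matter: a probe that both accounts can read, or that neither can, says nothing about which identity the request is running under.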
 [2005-11-01 22:27 UTC] sniper@php.net
Are you sure you're doing it the right way (tm) ?

 [2005-11-02 11:03 UTC] giunta dot gaetano at sea-aeroportimilano dot it
I tried to change every single bit of IIS and PHP configuration to my best, but of course I cannot be 100% sure...

The hint that pointed me to file a bug was the aforementioned MS technet article, that explicitly states that IIS apps must call the RevertToSelf function, and I could find no trace of that call in the ISAPI source dir.

PS: as a side note: 'impersonation' as mentioned in the php docs looks to be the reverse process of what I am trying to accomplish: one case is for websites that have guest access disabled and the scripts have to run with the privileges of the single user account used to log in to the website, the other is for websites with guest access enabled and the scripts have to run with app. pool account instead of iis guest account.
 [2010-02-12 19:10 UTC] pajoye@php.net
Use fastcgi for IIS.
Last updated: Fri Apr 19 09:01:27 2024 UTC