  1. POApplication's AppPool permissions on parent Site folder structure
<h3>ApplicationHost.config Context</h3>
<pre><code>&lt;!-- App Pool --&gt;
&lt;add name="Site - Intranet" autoStart="true" managedRuntimeVersion="v4.0" /&gt;
&lt;add name="App - App1" autoStart="true" managedRuntimeVersion="v4.0" /&gt;
&lt;add name="App - App2" autoStart="true" managedRuntimeVersion="v2.0" /&gt;

&lt;!-- Site --&gt;
&lt;site name="Intranet" id="1" serverAutoStart="true"&gt;
    &lt;application path="/" applicationPool="Site - Intranet"&gt;
        &lt;virtualDirectory path="/" physicalPath="D:\Web\Sites\Intranet" /&gt;
    &lt;/application&gt;
    &lt;application path="/Apps/App1" applicationPool="App - App1"&gt;
        &lt;virtualDirectory path="/" physicalPath="D:\Web\Apps\App1" /&gt;
    &lt;/application&gt;
    &lt;application path="/Apps/App2" applicationPool="App - App2"&gt;
        &lt;virtualDirectory path="/" physicalPath="D:\Web\Apps\App2" /&gt;
    &lt;/application&gt;
&lt;/site&gt;
</code></pre>
<p>As you can see, I have one Site with its own 4.0 CLR app pool and identity, which hosts two separate Applications, each with their own app pools and identities. All three are sandboxed into separate file system locations.</p>
<h3>NTFS Permissions for AppPoolIdentity Accounts</h3>
<p>Permissions must be given to each AppPoolIdentity on its respective folder (ex. <code>IIS AppPool\Site - Intranet</code> needs Read/Execute permissions on <code>D:\Web\Sites\Intranet</code>).</p>
<p>At this point, Application App1 should not be able to read/execute files in its parent Site's physical folder structure. And vice versa, the hosting Site Intranet should not be able to read/execute files within App1's physical folder structure.
<strong><em>Am I understanding that right?</em></strong></p>
<p>When I visit a child application (ex. <code>http://intranet/apps/app1</code>) I get a server error stating that it cannot read the parent Site's <code>web.config</code> file due to insufficient permissions.</p>
<p>If I grant the Application's identity account read/execute permissions on the parent Site's physical folder structure (ex. <code>IIS AppPool\App - App1</code> access to <code>D:\Web\Sites\Intranet</code>) the issue is resolved.</p>
<h3>Question(s)</h3>
<ol>
<li><p>Why does the child Application need to read <code>web.config</code> or any other files from the parent site?</p>
<p><strong>Note:</strong> My parent site's web.config is already breaking child app/vdir inheritance using the <code>&lt;location path="." inheritInChildApplications="false"&gt;</code> technique.</p></li>
<li><p>Given that this identity account has by nature Write permissions on many folders - <a href="https://stackoverflow.com/questions/5437723/iis-apppoolidentity-and-file-system-write-access-permissions">IIS AppPoolIdentity and file system write access permissions</a> - doesn't this introduce a security risk? For instance, couldn't any child application now potentially write to the parent Site's App_Data folder or elsewhere?</p></li>
</ol>
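<p>An added example, not part of the original post: a small Python audit that reads an applicationHost.config fragment like the one in the question and lists, per application, the pool identity, the folder it needs Read/Execute on, and the parent <code>web.config</code> files that the error message in the question refers to. The wrapper elements, the function names <code>is_ancestor</code> and <code>acl_plan</code>, and the undeclared pool name on App2 are assumptions made for the example; whether a grant on the parent file alone is enough is not established by the post.</p>

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample: wrapper elements added so it parses; App2 references an undeclared pool.
SAMPLE = r"""<system.applicationHost>
  <applicationPools>
    <add name="Site - Intranet" />
    <add name="App - App1" />
    <add name="App - App2" />
  </applicationPools>
  <site name="Intranet" id="1">
    <application path="/" applicationPool="Site - Intranet">
      <virtualDirectory path="/" physicalPath="D:\Web\Sites\Intranet" />
    </application>
    <application path="/Apps/App1" applicationPool="App - App1">
      <virtualDirectory path="/" physicalPath="D:\Web\Apps\App1" />
    </application>
    <application path="/Apps/App2" applicationPool="Application - App2">
      <virtualDirectory path="/" physicalPath="D:\Web\Apps\App2" />
    </application>
  </site>
</system.applicationHost>"""

def is_ancestor(parent, child):  # True when URL path `parent` sits above `child`
    return parent != child and (parent == "/" or child.startswith(parent + "/"))

def acl_plan(config_xml):
    """Per application: its pool identity, own folder, and parent web.config files."""
    root = ET.fromstring(config_xml)
    pools = {p.get("name") for p in root.findall(".//applicationPools/add")}
    plan = []
    for site in root.iter("site"):
        apps = {}
        for app in site.findall("application"):
            folder = app.find("virtualDirectory[@path='/']").get("physicalPath")
            apps[app.get("path").rstrip("/").lower() or "/"] = (app.get("applicationPool"), folder)
        for path, (pool, folder) in apps.items():
            plan.append({
                "app": path,
                "identity": "IIS AppPool\\" + pool,
                "pool_defined": pool in pools,  # False: the pool name is not declared
                "read_execute": folder,         # grant stated in the question
                "parent_configs": [ntpath.join(d, "web.config")  # files the error names
                                   for p, (_, d) in apps.items() if is_ancestor(p, path)],
            })
    return plan

if __name__ == "__main__":
    print(*acl_plan(SAMPLE), sep="\n")
```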