3

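I have a command-line process that I am trying to run from my ASP.Net web application.

When the IIS7.5 application pool identity is set to "Local System", the command-line code executes. When it is set to ApplicationPoolIdentity, it does not. Since using "Local System" is a security risk, I would like to grant ApplicationPoolIdentity only the required permissions rather than use Local System.

If I understand this answer correctly: IIS AppPoolIdentity and file system write access permissions, the user "IIS AppPool [my app pool]" needs to be given permissions on whatever folders my command-line process will modify. I have tried giving that user full permissions on the folder, but it still does not work. I have also tried full permissions for IUSR and IIS_USRS. Please see my code below: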

        using (Process process = new Process())
        {
            process.StartInfo.FileName = fileToExecute;
            process.StartInfo.Arguments = arguments;
            process.StartInfo.UseShellExecute = false;
            process.StartInfo.RedirectStandardOutput = true;
            process.StartInfo.RedirectStandardError = true;

            StringBuilder output = new StringBuilder();
            StringBuilder error = new StringBuilder();

            using (AutoResetEvent outputWaitHandle = new AutoResetEvent(false))
            using (AutoResetEvent errorWaitHandle = new AutoResetEvent(false))
            {
                process.OutputDataReceived += (sender, e) =>
                {
                    if (e.Data == null)
                    {
                        outputWaitHandle.Set();
                    }
                    else
                    {
                        output.AppendLine(e.Data);
                    }
                };
                process.ErrorDataReceived += (sender, e) =>
                {
                    if (e.Data == null)
                    {
                        errorWaitHandle.Set();
                    }
                    else
                    {
                        error.AppendLine(e.Data);
                    }
                };

                process.Start();

                process.BeginOutputReadLine();
                process.BeginErrorReadLine();
                int timeout = 1000;
                if (process.WaitForExit(timeout) &&
                    outputWaitHandle.WaitOne(timeout) &&
                    errorWaitHandle.WaitOne(timeout))
                {
                    Logs logs = new Logs("Finished! - Output: " + output.ToString() + " | Error: " + error.ToString());
                    logs.WriteLog();
                }
                else
                {
                    // Timed out.
                    Logs logs = new Logs("Timed Out! - Output: " + output.ToString() + " | Error: " + error.ToString());
                    logs.WriteLog();
                }
            }
        }

Thanks in advance for your help!!!

4

4 Answers

3

It turns out that the setting "Load User Profile" under the Advanced Settings in the Application Pool had to be set to true. By doing this the PGP encryption program was able to use the profile for temporary data storage, etc.

answered 2013-05-20T15:00:36.500
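The setting from the answer above, combined with the folder permission discussed in the question, as an added PowerShell example that is not part of the original posts. The pool name and folder path are hypothetical placeholders, Modify (rather than Full Control) is an assumption about what the child process needs, and the script must be run from an elevated prompt.

```powershell
# Added example: pool name and folder are placeholders (assumptions), not values from the thread.
param(
    [string]$PoolName   = 'MyAppPool',        # hypothetical application pool name
    [string]$WorkFolder = 'D:\Data\PgpWork'   # hypothetical folder the child process writes to
)

Import-Module WebAdministration

$poolPath = "IIS:\AppPools\$PoolName"
if (-not (Test-Path $poolPath)) { throw "Application pool '$PoolName' not found." }
if (-not (Test-Path $WorkFolder)) { throw "Folder '$WorkFolder' not found." }

# Report the identity the pool runs as; the goal is ApplicationPoolIdentity, not LocalSystem.
$identity = (Get-Item $poolPath).processModel.identityType
if ($identity -ne 'ApplicationPoolIdentity') {
    Write-Warning "Pool '$PoolName' runs as '$identity', not ApplicationPoolIdentity."
}

# "Load User Profile" = True: the worker process (and the processes it starts)
# gets a loaded profile and a per-user temp directory.
Set-ItemProperty $poolPath -Name processModel.loadUserProfile -Value $true

# Grant Modify, inherited by subfolders (CI) and files (OI), to this pool's
# virtual account only, instead of Full Control for IUSR or IIS_IUSRS.
$account = "IIS AppPool\$PoolName"
& icacls.exe $WorkFolder /grant "${account}:(OI)(CI)M"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Recycle so the worker process starts with the new settings.
Restart-WebAppPool -Name $PoolName

# Show the resulting state for review.
(Get-Item $poolPath).processModel | Select-Object identityType, loadUserProfile
& icacls.exe $WorkFolder
```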
1

Try giving permissions to the IIS_IUSRS account.

Also, make sure the account has execute permissions on the file you're calling and any libraries it references.

I created some test code (below). The folder secret was given system and admin permissions only (not user). This means IIS could not view it by default (tested). I then gave IIS_IUSRS read permissions and it worked fine.

(results were displayed on screen)

Dim compiler As New Process()
compiler.StartInfo.FileName = "C:\Windows\System32\cmd.exe"
compiler.StartInfo.Arguments = "/C dir c:\Secret"
compiler.StartInfo.UseShellExecute = False
compiler.StartInfo.RedirectStandardOutput = True
compiler.Start()
Dim results As String = compiler.StandardOutput.ReadToEnd()
compiler.WaitForExit()

If you're not sure what files need permissions, there is a program called Process Explorer that should enable you to see exactly what's in use.

http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx

answered 2013-05-15T12:23:29.770
1

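What you can do is create a new Windows account and assign it the required permissions.

Type "mmc" in the Start menu; this opens the management console. Go to the "File" menu and select "Add/Remove Snap-in...". Select "Local Users and Groups" and then "Add".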

Next, add "Group Policy Object" in the same way as the previous snap-in. You will end up with something like this:

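Now create the new Windows user. Since you most likely do not want this new user to be able to log on locally, we need to configure an additional setting. Navigate to User Rights Assignment and you should see something like this: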

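Double-click "Deny log on locally" and add the new user. Make sure you also set the appropriate file system permissions.

Finally, just open IIS Manager and assign the new user to your application pool.

Regards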

answered 2013-05-18T21:15:24.757
0

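A while ago I ran into a similar problem when deploying some web applications. In the end, we solved our permission problems by granting permissions to the following: IIS_USRS, IUSR, LocalMachineName\Users, LocalMachineName$, SYSTEM, (and, if your application is in a domain, DomainName\IIS_WPG, DomainName\Domain Users)

Note: in Web.config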

<authentication mode="Windows" />
<authorization>
    <deny users="?" />
    <allow users="*"/>
</authorization>
<identity impersonate="false" />
answered 2013-05-16T12:42:39.380