|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
IIS6 on Win 2003 server ISAPI loadLibrary security problemHi,
I have an ISAPI which need load other DLL, which load other dlls. If this dll is in some directory, which is indicated in system PATH environment variable I obtain every time access denied error after loadLibrary call. I tryed set IUSR_ .. account with even full control on dll directory still no way to make it work. It work only if all necessary dlls are in ...\system32\inetsrv directory (which is work dir for inetinfo.exe) Any one can advise me how to make it work from my specific directory? (on win2k with IIS5 it work fine) Thx. Based on your description, I suspect you are talking about an ISAPI Filter
loading DLLs. Actually, security permissions has always worked the same between IIS5 and IIS6 for ISAPIs. So really, there's no problem here... You just happen to use some haphazard behavior which worked on IIS5; we are forcing you to intentionally make it work on IIS6 for security reasons. Breaking code like this is generally good for security, even if it means extra work comes out of it -- we are forcing the user to think and deal with security because it is definitely not something just for the OS to worry about: http://blogs.msdn.com/david.wang/archive/2005/06/29/IIS_User_Identity_to_Run_Code_Part_2.aspx http://blogs.msdn.com/david.wang/archive/2005/09/30/Thoughts_on_IIS_Security_vs_Apache.aspx http://blogs.msdn.com/david.wang/archive/2005/10/01/Thoughts_on_IIS_Security_vs_Apache_Part_2.aspx -- Show quoteHide quote//David IIS http://blogs.msdn.com/David.Wang This posting is provided "AS IS" with no warranties, and confers no rights. // "Laco" <LSo***@1024Informatica.com> wrote in message news:1141668866.758220.101210@i40g2000cwc.googlegroups.com... > Hi, > > I have an ISAPI which need load other DLL, which load other dlls. If > this dll is in some directory, which is indicated in system PATH > environment variable I obtain every time > access denied error after loadLibrary call. I tryed set IUSR_ .. > account with even full control on dll directory still no way to make it > work. It work only if all necessary dlls are in > > ..\system32\inetsrv directory (which is work dir for inetinfo.exe) > > Any one can advise me how to make it work from my specific directory? > > (on win2k with IIS5 it work fine) > > Thx. > Thx, for respond.
Nop, it is not a ISAPI fiter. It is regular ISAPI extension, Which use other regular dlls for its internal data processing. There is no problem to load ISAPI from IIS. it work fine, problem starts later, when loaded ISAPI need to call one regular dll ( i wrote it ) and this dll use third party dlls to work on images. Let me explain better. I have ISAPI: HxIMGServerISAPI.dll just extend IIS for WebGis procesing then i have HxJPGServer.dll which i use in all my programs for JPG management (not only web based) this dll call many others dlls when work with images. When i call HxIMGServerISAPI.dll, to process my request, it load HxJPGServer.dll. Then HxJPGServer.dll loads all other dlls to work. I wanted to put my HxJPGServer.dll with other dlls in one dir ( different from ...\system32\intesrv) to have some order in things on my server. And it wan't work, only if all dlls are in ..\system32\inetsrv it works fine. It seems that command LoadLibrary, which i call to load HxJPGServer.dll dont make search in dirs which are in PATH system variable. laco. I believe path resolution is documented to be changed on Windows Server 2003
for security reasons. I'm not certain that system32\inetsrv matters because it's not in the PATH. ISAPI Extension runs as impersonated identity (comes from authentication - see my blog entries in the prior response) so all your DLLs need to be accessible to that identity. -- Show quoteHide quote//David IIS http://blogs.msdn.com/David.Wang This posting is provided "AS IS" with no warranties, and confers no rights. // "Laco" <LSo***@1024Informatica.com> wrote in message news:1141722850.215368.140070@z34g2000cwc.googlegroups.com... > Thx, for respond. > > Nop, it is not a ISAPI fiter. It is regular ISAPI extension, Which use > other regular dlls for its internal data processing. There is no > problem to load ISAPI from IIS. it work fine, problem starts later, > when loaded ISAPI need to call one regular dll ( i wrote it ) and this > dll use third party dlls to work on images. > > Let me explain better. I have ISAPI: HxIMGServerISAPI.dll just > extend IIS for WebGis procesing > then i have HxJPGServer.dll which i use in all my programs for JPG > management (not only web based) this dll call > many others dlls when work with images. > > When i call HxIMGServerISAPI.dll, to process my request, it load > HxJPGServer.dll. Then HxJPGServer.dll loads all other dlls to work. > > I wanted to put my HxJPGServer.dll with other dlls in one dir ( > different from ...\system32\intesrv) to have some order in things on my > server. And it wan't work, only if all dlls are in ..\system32\inetsrv > it works fine. It seems that command LoadLibrary, which i call to load > HxJPGServer.dll dont make search in dirs which are in PATH system > variable. > > laco. > 
Other interesting topics
IIS 6.0 SSL for whole site EXCEPT a few directories
Single user id to access web site?? Urgent SSL which files are requried The call to Server.CreateObject failed while checking permissions. IIS 6 problem only test- solo test 2003 web edition, share and web site CertificateAuthority.Admin make IIS silent HTTP 403.16 error |
|||||||||||||||||||||||
