Chapter 6: User Impersonation and Permissions

6.1 What is Impersonation

By default, ASP scripts run under the security context of the "Anonymous" user account IUSR_machinename. This account usually has very few permissions, so if your script uploads files to a remote machine you are likely to receive the error "Access is denied". To overcome this problem, you may use the method Upload.LogonUser, which impersonates an arbitrary user account that has sufficient permissions.

The LogonUser method accepts three required parameters: a domain name, a username and a password. Once a successful call to LogonUser is made, the rest of the script on that ASP page runs under the security context of the specified user account. For example:

<%
Set Upload = Server.CreateObject("Persits.Upload")
Upload.LogonUser "mydomain", "Administrator", "xxxxxxxxx"

' Upload to a remote drive
Count = Upload.Save("\\someserver\cdrive\upload")
%>

If an empty string is specified for the domain name, the local machine will be used to validate the username and password. On Windows NT/IIS4, if your virtual directory has the "Run in separate memory space" option checked, the current user (IUSR_xxx) must have the "Act as part of the operating system" privilege or you will get the error A required privilege is not held by the client.

On Windows 2000/IIS5, you must set the "Application Protection" option to Low (IIS Process) on your virtual directory to avoid the error A required privilege is not held by the client.

6.2 Setting NTFS Permissions

AspUpload is capable of setting and changing NTFS permissions on uploaded files via the methods File.AllowAccess, File.DenyAccess, File.RevokeAllowance and File.RevokeDenial.

The methods AllowAccess and DenyAccess add an allowance access control entry (ACE) and a denial ACE, respectively, to the file's Access Control List (ACL). These methods expect an NT username or group name, and a set of flags, as parameters.

The methods RevokeAllowance and RevokeDenial remove an allowance and denial ACE, respectively, from the file's ACL.

The sample files access.asp and access_upload.asp demonstrate the usage of the NTFS methods by allowing a user to select a file, specify a username/password to impersonate, an account to call AllowAccess on, and an account to call DenyAccess on.

This is what the file access_upload.asp looks like:

<!--#include file="AspUpload.inc"-->

<HTML>
<BODY>
<% Set Upload = Server.CreateObject("Persits.Upload")

' We use memory uploads, so we must limit file size
Upload.SetMaxSize 100000, True

' Save to memory so that we can access form items before file hits the disk
Upload.Save

Username = Upload.Form("username")
Password = Upload.Form("password")

If Username <> "" Then
   ' Specify domain name in first parameter, if necessary
   Upload.LogonUser "", Username, Password
End If

AllowName = Upload.Form("ALLOW")
DenyName = Upload.Form("DENY")

' Save files to disk
For Each File in Upload.Files
   File.SaveAs "c:\upload\" & File.FileName
   Response.Write "File " & File.Path & " saved.<BR>"

   ' Set allowance
   If AllowName <> "" Then
      File.AllowAccess AllowName, GENERIC_ALL
      Response.Write "User " & AllowName & " granted access on file " & File.Path & "<BR>"
   End If

   ' Set denials
   If DenyName <> "" Then
      File.DenyAccess DenyName, GENERIC_ALL
      Response.Write "User " & DenyName & " denied access on file " & File.Path & "<BR>"
   End If
Next
%>
</BODY>
</HTML>

Note that this file uses the constant GENERIC_ALL to grant/deny full access to the file. This constant, along with other permission flags and file attributes, is defined in the file AspUpload.inc which is included in this ASP page using the directive

<!--#include file="AspUpload.inc"-->

Some of the valid flag combinations for the AllowAccess and DenyAccess methods include:

Read (RX):           GENERIC_READ + FILE_GENERIC_EXECUTE
Change (RWXD):       GENERIC_READ + GENERIC_WRITE + FILE_GENERIC_EXECUTE + DELETE
Full Control (All):  GENERIC_ALL


6.3 Setting File Attributes

AspUpload enables you to set file attributes on uploaded files such as read-only, hidden, etc. This is done via the property File.Attributes. For example, the following line of code sets the file's attribute to Hidden and Read-only:

File.Attributes = FILE_ATTRIBUTE_READONLY + FILE_ATTRIBUTE_HIDDEN

To add a new attribute while leaving existing attributes intact, combine the flags with a bitwise Or (using + would corrupt the value if the read-only bit is already set):

File.Attributes = File.Attributes Or FILE_ATTRIBUTE_READONLY

Don't forget to #include the file AspUpload.inc to be able to use the constants such as FILE_ATTRIBUTE_READONLY, etc.
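The following page, added here as an example and not taken from the AspUpload samples, combines the techniques of 6.1, 6.2 and 6.3 with least privilege in mind: it impersonates a dedicated low-privilege account instead of Administrator, grants a reviewers group only the Read (RX) flag combination rather than GENERIC_ALL, and marks each saved file read-only. The account name "UploadSvc", the group name "Reviewers" and the password placeholder are assumptions.

```vbscript
<!--#include file="AspUpload.inc"-->
<%
' Added example (not from the AspUpload samples). Assumed names: a dedicated
' local service account "UploadSvc" and a local group "Reviewers".
Set Upload = Server.CreateObject("Persits.Upload")

' Memory upload, so cap the file size before calling Save
Upload.SetMaxSize 100000, True
Upload.Save

' Impersonate a dedicated low-privilege account instead of Administrator.
' The password is a placeholder; read it from server-side configuration,
' never from the request.
Upload.LogonUser "", "UploadSvc", "<service-account-password>"

ReviewGroup = "Reviewers"

For Each File In Upload.Files
   File.SaveAs "c:\upload\" & File.FileName

   ' Grant only Read (RX) from the flag table in 6.2, not GENERIC_ALL
   File.AllowAccess ReviewGroup, GENERIC_READ + FILE_GENERIC_EXECUTE

   ' Mark the file read-only while keeping its other attributes.
   ' Bitwise Or is safe even if the read-only bit is already set.
   File.Attributes = File.Attributes Or FILE_ATTRIBUTE_READONLY

   Response.Write "Saved " & Server.HTMLEncode(File.Path) & _
                  ": " & ReviewGroup & " has RX, file is read-only<BR>"
Next
%>
```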