IIS Server Security >> Permissions Fun with CGI

by Mike » Wed, 15 Oct 2003 05:41:20 GMT

What specifically must I do to enable a cgi script to
execute a process that modifies a file on the local file
system of the server (IIS 6.0)?

I've granted my iuser_account modify rights to a
directory that will house the file. When I use a perl
OPEN filehandle within the CGI it works fine...when I
remove the NTFS file permissions the OPEN filehandle
doesn't work. However, if I try something simple like
dir d:\wwwroot > d:\temp\directory.txt within the CGI
that won't work. If I return the dir command directly to
a variable then use the open filehandle to print it to a
file it'll ....so I know my permissions are ok on the
directory, I know CGI is properly enabled, I know I've
got all the necessary access to the executable I'm trying
to call...but it just doesn't work. No errors. Nothing in
the IIS log, I enabled auditing on this directory and I
don't see any problems, and Filemon doesn't show anything
either. Beyond the file permission changes I mentioned,
this is a pretty simple install of IIS 6.0


IIS Server Security >> Permissions Fun with CGI

by Mike » Wed, 15 Oct 2003 06:47:47 GMT

Well I was a bit wrong. The system commands didn't work
at all....even when they would pipe straight to a
variable. As it turns out Access was being denied on
c:\windows\system32\cmd.exe I granted my iusr_servername
account Read and Execute to cmd.exe and all problems went
away...but it prompts a bigger question, what have I
exposed myself to? This user doesn't really have any
other special permissions to the O/S. It does have full
control of the files in the wwwroot however..

hmm.... anyone have thoughts?


Similar Threads

1. IIS6 CGI permission question

2. CGI permission problem

I've a permission problem with cgi scripts under IIS 6
Everytime i run a page with .cgi extension i get the authentication pop-up.
Obviously permissions for the anonymous user are good (read write and
execute permissions).
I've also tried to add in the registry editor
(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters) this
Createprocessasuser as a reg:dword and giving it value 0.
Unfortunately i get always this autnethication pop-up.
What can i do?

3. Domain User permissions vs cgi

4. CGI: Permission Denied error

I am running an NT4 server with IIS4.

I'm attempting to write a CGI script that gets input from a WWW form
via input type="file". Here's the Perl I'm using:

use CGI;
my $cgi = new CGI;
my $file = $cgi->param('file');
$file=~m/^.*(\\|\/)(.*)/; # strip the remote path and keep the filename
my $name = $2;
open(LOCAL, ">/test/$name") or die $!;
while (<$file>) {
	print LOCAL $_;
print $cgi->header();
print "$file has been successfully uploaded... thank you.\n";

When I run the html form that calls this script (method=POST), it says:

CGI Error

The specified CGI application misbehaved by not returning a complete
set of HTTP headers. The headers it did return are:

Permission denied at D:\cgi\upload.pl line 8.

I've set up a directory on the server's hard drive called /test enabled
web sharing (alias /test), given it write permission and everything. I
assume I'm missing something elementary, but I a day's worth of
Googling has gotten me no where.



5. Permissions for IIS6 wwroot/cgi-bin ?

6. CGI Script permissions

I've been tasked with the job of migrating an iPlanet Web 
Server to IIS 6.0. I wrote nearly all of the CGI on the 
server so I've got a pretty good handle on what its 
trying to do.  There are several scripts that provide web-
based utilities, to read directories, set permissions, 
etc. within the wwwroot.  For example, the script will 
get a directory listing of all the subdirs in a given 
directory and print those back to the browser.  When this 
CGI script (written in PERL) runs on the IIS 6.0 machine, 
none of the directories get printed.  The same script 
executed locally on the server via command line works 
fine.  Other functions of CGI seem to work ok, 
interfacing with a MySQL database, formmailers, etc.  But 
when a script needs to create a file on the server, or in 
similar filesystem/operating system interactions, this 
external process doesn't take place.  What do I need to 
allow for this to work? On the cgi-bin virtual directory 
I've permitted all the checkboxes, but that didn't seem 
to help: Script Source Access, Read, Write, Directory 
Browsing, Log visits, Index this resouce.

Thanks in advance,

7. #exec cgi problem: lack of execute permission. - IIS Server Security

8. CGI execute permissions

I have a perl script that needs to query the registry (reg.exe QUERY) and return the value to the webpage. The script runs fine from the command line but when run from the webpage it tells me access denied. I do a lot of linux bash stuff and there is a sudo command and I know windows has a runas but it requires you to type in a password which can't be done from web. So how do I give the perl script permission to READ only, the registry?