iis >> IIS6 CGI permission question

by Morgan Cheng » Tue, 03 Apr 2007 14:47:57 GMT


I have IIS6 on a Windows 2003 box, and ActivePerl 5.8.8.
I have one Perl CGI writing something to a log file on request. The
script is located in a virtual directory named "cgi-bin"; Execute
Permission is "Script and Executables". The physical directory is
"D:\Script"; the permission setting in IIS is "READ", "Log Visit" and "Index
this resource".

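# Append to log.txt in the script's working directory
open(FD, ">>log.txt") or die "Cannot open log.txt: $!";
print FD "something";   # no comma between the filehandle and the data
close FD;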

Originally, I thought I had to add some permission to the
IUSR_<machinename> account to enable the script to write the log in
"D:\Script". However, it works without any change.

I checked the perl process with Process Explorer and it is run with
account IUSR_<machinename>. And the ACL of "D:\Script" doesn't include
IUSR_<machinename>. So, why does the script have privilege to write in the

This phenomenon upsets me, because it looks like a security hole.

Can anybody shed some light on this?


by Morgan Cheng » Tue, 03 Apr 2007 15:57:06 GMT

And, ACL of "D:\Script" just has

These groups have nothing to do with the IUSR_<machinename> account.


by Andrew Morton » Tue, 03 Apr 2007 17:23:44 GMT

You could use filemon
( http://www.microsoft.com/technet/sysinternals/FileAndDisk/Filemon.mspx ) to
look at which account is being used to access the file rather than which
account the process is running under. If that makes sense :-)



by Morgan Cheng » Tue, 03 Apr 2007 19:35:12 GMT

I tracked the group-user relationship. The "<machinename>\Users" group
contains the "NT Authority\Authenticated" Group, which must contain the
"IUSR_<machinename>" user.
If I remove the "NT Authority\Authenticated" Group from the
"<machinename>\Users" group, the script operation is denied.
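
Added example, not part of the original thread: a simplified Python model of the access check discussed in the posts above, showing how an account that is absent from a folder's ACL still gets write access through nested group membership, and how removing one membership revokes it. The machine name WEB01, the ACL entries and the right names are constructed assumptions, and the group the thread calls "NT Authority\Authenticated" is modelled as NT AUTHORITY\Authenticated Users.

```python
from collections import deque

AUTH_USERS = r"NT AUTHORITY\Authenticated Users"

# Constructed sample data: WEB01 is a hypothetical machine name, and the
# ACL below is an assumed ACL for D:\Script (the thread does not list it).
MEMBERS = {
    AUTH_USERS: {"IUSR_WEB01"},
    r"WEB01\Users": {AUTH_USERS},
    r"BUILTIN\Administrators": {"Administrator"},
}
ACL = [  # (ACE type, trustee, rights)
    ("allow", r"BUILTIN\Administrators", {"read", "write"}),
    ("allow", r"WEB01\Users", {"read", "write"}),
]

def membership_paths(account, members_of):
    """Map each principal in the account's token to the chain that put it there."""
    paths = {account: [account]}
    queue = deque([account])
    while queue:
        principal = queue.popleft()
        for group, members in members_of.items():
            if principal in members and group not in paths:
                paths[group] = paths[principal] + [group]
                queue.append(group)
    return paths

def explain_access(account, right, acl, members_of):
    """Return (granted, membership chain). Deny ACEs are checked before allow ACEs."""
    paths = membership_paths(account, members_of)
    for kind in ("deny", "allow"):
        for ace_kind, trustee, rights in acl:
            if ace_kind == kind and trustee in paths and right in rights:
                return kind == "allow", paths[trustee]
    return False, []  # no ACE names any principal in the token: implicit deny

def without_member(members_of, group, member):
    """Copy of the membership table with one member removed from one group."""
    return {g: (m - {member} if g == group else set(m))
            for g, m in members_of.items()}

if __name__ == "__main__":
    # Write is granted via IUSR_WEB01 -> Authenticated Users -> WEB01\Users.
    print(explain_access("IUSR_WEB01", "write", ACL, MEMBERS))
    # After the change described in the last post, nothing grants write.
    trimmed = without_member(MEMBERS, r"WEB01\Users", AUTH_USERS)
    print(explain_access("IUSR_WEB01", "write", ACL, trimmed))
```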

Similar Threads

1. Permissions for IIS6 wwroot/cgi-bin ?

2. Question about FormMail script and CGI BIN on an IIS6 server

Our web developer has created a form that is using the FormMail script and 
is requesting access to the CGI BIN.  In doing a little research it looks 
like this is used with Unix and SendMail.  Is there a way to enable this to 
work on an IIS6 server?



3. Problems executing a CGI from a CGI in IIS6 (works in IIS5)

4. Security Question on setting NTFS permission for IIS6.0

I have some questions about NTFS permission. I'm using W2k3 Standard Edition
and PHP 4.3.4

1. If I do not add the "IUSR_XXXX" user into NTFS permission, but I have the
"NETWORK" group, which has "Read" permission, instead, I can access my
website. So, is the "IUSR_XXX" account a member of the "NETWORK" group?

2. If I add "NETWORK" group which have "Read" permission into NTFS
permission rather than exactly "IUSR_XXXX" account, are there any security

3. Do I need to add the "INTERACTIVE" group, which has only "Read" permission?
Is this group necessary?

4. Do I need to have "CREATOR OWNER" and "CREATOR GROUP", which have "Full
Control" permission? Because when I create a new folder for adding a new web
site, that folder automatically has these groups on the NTFS permission.

5. If my web site contains asp or aspx files, do I need to add "NETWORK
SERVICE" or "IWAM_XXXX" user into NTFS permission? If not, when or in what
situation I need to add those users into NTFS permission?

Any ideas or suggestions are welcome.
Thank you very much.

5. CGI permission problem

6. Domain User permissions vs cgi

Hello Derf,

I've spent some time reviewing your case. After all the research I've 
done, I've come back to read your problem again and I think I'm going to 
take a different approach.

If you can run the script at all - then it's likely you've setup NTFS 
permission correctly (and IIS for that matter).

To me this would be a coding error - not a permissions issue.

Can you get this same code to work anywhere else?

What changed? When did it stop working etc...

What version of IIS are you running?

I think there is some logic problem here in the .pl or in the way the 
redirection is happening...

You may try posting to a group that deals with Perl script issues for a 
second opinion.

Thank you,

Tony DeVere [MSFT]
Microsoft IIS
Newsgroup Support

7. CGI: Permission Denied error

8. Permissions Fun with CGI

What specifically must I do to enable a cgi script to 
execute a process that modifies a file on the local file 
system of the server (IIS 6.0)?

I've granted my iuser_account modify rights to a 
directory that will house the file.  When I use a perl 
OPEN filehandle within the CGI it works fine...when I 
remove the NTFS file permissions the OPEN filehandle 
doesn't work.  However, if I try something simple like 
dir d:\wwwroot > d:\temp\directory.txt within the CGI 
that won't work.  If I return the dir command directly to 
a variable then use the open filehandle to print it to a 
file it'll ....so I know my permissions are ok on the 
directory, I know CGI is properly enabled, I know I've 
got all the necessary access to the executable I'm trying 
to call...but it just doesn't work. No errors. Nothing in 
the IIS log, I enabled auditing on this directory and I 
don't see any problems, and Filemon doesn't show anything 
either. Beyond the file permission changes I mentioned, 
this is a pretty simple install of IIS 6.0