Author |
Topic |
|
D3mon
Senior Member
United Kingdom
1685 Posts |
Posted - 31 March 2002 : 19:09:24
|
Can anyone tell me - When an ASP page accesses the filesystem to read an include file does it use a system account for the permissions or the anonymous web user account? Somehow, someway I've an idea that I can turn my includes (with all my 'business logic' inside) into (kind of) fake COM objects by putting them in a separate folder on the webserver and switching off read permissions for the standard web-user. Since they are only requested by the ASP parsing engine, I would have thought it would work. Can anyone see what I'm meaning? COM objects kick ass, but my sysadmin won't allow them.
D3mon |
|
Gidion
Starting Member
22 Posts |
Posted - 31 March 2002 : 19:15:38
|
IMHO Windows uses the IUSR account.
But if I understand right, then you are worrying about people seeing your code in the ASPs. Right? If so, you can stop worrying (I think). The ASPs will not be shown even if you directly try to access them by typing their URL.
--------------------------- MANIAC Development http://mcc.in.tum.de/maniac |
|
|
HuwR
Forum Admin
United Kingdom
20584 Posts |
Posted - 31 March 2002 : 19:17:08
|
You can't turn an ASP file into a COM object no matter what you do to it or where you put it. If you switch off read access for the web user, it will not be able to find your ASP files.
|
|
|
ruirib
Snitz Forums Admin
Portugal
26364 Posts |
Posted - 31 March 2002 : 19:22:41
|
I also think the same. The anonymous internet user is the account used to access include files in IIS 5.0. I understand that in IIS 4.0 for any file included with the VIRTUAL directive, the usual Access Control List permissions were/are not checked. This was changed in IIS 5.0, so I don't think you can do what you describe in your post.
Also from a security point of view it's always better to use an include file with an .ASP extension than using a .inc as sometimes happens. An .ASP file will always be executed by the server, so there is no way for the users to download them in normal circumstances.
------------------------------------------------- Installation Guide | Do's and Dont's | MODs
Edited by - ruirib on 31 March 2002 19:25:43 |
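An added example, not part of any post in this thread: a Python sketch of the check implied by the advice above about naming include files .asp rather than .inc. It follows `#include` directives (nested ones too) and lists targets whose extension is not handled by the ASP engine; `SCRIPT_MAPPED`, the function names and the sample site are assumptions constructed for illustration.

```python
import posixpath
import re

# Assumption: only .asp is mapped to the ASP script engine on this server.
SCRIPT_MAPPED = {".asp"}

INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->', re.IGNORECASE)


def resolve(page, kind, target):
    """Return the site-relative path an include directive points at."""
    target = target.replace("\\", "/")
    if kind.lower() == "virtual":  # relative to the site root
        return posixpath.normpath("/" + target.lstrip("/"))
    # "file" includes are relative to the including page's folder
    return posixpath.normpath(posixpath.join(posixpath.dirname(page), target))


def audit(site):
    """Map each include target that is not script-mapped to the pages using it.

    `site` maps site-relative paths to file contents.
    """
    findings, seen, queue = {}, set(), sorted(site)
    while queue:
        page = queue.pop()
        if page in seen:
            continue
        seen.add(page)
        for kind, target in INCLUDE_RE.findall(site.get(page, "")):
            path = resolve(page, kind, target)
            if posixpath.splitext(path)[1].lower() not in SCRIPT_MAPPED:
                findings.setdefault(path, set()).add(page)
            queue.append(path)  # follow nested includes
    return findings


# Constructed sample site (not taken from the thread).
SAMPLE_SITE = {
    "/default.asp": '<!-- #include file="inc/config.inc" -->\n'
                    '<!--#INCLUDE VIRTUAL="/lib/logic.asp"-->',
    "/lib/logic.asp": '<!-- #include file="..\\inc\\db.inc" -->\n<% Dim x %>',
    "/inc/config.inc": '<% Const ConnStr = "placeholder" %>',
    "/inc/db.inc": "<% Dim y %>",
}

if __name__ == "__main__":
    for path, pages in sorted(audit(SAMPLE_SITE).items()):
        print(f"{path} (included by {sorted(pages)}) is not script-mapped")
```
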
|
|
Gidion
Starting Member
22 Posts |
Posted - 01 April 2002 : 15:09:13
|
HuwR: I don't think you can fully say that you can't turn ASPs into COMs. I had to secure a bit of business logic a while back which was not allowed to be saved in "plain text". So I just turned all of the ASP code (it was easier to turn all of it into a COM object than just the one part needing security) into a DLL using VB. The DLL just returned my HTML code and the ASPs took it and presented it. Surely you can't turn every ASP code into COM, but it worked for me.
--------------------------- MANIAC Development http://mcc.in.tum.de/maniac |
|
|
D3mon
Senior Member
United Kingdom
1685 Posts |
Posted - 01 April 2002 : 18:35:12
|
Oh bugger. I'll have to rely on the ASP security then. I'm just concerned somebody might discover the ability to download an ASP file. Luckily I had heard before that it is a good idea to name include files as .asp rather than .inc so they should be quite secure in that respect.
It is possible to convert ASPs into COM objects and vice versa, but it takes some re-coding as VBScript is slightly different to VB (mainly in that VBScript has some nice features pre-installed like the request and response objects and in VB they have to be added in). Thanks guys
|
|
|
HuwR
Forum Admin
United Kingdom
20584 Posts |
Posted - 01 April 2002 : 18:46:07
|
quote:
I've an idea that I can turn my includes (with all my 'business logic' inside) into (kind of) fake COM objects by putting them in a separate folder on the webserver and switching off read permissions for the standard web-user
I actually said that you could not turn your asp files into COM objects by doing the above, I DID NOT say that you couldn't turn ASP into COM objects, that is an entirely different matter, and they are no longer asp files, but COM objects and behave completely differently.
|
|
|