Please explain: write permission security issue 1

Status
Not open for further replies.

EugenePaliev

Programmer
Jul 18, 2001
537
UA
Hello all!

I would very much appreciate it if you could explain to me how write permission assigned to some folder can be safe or harmful.

I have some .asp script that creates and saves files in some directory. To do this I have to have write permission to folder where files are saved. But I'm afraid that it can be unsafe...

Please be so kind to explain
- who can have this write permission?
- does it mean that everyone in the world can write to this directory?
- can I ask my ISP to set up permissions in such a way that only my .asp scripts will have write permission?

Sorry for maybe stupid questions, we all have to learn sometimes new things... Thank you in advance!!! Good Luck! :)
 
No questions are stupid! :) At least in my perspective.

First off.. r u running ur own server (cuz u mentioned ISP).

Do u mean ISP as in just a service provider or are u using their servers to host ur site too?

If u're running ur own IIS that means write permissions wouldn't have anything to do with ur ISP.. they only provide send/receive of bits & bytes. Setting up .asp pages are a lot safer than hosting ftp as lots of ppl have ppl uploading weird stuff that they go through lots just to delete (this can be prevented by disabling write access to anonymous users & better yet use SSL).

As i've said b4.. having the .asp doing all the writing is safer BUT it's not bullet proof.. holes in MS products surface everyday.. and the majority of the issues depend on how those .asp pages are set up. Do u need a user and pass to get write permissions? Or can someone just upload w/o that? Lots of considerations. Let us know what u're doing.. we'll try to offer u a solution.

Good luck.

T [afro][gorgeous][afro2]

*HighSchool Graduate*
 
Thank you so much for response and help!

Here is my situation:
- I host my application with ISP,
- I don't have any access to their server and cannot set any permissions,
- to change permissions I need to email them,
- they have IIS 5 on Win2K

One more question. Is it possible to give write permission only to .asp scripts so files can be written/uploaded only thru scripts? And if it's possible can it be password secured? And you mentioned SSL. How can SSL help?

Thank you soooooooooooooooo much!!! :)

P.S. I've already emailed my ISP asking to set write permission to some folder. Good Luck! :)
 
Hehe. Ok.. now I see what's going on.

Hmm.. so all of the control are over on their end. Ok, the first thing you should do is contact them and ask them about your privileges. Some hosting companies don't allow scripts while some do.

The second thing you should do is to ensure that they allow your scripts to do that because, again, some companies let you and some don't.
(Oops.. sorry didn't read ur PS)

Ok.. what you should find out is if they do backups for your data. Allowing scripts to write files are definitely not as harmful as, say, allowing anonymous ftp users to write. However, like I've mentioned b4 there are ways around it but since u're not going to be the one maintaining the servers, I would say just go ahead and do it. Since ur ISP is hosting ur site then go ahead and let them handle the security threats that may exist.

SSL.. in plain words that's just a protocol for securing data transfer between two computers. These are most commonly used on pages that ask for personal info such as credit card #s. U will need to get a certificate for that (costs $$) so if u're not raking in money with this website then don't worry about it.

I gotta run off to school now.. let me know if u need more help.

T [afro][gorgeous][afro2]

*HighSchool Graduate* :)
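Added example, not part of any post in this thread: a classic ASP page that is the only way to write into the folder, so that what gets written depends on the script's own checks (login, file name, size, extension) rather than on anonymous write access. The folder path, the `Session("authenticated")` flag and the form field names `name` and `text` are assumptions made for illustration.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example. SAVE_DIR, Session("authenticated") and the form field
' names are assumptions, not values from the thread.
Const SAVE_DIR = "/data/notes"   ' the one folder the host made writable
Const MAX_LEN = 65536            ' cap on the size of the saved text

Function IsSafeName(name)
    ' Letters, digits, dash and underscore only: no dots, slashes or
    ' colons, so the caller cannot leave SAVE_DIR or pick an extension.
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_-]{1,40}$"
    IsSafeName = re.Test(name)
End Function

Sub Reject(statusLine)
    Response.Status = statusLine
    Response.Write Server.HTMLEncode(statusLine)
    Response.End
End Sub

' 1. Only a signed-in session may write (the login page is assumed to
'    set this flag after checking a user name and password).
If Session("authenticated") <> True Then Reject "403 Forbidden"
If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then Reject "405 Method Not Allowed"

' 2. Validate everything the client controls.
Dim baseName, body, fso, path, f
baseName = Request.Form("name") & ""
body = Request.Form("text") & ""
If Not IsSafeName(baseName) Then Reject "400 Bad Request"
If Len(body) > MAX_LEN Then Reject "413 Request Entity Too Large"

' 3. The script, not the client, chooses folder, prefix and extension.
'    A fixed .txt extension keeps saved files off the ASP script mapping.
path = Server.MapPath(SAVE_DIR) & "\" & "note_" & baseName & ".txt"
Set fso = Server.CreateObject("Scripting.FileSystemObject")
If fso.FileExists(path) Then Reject "409 Conflict"
Set f = fso.CreateTextFile(path, False)   ' False = never overwrite
f.Write body
f.Close
Response.Write "Saved."
%>
```

The fixed `note_` prefix also keeps a submitted name from resolving to a reserved Windows device name such as `CON`.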


 
Thank you! Now I think I've got the idea and know pretty enough for now [thumbsup2] Good Luck! :)
 
:) I come here to help and get help. Best of luck (u won't need it now tho cuz u're well equipped with knowledge hehe).

Have fun.

T
 
I had a client with this same issue with their ISP. The ISP was hosting on a Windows 2000 Server, and after some negotiation, they allowed us to use the ASP upload com+ component available from Microsoft.


Using generic code from vendors like Microsoft to run backend components may give you more leverage with your applications.... but be aware, my client ended up paying extra for the functionality.

And with COM+, it gave the ISP a lot more control of their security, not to mention the same ISP now advertises the component on their server as a new "feature" for other sites being hosted.

Galrahn
galrahn@galrahn.com
 
Thank you, Galrahn, for the link and information! Good Luck! :)
 