用户是否对Temporary ASP.NET Files文件夹写入权限会造成任何安全问题?
[英]Does user write permissions to the Temporary ASP.NET Files folder pose any security problems?
问题描述
I am experiencing assembly binding failures due to insufficient permissions to the Temporary ASP.NET Files folder. 
由于对Temporary ASP.NET Files文件夹的权限不足,我遇到程序集绑定失败。
The application uses (web.config) Forms authentication with Impersonate = True and IIS Windows Integrated Authentication. 该应用程序使用(web.config)表单身份验证与Impersonate = True和IIS Windows集成身份验证。
According to ASP.NET Identity Matrix , this means that the WindowsIdentity resolves to Domain\\UserName and according to ASP.NET Required Access Control Lists (ACLs) , the WindowsIdentity requires read/write permissions to the Temporary ASP.NET Files folder. 根据ASP.NET Identity Matrix ,这意味着WindowsIdentity解析为Domain \\ UserName,并且根据ASP.NET必需的访问控制列表(ACL) ,WindowsIdentity需要对Temporary ASP.NET Files文件夹的读/写权限。
Using the Fusion log viewer, I can confirm that the assembly binding failure is due to Domain\\UserName (belonging to the "Users" group in security) only having read permissions to this folder, but not write permissions. 使用Fusion日志查看器,我可以确认程序集绑定失败是由于Domain \\ UserName(属于安全性中的“Users”组)只对该文件夹具有读取权限,而不是写入权限。
The questions are: 问题是:
Are there any security implications of assigning write permissions to the Temporary ASP.Net Files folder? 为临时ASP.Net Files文件夹分配写权限是否有任何安全隐患?
Is such a server configuration change commonly used? 这种服务器配置变化是常用的吗? If not, why would WindowsIdentity resolve to Domain\\UserName for this combination of web.config settings - or should this combination not be used in this context? 如果没有,为什么WindowsIdentity会针对此web.config设置组合解析为Domain \\ UserName - 或者是否应该在此上下文中使用此组合?
Note: The problem only occurs if a non-admin user is the first to hit the page. 注意:仅当非管理员用户是第一个访问该页面的用户时,才会出现此问题。 If the assembly has already been compiled and stored in Temporary ASP.NET Files due to an admin user hitting the page, there are no problems for subsequent users. 如果由于管理员用户访问页面而已将程序集编译并存储在临时ASP.NET文件中,则后续用户不会遇到任何问题。 I do NOT wish to place the assemblies in the GAC. 我不希望将程序集放在GAC中。
1 个解决方案
解决方案1
1 2009-07-08 23:25:26
ASP.NET requires write permission to the Temporary ASP.NET files folder, it shouldn't be a security risk providing you only grant permission to that folder and not any higher as it sits within the c:\\windows folder. ASP.NET需要对Temporary ASP.NET files文件夹具有写入权限,如果您只授予该文件夹的权限而不是更高级别,因此它不应该是安全风险,因为它位于c:\\ windows文件夹中。
This MSDN article about securing ASP.NET applications recommends granting full control to the temporary compilation directory to the ASP.NET process identity. 这篇关于保护ASP.NET应用程序的MSDN文章建议授予对ASP.NET进程标识的临时编译目录的完全控制权。 I've quoted the relevant section: 我引用了相关部分:
By default, temporary files are created and compiled in the following directory:
%winnt%\\Microsoft.NET\\Framework{version}\\Temporary ASP.NET Files
You can specify the location on a per application basis using the tempDirectory attribute, although this provides no security benefit.
Note The ASP.NET process identity specified on the element requires Full Control access rights on the temporary compilation directory.
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.