Shared hosting

on 10.01.2008 15:53:07 by Christophe Gosiau

Hi all,
I'm testing the new Windows 2008 Server with IIS7. The goal is to create
a stable shared hosting platform.
So far I managed to configure multiple websites with each an application
pool.
I also installed PHP5 to run as FastCGI.
Now I'm running into some security problems:
PHP scripts that are running in an application pool, can access all
files from other application pools.
This means that I probably should create a user for each website and
only grant this specific user all privileges to his wwwroot.
So far I haven't found any documentation where this plan is confirmed.

Can someone help me with this question?

thx
Christophe

Re: Shared hosting

on 10.01.2008 17:19:04 by Kristofer Gafvert

Hi,

I am not really sure I understand. What do you mean by "files from other
application pools"? Files that have been read into memory from disk?

Do you perhaps mean that if you share the IUSR account across multiple
websites, someone from "website 1" can access files from "website 2" with
the same access rights as the IUSR account? That would be expected. You
grant the IUSR account permissions to read a file. That is what the file
system cares about, if the user trying to access the file has the rights to
do so. It does not care where the file is located (in which folder). In
fact, it does not know that "IIS tries to access the file".

I *think* this information is documented in the Shared Hosting Web
Deployment Guide. It should be, and I think I have read something about
anonymous user accounts in this context in that document.

Not sure though if something exists for Windows Server 2008 specifically.
Perhaps it is time for me to start looking at IIS 7...

See this link for more information:
http://www.microsoft.com/serviceproviders/solutions/sharedwebhostingguide.mspx

--
Regards,
Kristofer Gafvert
http://www.gafvert.info/iis/ - IIS Related Info


"Christophe Gosiau" wrote in message
news:1199976791.66455@bru-ix-srv240...
> Hi all,
> I'm testing the new Windows 2008 Server with IIS7. The goal is to create a
> stable shared hosting platform.
> So far I managed to configure multiple websites with each an application
> pool.
> I also installed PHP5 to run as FastCGI.
> Now I'm running into some security problems:
> PHP scripts that are running in an application pool, can access all files
> from other application pools.
> This means that I probably should create a user for each website and only
> grant this specific user all privileges to his wwwroot.
> So far I haven't found any documentation where this plan is confirmed.
>
> Can someone help me with this question?
>
> thx
> Christophe
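
An added example, not part of the original thread: a PowerShell check for the situation described above, where one account (such as a shared IUSR account) holds NTFS permissions on more than one site's content root. The site names and paths are hypothetical placeholders, and the script reads only the ACL on each root folder; it does not resolve group membership or Deny entries.

```powershell
# Constructed site list: site name -> content root (hypothetical paths, adjust to your layout).
$siteRoots = @{
    'site1' = 'C:\inetpub\site1\wwwroot'
    'site2' = 'C:\inetpub\site2\wwwroot'
    'site3' = 'C:\inetpub\site3\wwwroot'
}

# Administrative principals expected on every root; they are not tenant identities.
$ignore = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'

# Map each account to the set of site roots on which it has an Allow entry.
$sitesByAccount = @{}
foreach ($site in $siteRoots.Keys) {
    $path = $siteRoots[$site]
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Skipping $site, path not found: $path"
        continue
    }
    $acl = Get-Acl -Path $path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($ignore -contains $who) { continue }
        if (-not $sitesByAccount.ContainsKey($who)) { $sitesByAccount[$who] = @() }
        if ($sitesByAccount[$who] -notcontains $site) { $sitesByAccount[$who] += $site }
    }
}

# Any account listed on more than one root can read across tenants with those
# rights, no matter which application pool or site the request came through.
foreach ($who in $sitesByAccount.Keys) {
    $sites = @($sitesByAccount[$who] | Sort-Object)
    if ($sites.Count -gt 1) {
        '{0} has Allow entries on {1} site roots: {2}' -f $who, $sites.Count, ($sites -join ', ')
    }
}
```

With one dedicated account per website, as proposed in the question, this report should come back empty; broad groups such as BUILTIN\Users appearing in the output indicate inherited permissions that still span sites.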