permission denied on file write only when running browser on application server

by raccardi (Initiate)
on Jul 07, 2020 at 17:56 UTC

raccardi has asked for the wisdom of the Perl Monks concerning the following question:

I have a simple test script that attempts to create a file and to append an existing file. This is a web-based script hosted by IIS.

When I call this script by putting its URL into a browser running on my PC, the tests pass: one file is created, the other file is appended to. However, if I run a browser on the application server and access the script using a "localhost" URL, I get a permission denied error on both file operations.

If I run the script from the command line on the server, either as an elevated (Run as Administrator) command line or not, the script is able to write to both files.

The script is running under IIS's CGI module, not FastCGI, with the Impersonate User option enabled. The site uses Windows Authentication. In both cases, regardless of which browser I use to run the script, I see that the perl.exe process is running as my domain user. I can't figure out why I get different behavior when I access the script from a browser running on the server versus a browser running on my own PC. Has anyone ever seen anything like this?

I used the Errno library to get some more info about the permission denied error when opening the files for write/append:

13 Permission denied
5 Access is denied
EVENT_SYSTEM_CONTEXTHELPEND
EMARCH_ENC_I17_IMM5C_INST_WORD_POS_X
EMR_SETBRUSHORGEX
EACCES
ERROR_INVALID_DATA

By the way, my specific Windows user account has explicit access to the folder I'm trying to write to.

As an experiment, I turned off Impersonate User on IIS's CGI module. The perl interpreter runs as DefaultAppPool and does have permission to write to the files.

THANK YOU
Re: permission denied on file write only when running browser on application server
by davido (Cardinal) on Jul 08, 2020 at 06:31 UTC

    Knowing nothing about IIS webservers, I would be inclined to add this to my CGI code:

    warn join(":", scalar(getpwuid($<)), scalar(getgrgid($())), "\n";

    And then look at the logs when making a request. Then verify your upload directory is writable by the user/group that showed up in the logs.


    Dave

      getpwuid and getgrgid are unimplemented by ActivePerl for Windows. Instead I used Win32::LoginName and I see my personal user ID. This agrees with several variables found in %ENV such as
      AUTH_USER
      LOGON_USER
      REMOTE_USER
      except those variables also include the domain name ("DOMAIN\userid").
      The USERNAME environment variable is showing as the server name ("MYSERVER$") and I think perhaps this is a remnant of the IIS process before it invoked the CGI module and impersonated the remote user making the request.

      Maybe there's something else in a Win32 module that I can use to diagnose the situation. For example, I'll use Win32::File to check whether the folder has the readonly attribute set.
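A diagnostic CGI script along the lines discussed in this sub-thread, as an added example that is not part of the original posts: it prints the identity sources mentioned above, runs the append test with both error codes, and lists the groups in the process token so the output from the two browsers can be compared. The folder path is a placeholder and the choice of extra variables (`AUTH_TYPE`, `REMOTE_ADDR`) is an assumption.

```perl
#!perl
# Added diagnostic example, not code from the thread.
use strict;
use warnings;
use Win32;    # Win32::LoginName, Win32::IsAdminUser

# Placeholder: replace with the folder the real script writes to.
my $dir  = 'C:\\path\\to\\test-folder';
my $file = "$dir\\write-test.txt";

print "Content-Type: text/plain\r\n\r\n";

# Identity as seen by the process itself and as reported by IIS.
printf "%-20s %s\n", 'Win32::LoginName',   Win32::LoginName();
printf "%-20s %s\n", 'Win32::IsAdminUser', Win32::IsAdminUser() ? 'yes' : 'no';
printf "%-20s %s\n", $_, defined $ENV{$_} ? $ENV{$_} : '(unset)'
    for qw(AUTH_USER LOGON_USER REMOTE_USER USERNAME AUTH_TYPE REMOTE_ADDR);

# Append test. $! is the C runtime error, $^E the underlying Windows error;
# capture both immediately, before any other call can overwrite them.
if (open my $fh, '>>', $file) {
    print {$fh} scalar(localtime), "\n";
    close $fh or print "close failed: $!\n";
    print "\nappend to $file: ok\n";
}
else {
    my ($errno, $errstr, $winerr, $winstr) = ($! + 0, "$!", $^E + 0, "$^E");
    print "\nappend to $file: FAILED\n";
    print "  errno       $errno: $errstr\n";
    print "  Win32 error $winerr: $winstr\n";
}

# Group memberships and integrity level carried by the process token.
# Two requests can show the same user name and still differ here.
my $groups = `whoami /groups 2>&1`;
print "\n", defined $groups ? $groups : "whoami could not be run: $!\n";
```

Request it once from the remote PC and once from the browser on the server, then diff the two responses.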

Re: permission denied on file write only when running browser on application server
by perlfan (Vicar) on Jul 09, 2020 at 04:44 UTC
    >By the way, my specific Windows user account has explicit access to the folder I'm trying to write to.

    Is it turtles all the way down? What I mean is, does the app user have permission to access the full path? Idk anything about Windows permissions, but my initial thought is it's buried under something with a hard shell.
