
PHP on IIS6 Vs IUSR_<MACHINENAME> account Question

Posted: Fri Sep 29, 2006 7:58 am
by satanicsurferz
Hello,

I'm new to the PHP/MySQL world.
I found a really cool open source Photo Album on the Web... and I tried to install it on my Windows 2003/IIS6 server.
Everything went fairly fine.

Now, I have one question.
Is it possible to run PHP code using a different user than the anonymous one (IUSR_<MACHINENAME>)?

Here's my problem.
The images used in my photo album are stored in a folder on my server hard drive. Inside the photo album, there's a security management feature that can prevent users from accessing some images. However, to be able to create images, I had to give "MODIFY" access on my images folder. So, if users bypass the PHP code, they can access them by just typing the complete URL in a browser.

In ASP.NET, we don't have to give access to the IUSR user since the user "NETWORK SERVICE" is used for running all ASP.NET code.

I was wondering if there's something similar in PHP?

Thanks!
Pascal

Posted: Fri Sep 29, 2006 8:28 am
by printf
PHP is a filter; it has no system-level access, so no, there is no way to do what you want. You have to understand that anything Microsoft creates is embedded into the operating system, so its rules and permissions are handled very differently than an ISAPI filter's. Believe it or not, that is one of the big reasons Windows has so many security flaws. Public web-based applications should never be embedded into the OS kernel!

me!

Posted: Fri Sep 29, 2006 8:34 am
by satanicsurferz
OK, but how am I supposed to restrict access to my images then?
I can have the best PHP code to restrict access... but my images would still be open to everyone who knows or guesses the URL to the images directly... or by Google.

I would really like to have a fool-proof security on my images since some of them are not for public purpose.
Another environment I'm familiar with is Lotus Domino, where you can run a script as either the current user (or anonymous) or as a pre-defined user with more rights in Domino (and it has nothing to do with OS security).

Is that still possible?

Thanks for your answer!

Pascal

Posted: Fri Sep 29, 2006 8:52 am
by printf
The only way on IIS, because it doesn't support .htaccess, is to place the files offsite and feed them to the visitor using PHP GD! Other than that, there is one .htaccess program for IIS, if you want to pay for it!

http://www.troxo.com/products/iispassword/

Another good option is the Sambar Server, it is very much like Apache and runs on Windows or Linux too! But I recommend Apache first!


me!

Posted: Fri Sep 29, 2006 8:57 am
by satanicsurferz
What is "PHP GD" ?
Are you telling me that it would be easier by using Apache?

Thanks again!

Pascal

Posted: Fri Sep 29, 2006 9:19 am
by printf
Directory security should be implemented at the server level; no script-based service can monitor direct access to a file or folder. Remember what I said: it's a filter, so it is only given a request if the file extension *.php* matches the request. So it doesn't have directory or system file scope.

PHP GD is an image extension; it allows you to load local or remote images and manipulate them, and it also allows you to dump them to the browser, so you can keep a set of images off site and feed them to a page that calls them. Example (reading an image from an offsite directory)...

// placed on a page (html, php), whatever

<img src='images.php?id=1' width='160' height='120' alt='' />

// image script


<?php

// just for this example: the allowed images, looked up by numeric id so the
// client never supplies a file name

$images = array ( 'cat.jpg', 'dog.png' );

// path to offsite image directory (outside the web root, so IIS cannot
// serve these files directly)

$path = 'c:/images/';

// the Content-Type sent to the browser must be a real MIME type;
// "image/jpg" (built from the extension) is not one

$types = array ( 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif' );

// default image if the request is missing the id, or it's invalid

$image = $images[0];

if ( isset ( $_GET['id'] ) )
{
	$id = intval ( $_GET['id'] );

	if ( isset ( $images[$id] ) )
	{
		$image = $images[$id];
	}
}

// the access check that decides who may see this image belongs here,
// before any header or image data is sent

$ext  = strtolower ( substr ( $image, ( strrpos ( $image, '.' ) + 1 ) ) );
$type = isset ( $types[$ext] ) ? $types[$ext] : 'application/octet-stream';

// Expires must agree with max-age (one year ahead), not point into the past

header ( 'Cache-control: max-age=31536000' );
header ( 'Expires: ' . gmdate ( 'D, d M Y H:i:s', time () + 31536000 ) . ' GMT' );
header ( 'Content-Length: ' . filesize ( $path . $image ) );
header ( 'Content-Disposition: inline; filename="' . $image . '"' );
header ( 'Content-Type: ' . $type . '; name="' . $image . '"' );
readfile ( $path . $image );

?>

me!
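As an added example that is not part of the thread and is not printf's code, here is a gatekeeper script of the kind the last two posts describe, carried one step further than the snippet above: the images stay outside the web root, and nothing is sent until an application-level authentication and authorization check has passed, which is the check a direct URL was bypassing in Pascal's setup. The private directory `C:/photoalbum-private/images`, the `$_SESSION['user']` login convention and the `$images` permission table are all assumptions for illustration; in a real install the table would come from the album's MySQL database.

```php
<?php
// Added example, not from the original thread. Serves images stored OUTSIDE
// the web root only after an application-level authorization check.
// All paths, the session layout and the ACL table below are assumptions.

declare(strict_types=1);

session_start();

// Assumption: images live in a directory IIS cannot serve directly (not under
// wwwroot), so the only way to fetch them is through this script.
$baseDir = realpath('C:/photoalbum-private/images');
if ($baseDir === false) {
    http_response_code(500);
    exit('image store not configured');
}

// Assumption: the album records which logged-in users may view each image id.
// Constructed sample table; a real install reads this from the database.
$images = [
    1 => ['file' => 'cat.jpg',   'allowed' => ['pascal', 'alice']],
    2 => ['file' => 'dog.png',   'allowed' => ['pascal']],
    3 => ['file' => 'party.gif', 'allowed' => []],   // private to the owner
];

// Only these extensions are served, and the MIME type comes from this table,
// never from the request or by gluing "image/" to the extension.
$mimeTypes = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// Uniform refusal: status code plus a short plain-text body, then stop.
function deny(int $status, string $reason): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $reason;
    exit;
}

// 1. Authentication. Assumption: the album sets $_SESSION['user'] on login.
$user = $_SESSION['user'] ?? null;
if ($user === null) {
    deny(401, 'login required');
}

// 2. Identify the image by an opaque numeric id, never by a client-supplied
//    file name, so there is no path for the client to traverse.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null || !isset($images[$id])) {
    deny(404, 'no such image');
}

// 3. Authorization: the per-image check that a direct URL would skip.
if (!in_array($user, $images[$id]['allowed'], true)) {
    deny(403, 'not allowed');
}

// 4. Defence in depth: even with a server-side table, refuse anything that
//    resolves outside the private directory (guards against a bad entry).
$file = basename($images[$id]['file']);
$path = realpath($baseDir . DIRECTORY_SEPARATOR . $file);
if ($path === false
    || strncmp($path, $baseDir . DIRECTORY_SEPARATOR, strlen($baseDir) + 1) !== 0) {
    deny(404, 'no such image');
}

$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if (!isset($mimeTypes[$ext])) {
    deny(404, 'no such image');
}

// 5. Send the bytes. "private, no-store" keeps shared caches and the browser
//    from handing a restricted image to the next visitor.
header('Content-Type: ' . $mimeTypes[$ext]);
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: inline; filename="' . $file . '"');
header('Cache-Control: private, no-store, max-age=0');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The album page embeds `<img src='image.php?id=2' ... />` exactly as in the post above. Because nothing under the web root points at the real files, a guessed URL or a search-engine index returns nothing, and this script is the only route to the bytes. That holds regardless of which Windows account PHP runs under, since the decision is made in the script rather than in NTFS permissions; the one thing that must be true is that the image directory is not reachable through any IIS virtual directory.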