Discussion:
About the permissions on the ftproot folder
Yagami
2006-07-25 08:48:03 UTC
Permalink
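After installing IIS 6.0 FTP, the default directory is inetpub\ftproot. This directory does not grant iusr_computername read or write permission; is it a special directory?
I used "Effective Permissions" (有效權限) and selected iusr_computername to check, and found that this user can read and write the ftproot folder.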
Bernard Cheah [MVP]
2006-07-26 05:43:47 UTC
Permalink
Don't quite get you. by default iusr doesn't have permission to write on
ftproot.
you found out that you can write file otherwise?
what's the effective ACLs of the folder?
system - full control
administrator - xxxxxxx
etc
--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/
Yagami
2006-07-26 07:27:02 UTC
Permalink
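Sorry for asking a vague question.
If I allow write permission in the IIS settings, a client can upload files using anonymous.
But the ftproot folder does not grant iusr any access permission, and neither does Guests, so isn't that strange?
The ACLs on ftproot are:
Administrators --> Full Control
Creator Owner --> Full Control
System --> Full Control
Users --> R&Execute, Special (Create Files & Create Folders)

Using "Effective Permissions" (有效權限) and selecting iusr, I found that iusr can create files, which seems very strange.........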
Bernard Cheah [MVP]
2006-07-26 10:18:54 UTC
Permalink
This is not possible. Unless iusr_computername is part of the administrator
group.

what do you mean by this part?
"Using 有效權限 [Effective Permissions], I selected iusr and found that iusr can create files, which seems very strange"

Sorry, don't quite get 有效權限 [Effective Permissions]. how do you login to the ftp and write file?
--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/
Yagami
2006-07-27 02:28:01 UTC
Permalink
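It really is strange; it is as if the NTFS permissions have stopped working, and only the IIS permissions can be used for control.....
Effective Permissions (有效權限):
Right-click ftproot --> Properties --> Security --> Advanced --> Effective Permissions
After selecting iusr_computername, it shows that iusr_computername has permission to write files...........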
Bernard Cheah [MVP]
2006-07-27 06:03:00 UTC
Permalink
Errr. do you mean you add the account in the 'effective permissions' of the
Advanced security dialog box of the ftp root directory?
in that case - this is NTFS permissions, right?

if you have granted iusr 'WRITE' permissions. of coz the account will be able
to write file......

if i'm wrong. pls post a picture of the 有效權限 [Effective Permissions] that you are talking about.
--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/
Yagami
2006-07-27 06:39:01 UTC
Permalink
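The screenshot is here:
http://www.pixnet.net/displayimage.php?pos=-34887231

I have not added iusr_computername to any group; it should only belong to Guests, I think....
But on the Effective Permissions page, when I select the iusr_computername account,
I find that it has a lot of permissions.....
Of course, I have not granted this account any permissions either.
I simply installed IIS, and this is how it is......
Is it only me? Or is this..... a BUG???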
Bernard Cheah [MVP]
2006-07-27 06:44:32 UTC
Permalink
So I was correct. Well.... what do you have in Users group?
Authenticated user? if yes, once anonymous user successfully authenticated,
the user is effected as 'authenticated user'.
but I see your user group has R&E permission only.
But you have another creator owner full control. take it out and test...

NTFS is the final level of file access, if the user doesn't have permission,
he/she will not be able to write file. simple as that.
if the anonymous account can write, meaning somewhere the permissions were
inherited.
--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/
Yagami
2006-07-27 07:09:02 UTC
Permalink
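Sir, you were right.
The Users group contains NT AUTHORITY\Authenticated Users..........
And besides R&E, the Users group also has permission to write files and write folders, which is inherited from the permissions on C:\
Although my confusion has been cleared up, is this Microsoft default a good practice??
In any case, thank you for taking the trouble to keep answering my questions~
Thank You very much....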
Bernard Cheah [MVP]
2006-07-27 08:46:37 UTC
Permalink
Mm... I'm sure so much about the default setup?
coz, for me after each setup, I will reapply NTFS permissions myself. hardly
use the 'default' one :)
and definitely this 'users' group will not be in the ACLs.
--
Regards,
Bernard Cheah
http://www.iis.net/
http://www.iis-resources.com/
http://msmvps.com/blogs/bernard/
Yagami
2006-07-27 08:55:02 UTC
Permalink
Mm-hm, understood!!
Thank you very much indeed!
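The result this thread arrives at, modelled as an added example that is not part of any post: a simplified access check over the ftproot ACL as posted, showing that the anonymous account's write access comes from the inherited Users entry through nested group membership. The rights bits, group table, logon SIDs and the hardened ACL are constructed assumptions for illustration, not values read from a real server.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified rights bits; names follow the permission entries quoted in the thread.
READ_EXECUTE, CREATE_FILES, CREATE_FOLDERS, OTHER = 0x1, 0x2, 0x4, 0x8
FULL_CONTROL = READ_EXECUTE | CREATE_FILES | CREATE_FOLDERS | OTHER

@dataclass(frozen=True)
class Ace:
    trustee: str
    allow: bool
    rights: int
    inherited_from: Optional[str] = None  # None: explicit or not stated in the thread

# Constructed group data. The thread confirms Users contains Authenticated Users.
GROUPS = {
    "Administrators": {"Administrator"},
    "Guests": {"IUSR_COMPUTERNAME"},
    "Users": {"NT AUTHORITY\\Authenticated Users"},
}
# Assumption (per the thread): a logged-on anonymous FTP user carries these.
LOGON_SIDS = {"Everyone", "NT AUTHORITY\\Authenticated Users"}

# ftproot ACL as posted in the thread. CREATOR OWNER is a placeholder that is
# swapped for the owner on newly created children; it matches no token here.
FTPROOT_ACL = [
    Ace("Administrators", True, FULL_CONTROL),
    Ace("CREATOR OWNER", True, FULL_CONTROL),
    Ace("SYSTEM", True, FULL_CONTROL),
    Ace("Users", True, READ_EXECUTE),
    Ace("Users", True, CREATE_FILES | CREATE_FOLDERS, inherited_from="C:\\"),
]

def build_token(account, groups=GROUPS, logon_sids=LOGON_SIDS):
    """Expand nested group membership until no new group is added."""
    token = {account} | set(logon_sids)
    while True:
        new = {g for g, members in groups.items() if g not in token and token & members}
        if not new:
            return token
        token |= new

def effective_rights(token, acl):
    """Walk ACEs in order; return (granted mask, ACEs that contributed bits)."""
    granted, denied, sources = 0, 0, []
    for ace in acl:
        if ace.trustee not in token:
            continue
        if not ace.allow:
            denied |= ace.rights & ~granted
            continue
        added = ace.rights & ~denied & ~granted
        if added:
            granted |= added
            sources.append((ace, added))
    return granted, sources

def write_sources(account, acl):
    """Which ACEs let this account create files, and where they come from."""
    _, sources = effective_rights(build_token(account), acl)
    return [(a.trustee, a.inherited_from) for a, bits in sources if bits & CREATE_FILES]

# Hardened ACL (assumption for illustration): Users entries removed, as the
# reply describes, and the anonymous account given read-only access explicitly.
HARDENED_ACL = [a for a in FTPROOT_ACL if a.trustee != "Users"] + [
    Ace("IUSR_COMPUTERNAME", True, READ_EXECUTE)
]
```

`write_sources("IUSR_COMPUTERNAME", FTPROOT_ACL)` names the inherited Users entry from C:\ as the only source of write access; against `HARDENED_ACL` it returns nothing.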