Greetings.

> -----Original Message-----
[...]
> Apparently permissions on winNT is something
> unexpected and new for those who are used to older win32 systems.
> Moreover, error_log usually tells what the exact problem is when the
> code is written properly to report errors (e.g., checking the return
> status of system()). My guess is that this should work on winNT too.

I am a little late on this one (vacations) however, it may be of general [win32] interest highlighting the fact that the "allow service to interact with desktop" thingy is just the start of a more general can of worms that Win{Nt,2K} permissions and general system interaction open up. (None of these is mp specific, so sue me :-) )

For documentation purposes I am listing my most popular pet peeves below:

i) "allow service to interact with desktop"

Not only an issue with GUI-enabled apps, but also with apps that like to use popups (say, through MsgBox) and hang forever waiting for somebody to press "OK".

ii) Access to networked disks/resources

NT services, by default, run as user LocalSystem which is pretty powerful on the local machine and totally powerless network-wide. This means that most accesses to network resources *WILL* fail UNLESS the service is being told to impersonate a specific user, whose password must be known and typed in the like-labeled entry. If this course of action is chosen, then a special user should be created for this purpose: this will prevent "mysterious" failures when a sysadmin changes a password... But read on.

iii) DCOM configuration.

This can kick in for applications using out-of-process COM servers, most often after the impersonation thing (see (ii)) has been set up. The fact that DCOM is involved is a little puzzling, however WinNT and siblings enforce DCOM security rules also across process boundaries. Basically, one needs to be sure that the user (LocalSystem or whatever) that the apache service impersonates is also in the access/launch/configure list for the needed COM servers (this is typically the default security list, but an application is permitted to specify its own). Sounds horrid enough? Wait 'til you've seen the interface of DCOMCNFG.exe - the application that is used to configure DCOM security... (by the way, to invoke this one, you need to type "dcomcnfg" in the Start->Run... dialog. It is not on any menu/control panel applet I know of).

iv) Mounted drives

Drives that are permanently assigned a letter will not be available when no one is logged on - this cannot be solved by impersonation and I do not know whether a workaround is available.

Finding these pitfalls is particularly tricky because they tend to disappear if someone is logged on the machine, or if apache is run manually rather than as a service etc.

With regard to point (iii) it is interesting to note that IIS works around it by creating a special user it runs under (IUSR_fubar).

Cheers,
alf
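
An added example, not part of the original message: a PowerShell check of one service's configuration against points (i), (ii) and (iv) above, using the Win32_Service and Win32_LogicalDisk CIM classes. The service name Apache2.4 is an assumption, and the drive check can only see mappings that exist in the session running the script.

```powershell
# Added example (not from the original message): audit a service for
# pitfalls (i), (ii) and (iv). 'Apache2.4' is an assumed service name.
param([string]$ServiceName = 'Apache2.4')

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }

$findings = [System.Collections.Generic.List[string]]::new()

# (i) "Allow service to interact with desktop" is exposed as DesktopInteract.
if ($svc.DesktopInteract) {
    $findings.Add('(i) Interactive service: a popup can hang it forever when nobody is there to press OK.')
}

# (ii) The logon account decides what the service can reach over the network.
if ($svc.StartName -eq 'LocalSystem') {
    $findings.Add('(ii) Runs as LocalSystem: expect access to network resources to fail unless a dedicated account is configured.')
} else {
    $findings.Add("(ii) Runs as '$($svc.StartName)': confirm this is a dedicated service account, so a routine password change does not break the service.")
}

# (iv) Drive letters in the command line: flag any that are network mappings.
# Only mappings visible to the session running this script can be detected.
$letters = [regex]::Matches($svc.PathName, '(?<![A-Za-z])[A-Za-z]:(?=\\)') |
    ForEach-Object { $_.Value.ToUpper() } | Sort-Object -Unique
foreach ($letter in $letters) {
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$letter'"
    if (-not $disk) {
        $findings.Add("(iv) $letter is not defined in this session; check that it exists for the service.")
    } elseif ($disk.DriveType -eq 4) {   # 4 = network drive
        $findings.Add("(iv) $letter is a mapped network drive: it will not be available when no one is logged on.")
    }
}

$findings
```

The script only inspects the service's own command line; paths inside the Apache configuration files need the same drive-letter check.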