Greetings.
> -----Original Message-----
[...]
> Apparently permissions on winNT is something
> unexpected and new for those who are used to older win32 systems.
> Moreover, error_log usually tells what the exact problem is when the
> code is written properly to report errors (e.g., checking the return
> status of system()). My guess is that this should work on winNT too.
I am a little late on this one (vacations) however, it may be of general
[win32] interest highlighting the fact that the "allow service to interact
with desktop" thingy is just the start
of a more general can of worms that Win{Nt,2K} permissions and general
system interaction open up.
(None of these is mp specific, so sue me :-) )
For documentation purposes I am listing my most popular pet peeves below:
i) "allow service to interact with desktop"
Not only an issue with GUI-enbled apps, but also with apps that like to use
popups (say, through
MsgBox) and hang forever waiting fot somebody to press "OK"
ii) Access to networked disks/resources
NT services, by default, run as user LocalSystem which is pretty powerful on
the local machine and
totally powerless network-wide. This means that most accesses to network
resources *WILL* fail UNLESS the service is being told to impersonate a
specific user, whose password must be known and typed in the like-labeled
entry. If this course of action is chosen, then a special user should be
created for this purpose: this will prevent "mysterious" failures when a
sysadmin changes a password...But read on.
iii) DCOM configuration.
This can kick in for applications using out-of-process COM servers, most
often after the impersonation thing (see (ii)) has been set up. The fact
that DCOM is involved is a little puzzling, however WinNT and siblings
enforce DCOM security rules also across process boundaries.
Basically, one needs to be sure that the user (LocalSystem or whatever) that
the apache service impersonates is also in the access/launch/configure list
for the needed COM servers (this is tipically the default security list, but
an application is permitted to specify its own).
Sounds horrid enough? Wait 'til you've seen the interface of DCOMCNFG.exe -
the application that is used to configure DCOM security... (by the way, to
invoke this one, ypu need to type "dcomcnfg" in the Start->Run... dialog. It
is not on any menu/control panel applet I know of).
iv) Mounted drives
Drives that are permanently assigned a letter will not be available when
noone is logged on -
this cannot be solved by impersonation and I do not know wether a workaround
is available.
Finding these pitfalls is particularly tricky because they tend to disappear
if someone is logged on the machine, or if apache is run manually rather
than as a service etc. With regard to point (iii) it is interesting to note
that IIS works around it by creating a special user it runs under
(IUSR_fubar).
Cheers,
alf
