Bug #27051 [Com]: Impersonation with FastCGI does not EXEC process as impersonated user

Wed, 24 Mar 2010 15:05:09 -0700 

Edit report at http://bugs.php.net/bug.php?id=27051&edit=1

 ID:               27051
 Comment by:       heer2351 at zonnet dot nl
 Reported by:      ghoffer at globalscape dot com
 Summary:          Impersonation with FastCGI does not EXEC process as
                   impersonated user
 Status:           Closed
 Type:             Bug
 Package:          CGI related
 Operating System: Windows
 PHP Version:      5.3
 Assigned To:      pajoye

 New Comment:

FastCGI impersonation is configured correctly and ProcMon shows that
cmd.exe is started with the correct user. The fork error however still
shows.



I am now downloading the php-5.3.3-dev-nts-Win32-VC9-x86-dfsfix.zip file
and will check if that solves the problem.


Previous Comments:
------------------------------------------------------------------------
[2010-03-24 22:51:11] [email protected]

See my comment and related link in #50542

------------------------------------------------------------------------
[2010-03-24 22:48:17] [email protected]

Again, I did check in all possible configurations and it does work.



However please configure impersonation correctly for FastCGI (that's not
the App pool settings).

------------------------------------------------------------------------
[2010-03-24 22:45:31] heer2351 at zonnet dot nl

Thanks for your fast response.



I am running the website using an application pool and have configured a
special user for that pool. I use the same user for anonymous access. So
both the website as well as PHP use the same identity. This user has all
the required rights. 



Just to test I have given this user rights to %COMSPEC% using cacls.
Same error.

Gave IUSR_xxx rights, same error.

Gave IWAM_xxx rights, same error.



Please check what has changed between 5.2.13 and 5.3.2

------------------------------------------------------------------------
[2010-03-24 22:14:23] [email protected]

Let me copy my note here as well:



Quick note here. It is necessary to give a given IUSR_* the permission

to use cmd.exe (%COMSPEC%). It is recommended not to do it as it may

introduce security issues, obviously. But if you really want to do it,

use:



cacls %COMSPEC% /E /G IUSR_xxxx:R

------------------------------------------------------------------------
[2010-03-24 22:09:25] [email protected]

you have >to give< the permission

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    http://bugs.php.net/bug.php?id=27051


-- 
Edit this bug report at http://bugs.php.net/bug.php?id=27051&edit=1

Reply via email to