Bug #27051 [Com]: Impersonation with FastCGI does not EXEC process as impersonated user
Edit report at http://bugs.php.net/bug.php?id=27051&edit=1 ID: 27051 Comment by: heer2351 at zonnet dot nl Reported by: ghoffer at globalscape dot com Summary: Impersonation with FastCGI does not EXEC process as impersonated user Status: Feedback Type: Bug Package: CGI related Operating System: Windows PHP Version: 5.3 Assigned To: pajoye New Comment: Located the problem and have been able to fix it. I am using a special user for my Application Pool (say AppPoolUser), so PHP runs as this user. The new exec function uses CreateProcessAsUser() with impersonation. This means that the AppPoolUser must have the right to change the process level token. You can assign this right to the user in the "Local Security Settings" -> User Rights Assignment. I have granted my AppPoolUser the "Replace a process level token" setting -> fork error has gone. Thought this might be useful information, so access is required to cmd.exe but in addition the "Replace a process level token" setting. Previous Comments: [2010-03-25 00:45:36] paj...@php.net I will repeat a last time :) It does work here using IIS6 and the exact same windows version of FastCGI. The other users with issues with that have solved the problem as well using latest 5.3 and the right configuration. There are differences between 5.2 and 5.3, a lot. One of them is a working impersonation (which is not only about exec). [2010-03-25 00:40:55] heer2351 at zonnet dot nl Thanks for your help. I think there are still more people with the same problem. I will try to find a solution and will post here if I find one. For now I stick with 5.2.13 I am not convinced it is a config problem. Will dig into SVN and find what the difference is between the two versions. [2010-03-25 00:30:20] paj...@php.net I don't know either and hard to say why it does not work for you but for us (same config). I feel like you actually configure it wrong. impersonation in 5.2 was not fully working and was not doing the right thing (not only for exec&co). I can't help further without more details about how you configure the impersonation or having a remote access to debug. [2010-03-25 00:17:50] heer2351 at zonnet dot nl Changed to your suggestion with \\, same error. Changed to 5.2.13 ran my version and your version both echo the correct username. [2010-03-25 00:13:31] heer2351 at zonnet dot nl What I do not understand is that 5.2.13 works and 5.3.2 (or 5.3.3) does not work with the same configuration. The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/bug.php?id=27051 -- Edit this bug report at http://bugs.php.net/bug.php?id=27051&edit=1
Bug #27051 [Com]: Impersonation with FastCGI does not EXEC process as impersonated user
Edit report at http://bugs.php.net/bug.php?id=27051&edit=1
ID: 27051
Comment by: heer2351 at zonnet dot nl
Reported by: ghoffer at globalscape dot com
Summary: Impersonation with FastCGI does not EXEC process as
impersonated user
Status: Feedback
Type: Bug
Package: CGI related
Operating System: Windows
PHP Version: 5.3
Assigned To: pajoye
New Comment:
Thanks for your help. I think there are still more people with the same
problem. I will try to find a solution and will post here if I find
one.
For now I stick with 5.2.13
I am not convinced it is a config problem. Will dig into SVN and find
what the difference is between the two versions.
Previous Comments:
[2010-03-25 00:30:20] paj...@php.net
I don't know either and hard to say why it does not work for you but for
us (same config).
I feel like you actually configure it wrong. impersonation in 5.2 was
not fully working and was not doing the right thing (not only for
exec&co).
I can't help further without more details about how you configure the
impersonation or having a remote access to debug.
[2010-03-25 00:17:50] heer2351 at zonnet dot nl
Changed to your suggestion with \\, same error.
Changed to 5.2.13 ran my version and your version both echo the correct
username.
[2010-03-25 00:13:31] heer2351 at zonnet dot nl
What I do not understand is that 5.2.13 works and 5.3.2 (or 5.3.3) does
not work with the same configuration.
[2010-03-25 00:11:56] paj...@php.net
echo exec('c:\Windows\System32\whoami'); can't work.
echo exec('c:\\Windows\\System32\\whoami'); should work.
[2010-03-25 00:09:56] heer2351 at zonnet dot nl
Box is behind a company firewall so you can unfortunately not access
it.
This is an intranet site.
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/bug.php?id=27051
--
Edit this bug report at http://bugs.php.net/bug.php?id=27051&edit=1
Bug #27051 [Com]: Impersonation with FastCGI does not EXEC process as impersonated user
Edit report at http://bugs.php.net/bug.php?id=27051&edit=1
ID: 27051
Comment by: heer2351 at zonnet dot nl
Reported by: ghoffer at globalscape dot com
Summary: Impersonation with FastCGI does not EXEC process as
impersonated user
Status: Feedback
Type: Bug
Package: CGI related
Operating System: Windows
PHP Version: 5.3
Assigned To: pajoye
New Comment:
Changed to your suggestion with \\, same error.
Changed to 5.2.13 ran my version and your version both echo the correct
username.
Previous Comments:
[2010-03-25 00:13:31] heer2351 at zonnet dot nl
What I do not understand is that 5.2.13 works and 5.3.2 (or 5.3.3) does
not work with the same configuration.
[2010-03-25 00:11:56] paj...@php.net
echo exec('c:\Windows\System32\whoami'); can't work.
echo exec('c:\\Windows\\System32\\whoami'); should work.
[2010-03-25 00:09:56] heer2351 at zonnet dot nl
Box is behind a company firewall so you can unfortunately not access
it.
This is an intranet site.
[2010-03-25 00:08:31] heer2351 at zonnet dot nl
This is what I ran:
ProcMon shows cmd.exe being started by php-cgi.exe
A thread is created running as the correct user.
Excecuted command is: cmd.exe /c "c:\Windows\System32\whoami"
I do notice that the process exits with Exit Status 5, which is normally
access denied.
I have however already tried to give Everyone full access to the whole
machine, i.e. all drives. Still the same error.
[2010-03-25 00:04:10] paj...@php.net
btw, is it possible to access this box? I could try to debug what's
wrong there as it works just fine with the same constellation here (same
windows, IIS and fcgi versions).
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/bug.php?id=27051
--
Edit this bug report at http://bugs.php.net/bug.php?id=27051&edit=1
Bug #27051 [Com]: Impersonation with FastCGI does not EXEC process as impersonated user
Edit report at http://bugs.php.net/bug.php?id=27051&edit=1
ID: 27051
Comment by: heer2351 at zonnet dot nl
Reported by: ghoffer at globalscape dot com
Summary: Impersonation with FastCGI does not EXEC process as
impersonated user
Status: Feedback
Type: Bug
Package: CGI related
Operating System: Windows
PHP Version: 5.3
Assigned To: pajoye
New Comment:
What I do not understand is that 5.2.13 works and 5.3.2 (or 5.3.3) does
not work with the same configuration.
Previous Comments:
[2010-03-25 00:11:56] paj...@php.net
echo exec('c:\Windows\System32\whoami'); can't work.
echo exec('c:\\Windows\\System32\\whoami'); should work.
[2010-03-25 00:09:56] heer2351 at zonnet dot nl
Box is behind a company firewall so you can unfortunately not access
it.
This is an intranet site.
[2010-03-25 00:08:31] heer2351 at zonnet dot nl
This is what I ran:
ProcMon shows cmd.exe being started by php-cgi.exe
A thread is created running as the correct user.
Excecuted command is: cmd.exe /c "c:\Windows\System32\whoami"
I do notice that the process exits with Exit Status 5, which is normally
access denied.
I have however already tried to give Everyone full access to the whole
machine, i.e. all drives. Still the same error.
[2010-03-25 00:04:10] paj...@php.net
btw, is it possible to access this box? I could try to debug what's
wrong there as it works just fine with the same constellation here (same
windows, IIS and fcgi versions).
[2010-03-25 00:00:09] paj...@php.net
It is not the same context using runas or impersonate.
Did you use "c:\\\\whoami" or "cmd /c..."?
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/bug.php?id=27051
--
Edit this bug report at http://bugs.php.net/bug.php?id=27051&edit=1
Bug #27051 [Com]: Impersonation with FastCGI does not EXEC process as impersonated user
Edit report at http://bugs.php.net/bug.php?id=27051&edit=1 ID: 27051 Comment by: heer2351 at zonnet dot nl Reported by: ghoffer at globalscape dot com Summary: Impersonation with FastCGI does not EXEC process as impersonated user Status: Feedback Type: Bug Package: CGI related Operating System: Windows PHP Version: 5.3 Assigned To: pajoye New Comment: Box is behind a company firewall so you can unfortunately not access it. This is an intranet site. Previous Comments: [2010-03-25 00:08:31] heer2351 at zonnet dot nl This is what I ran: ProcMon shows cmd.exe being started by php-cgi.exe A thread is created running as the correct user. Excecuted command is: cmd.exe /c "c:\Windows\System32\whoami" I do notice that the process exits with Exit Status 5, which is normally access denied. I have however already tried to give Everyone full access to the whole machine, i.e. all drives. Still the same error. [2010-03-25 00:04:10] paj...@php.net btw, is it possible to access this box? I could try to debug what's wrong there as it works just fine with the same constellation here (same windows, IIS and fcgi versions). [2010-03-25 00:00:09] paj...@php.net It is not the same context using runas or impersonate. Did you use "c:\\\\whoami" or "cmd /c..."? [2010-03-24 23:58:27] heer2351 at zonnet dot nl Result: PHP Warning: exec(): Unable to fork [c:\Windows\System32\whoami] in D:\Web\Public\Typo3\v4_2_6\fdha_hr\hr\forkTest.php on line 2 [2010-03-24 23:56:20] heer2351 at zonnet dot nl BTW if I run the same script on the webserver using fakeCGI and runas to run as the application pool user it works. Fake FastCGI web server FCGI_PARAMS sent FCGI_STDIN sent Launching receive loop FCGI_STDOUT: X-Powered-By: PHP/5.3.2 Content-type: text/html; charset=utf-8 Hello World!" FCGI_END_REQUEST received killing app FastCGI process exited with 0 So the problem is definitely in the combination IIS6 and PHP 5.3 The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/bug.php?id=27051 -- Edit this bug report at http://bugs.php.net/bug.php?id=27051&edit=1
Bug #27051 [Com]: Impersonation with FastCGI does not EXEC process as impersonated user
Edit report at http://bugs.php.net/bug.php?id=27051&edit=1 ID: 27051 Comment by: heer2351 at zonnet dot nl Reported by: ghoffer at globalscape dot com Summary: Impersonation with FastCGI does not EXEC process as impersonated user Status: Feedback Type: Bug Package: CGI related Operating System: Windows PHP Version: 5.3 Assigned To: pajoye New Comment: This is what I ran: ProcMon shows cmd.exe being started by php-cgi.exe A thread is created running as the correct user. Excecuted command is: cmd.exe /c "c:\Windows\System32\whoami" I do notice that the process exits with Exit Status 5, which is normally access denied. I have however already tried to give Everyone full access to the whole machine, i.e. all drives. Still the same error. Previous Comments: [2010-03-25 00:04:10] paj...@php.net btw, is it possible to access this box? I could try to debug what's wrong there as it works just fine with the same constellation here (same windows, IIS and fcgi versions). [2010-03-25 00:00:09] paj...@php.net It is not the same context using runas or impersonate. Did you use "c:\\\\whoami" or "cmd /c..."? [2010-03-24 23:58:27] heer2351 at zonnet dot nl Result: PHP Warning: exec(): Unable to fork [c:\Windows\System32\whoami] in D:\Web\Public\Typo3\v4_2_6\fdha_hr\hr\forkTest.php on line 2 [2010-03-24 23:56:20] heer2351 at zonnet dot nl BTW if I run the same script on the webserver using fakeCGI and runas to run as the application pool user it works. Fake FastCGI web server FCGI_PARAMS sent FCGI_STDIN sent Launching receive loop FCGI_STDOUT: X-Powered-By: PHP/5.3.2 Content-type: text/html; charset=utf-8 Hello World!" FCGI_END_REQUEST received killing app FastCGI process exited with 0 So the problem is definitely in the combination IIS6 and PHP 5.3 [2010-03-24 23:53:10] paj...@php.net Can you try using: c:\Windows\System32\whoami please? The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/bug.php?id=27051 -- Edit this bug report at http://bugs.php.net/bug.php?id=27051&edit=1
Bug #27051 [Com]: Impersonation with FastCGI does not EXEC process as impersonated user
Edit report at http://bugs.php.net/bug.php?id=27051&edit=1 ID: 27051 Comment by: heer2351 at zonnet dot nl Reported by: ghoffer at globalscape dot com Summary: Impersonation with FastCGI does not EXEC process as impersonated user Status: Feedback Type: Bug Package: CGI related Operating System: Windows PHP Version: 5.3 Assigned To: pajoye New Comment: Result: PHP Warning: exec(): Unable to fork [c:\Windows\System32\whoami] in D:\Web\Public\Typo3\v4_2_6\fdha_hr\hr\forkTest.php on line 2 Previous Comments: [2010-03-24 23:56:20] heer2351 at zonnet dot nl BTW if I run the same script on the webserver using fakeCGI and runas to run as the application pool user it works. Fake FastCGI web server FCGI_PARAMS sent FCGI_STDIN sent Launching receive loop FCGI_STDOUT: X-Powered-By: PHP/5.3.2 Content-type: text/html; charset=utf-8 Hello World!" FCGI_END_REQUEST received killing app FastCGI process exited with 0 So the problem is definitely in the combination IIS6 and PHP 5.3 [2010-03-24 23:53:10] paj...@php.net Can you try using: c:\Windows\System32\whoami please? [2010-03-24 23:50:21] heer2351 at zonnet dot nl I am using a simple test script to do the test: FastCGI impersonation: In PHP.ini fastcgi.impersonate = 1 IIS: Anonymous Authentication = On User is same user as Application Pool user User has been added to IIS_WPG [2010-03-24 23:40:45] paj...@php.net And how exactly did you configure FCGI (impersonation). As your configuration is exactly one of my tests configuration, and it works just fine. [2010-03-24 23:39:38] paj...@php.net Yes, which command do you call? The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/bug.php?id=27051 -- Edit this bug report at http://bugs.php.net/bug.php?id=27051&edit=1
Bug #27051 [Com]: Impersonation with FastCGI does not EXEC process as impersonated user
Edit report at http://bugs.php.net/bug.php?id=27051&edit=1 ID: 27051 Comment by: heer2351 at zonnet dot nl Reported by: ghoffer at globalscape dot com Summary: Impersonation with FastCGI does not EXEC process as impersonated user Status: Feedback Type: Bug Package: CGI related Operating System: Windows PHP Version: 5.3 Assigned To: pajoye New Comment: BTW if I run the same script on the webserver using fakeCGI and runas to run as the application pool user it works. Fake FastCGI web server FCGI_PARAMS sent FCGI_STDIN sent Launching receive loop FCGI_STDOUT: X-Powered-By: PHP/5.3.2 Content-type: text/html; charset=utf-8 Hello World!" FCGI_END_REQUEST received killing app FastCGI process exited with 0 So the problem is definitely in the combination IIS6 and PHP 5.3 Previous Comments: [2010-03-24 23:53:10] paj...@php.net Can you try using: c:\Windows\System32\whoami please? [2010-03-24 23:50:21] heer2351 at zonnet dot nl I am using a simple test script to do the test: FastCGI impersonation: In PHP.ini fastcgi.impersonate = 1 IIS: Anonymous Authentication = On User is same user as Application Pool user User has been added to IIS_WPG [2010-03-24 23:40:45] paj...@php.net And how exactly did you configure FCGI (impersonation). As your configuration is exactly one of my tests configuration, and it works just fine. [2010-03-24 23:39:38] paj...@php.net Yes, which command do you call? [2010-03-24 23:22:18] heer2351 at zonnet dot nl Maybe superfluous, but the only change I make is in the fcgiext.ini I change the ExePath from: ExePath=D:\PHP\PHP_5_2_13\php-cgi.exe No fork error To ExePath=D:\PHP\PHP_5_3_3_dev\php-cgi.exe Fork error Rights are assigned on D:\PHP and inherit down, so that can not be the problem. No other changes to my environment for the problem to appear. The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/bug.php?id=27051 -- Edit this bug report at http://bugs.php.net/bug.php?id=27051&edit=1
Bug #27051 [Com]: Impersonation with FastCGI does not EXEC process as impersonated user
Edit report at http://bugs.php.net/bug.php?id=27051&edit=1 ID: 27051 Comment by: heer2351 at zonnet dot nl Reported by: ghoffer at globalscape dot com Summary: Impersonation with FastCGI does not EXEC process as impersonated user Status: Feedback Type: Bug Package: CGI related Operating System: Windows PHP Version: 5.3 Assigned To: pajoye New Comment: I am using a simple test script to do the test: FastCGI impersonation: In PHP.ini fastcgi.impersonate = 1 IIS: Anonymous Authentication = On User is same user as Application Pool user User has been added to IIS_WPG Previous Comments: [2010-03-24 23:40:45] paj...@php.net And how exactly did you configure FCGI (impersonation). As your configuration is exactly one of my tests configuration, and it works just fine. [2010-03-24 23:39:38] paj...@php.net Yes, which command do you call? [2010-03-24 23:22:18] heer2351 at zonnet dot nl Maybe superfluous, but the only change I make is in the fcgiext.ini I change the ExePath from: ExePath=D:\PHP\PHP_5_2_13\php-cgi.exe No fork error To ExePath=D:\PHP\PHP_5_3_3_dev\php-cgi.exe Fork error Rights are assigned on D:\PHP and inherit down, so that can not be the problem. No other changes to my environment for the problem to appear. [2010-03-24 23:17:05] heer2351 at zonnet dot nl 5.3.3.dev did not solve the problem Had most versions in my first post: PHP 5.3.2 (cgi-fcgi) (built: Mar 3 2010 20:47:00) FastCGI DLL Version 7.5.7693.0 Microsoft Windows Server 2003R2 IIS6 - dll's have version 6.0.3790.1830 Do you need anymore information? [2010-03-24 23:07:38] paj...@php.net Then I need more details about your exact configuration (windows version, IIS version, fastcgi version, etc.) The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/bug.php?id=27051 -- Edit this bug report at http://bugs.php.net/bug.php?id=27051&edit=1
Bug #27051 [Com]: Impersonation with FastCGI does not EXEC process as impersonated user
Edit report at http://bugs.php.net/bug.php?id=27051&edit=1 ID: 27051 Comment by: heer2351 at zonnet dot nl Reported by: ghoffer at globalscape dot com Summary: Impersonation with FastCGI does not EXEC process as impersonated user Status: Feedback Type: Bug Package: CGI related Operating System: Windows PHP Version: 5.3 Assigned To: pajoye New Comment: Maybe superfluous, but the only change I make is in the fcgiext.ini I change the ExePath from: ExePath=D:\PHP\PHP_5_2_13\php-cgi.exe No fork error To ExePath=D:\PHP\PHP_5_3_3_dev\php-cgi.exe Fork error Rights are assigned on D:\PHP and inherit down, so that can not be the problem. No other changes to my environment for the problem to appear. Previous Comments: [2010-03-24 23:17:05] heer2351 at zonnet dot nl 5.3.3.dev did not solve the problem Had most versions in my first post: PHP 5.3.2 (cgi-fcgi) (built: Mar 3 2010 20:47:00) FastCGI DLL Version 7.5.7693.0 Microsoft Windows Server 2003R2 IIS6 - dll's have version 6.0.3790.1830 Do you need anymore information? [2010-03-24 23:07:38] paj...@php.net Then I need more details about your exact configuration (windows version, IIS version, fastcgi version, etc.) [2010-03-24 23:04:59] heer2351 at zonnet dot nl FastCGI impersonation is configured correctly and ProcMon shows that cmd.exe is started with the correct user. The fork error however still shows. I am now downloading the php-5.3.3-dev-nts-Win32-VC9-x86-dfsfix.zip file and will check if that solves the problem. [2010-03-24 22:51:11] paj...@php.net See my comment and related link in #50542 [2010-03-24 22:48:17] paj...@php.net Again, I did check in all possible configurations and it does work. However please configure impersonation correctly for FastCGI (that's not the App pool settings). The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/bug.php?id=27051 -- Edit this bug report at http://bugs.php.net/bug.php?id=27051&edit=1
Bug #27051 [Com]: Impersonation with FastCGI does not EXEC process as impersonated user
Edit report at http://bugs.php.net/bug.php?id=27051&edit=1 ID: 27051 Comment by: heer2351 at zonnet dot nl Reported by: ghoffer at globalscape dot com Summary: Impersonation with FastCGI does not EXEC process as impersonated user Status: Feedback Type: Bug Package: CGI related Operating System: Windows PHP Version: 5.3 Assigned To: pajoye New Comment: 5.3.3.dev did not solve the problem Had most versions in my first post: PHP 5.3.2 (cgi-fcgi) (built: Mar 3 2010 20:47:00) FastCGI DLL Version 7.5.7693.0 Microsoft Windows Server 2003R2 IIS6 - dll's have version 6.0.3790.1830 Do you need anymore information? Previous Comments: [2010-03-24 23:07:38] paj...@php.net Then I need more details about your exact configuration (windows version, IIS version, fastcgi version, etc.) [2010-03-24 23:04:59] heer2351 at zonnet dot nl FastCGI impersonation is configured correctly and ProcMon shows that cmd.exe is started with the correct user. The fork error however still shows. I am now downloading the php-5.3.3-dev-nts-Win32-VC9-x86-dfsfix.zip file and will check if that solves the problem. [2010-03-24 22:51:11] paj...@php.net See my comment and related link in #50542 [2010-03-24 22:48:17] paj...@php.net Again, I did check in all possible configurations and it does work. However please configure impersonation correctly for FastCGI (that's not the App pool settings). [2010-03-24 22:45:31] heer2351 at zonnet dot nl Thanks for your fast response. I am running the website using an application pool and have configured a special user for that pool. I use the same user for anonymous access. So both the website as well as PHP use the same identity. This user has all the required rights. Just to test I have given this user rights to %COMSPEC% using cacls. Same error. Gave IUSR_xxx rights, same error. Gave IWAM_xxx rights, same error. Please check what has changed between 5.2.13 and 5.3.2 The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/bug.php?id=27051 -- Edit this bug report at http://bugs.php.net/bug.php?id=27051&edit=1
Bug #27051 [Com]: Impersonation with FastCGI does not EXEC process as impersonated user
Edit report at http://bugs.php.net/bug.php?id=27051&edit=1 ID: 27051 Comment by: heer2351 at zonnet dot nl Reported by: ghoffer at globalscape dot com Summary: Impersonation with FastCGI does not EXEC process as impersonated user Status: Closed Type: Bug Package: CGI related Operating System: Windows PHP Version: 5.3 Assigned To: pajoye New Comment: FastCGI impersonation is configured correctly and ProcMon shows that cmd.exe is started with the correct user. The fork error however still shows. I am now downloading the php-5.3.3-dev-nts-Win32-VC9-x86-dfsfix.zip file and will check if that solves the problem. Previous Comments: [2010-03-24 22:51:11] paj...@php.net See my comment and related link in #50542 [2010-03-24 22:48:17] paj...@php.net Again, I did check in all possible configurations and it does work. However please configure impersonation correctly for FastCGI (that's not the App pool settings). [2010-03-24 22:45:31] heer2351 at zonnet dot nl Thanks for your fast response. I am running the website using an application pool and have configured a special user for that pool. I use the same user for anonymous access. So both the website as well as PHP use the same identity. This user has all the required rights. Just to test I have given this user rights to %COMSPEC% using cacls. Same error. Gave IUSR_xxx rights, same error. Gave IWAM_xxx rights, same error. Please check what has changed between 5.2.13 and 5.3.2 [2010-03-24 22:14:23] paj...@php.net Let me copy my note here as well: Quick note here. It is necessary to give a given IUSR_* the permission to use cmd.exe (%COMSPEC%). It is recommended not to do it as it may introduce security issues, obviously. But if you really want to do it, use: cacls %COMSPEC% /E /G IUSR_:R [2010-03-24 22:09:25] paj...@php.net you have >to give< the permission The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/bug.php?id=27051 -- Edit this bug report at http://bugs.php.net/bug.php?id=27051&edit=1
Bug #27051 [Com]: Impersonation with FastCGI does not EXEC process as impersonated user
Edit report at http://bugs.php.net/bug.php?id=27051&edit=1 ID: 27051 Comment by: heer2351 at zonnet dot nl Reported by: ghoffer at globalscape dot com Summary: Impersonation with FastCGI does not EXEC process as impersonated user Status: Closed Type: Bug Package: CGI related Operating System: Windows PHP Version: 5.3 Assigned To: pajoye New Comment: Thanks for your fast response. I am running the website using an application pool and have configured a special user for that pool. I use the same user for anonymous access. So both the website as well as PHP use the same identity. This user has all the required rights. Just to test I have given this user rights to %COMSPEC% using cacls. Same error. Gave IUSR_xxx rights, same error. Gave IWAM_xxx rights, same error. Please check what has changed between 5.2.13 and 5.3.2 Previous Comments: [2010-03-24 22:14:23] paj...@php.net Let me copy my note here as well: Quick note here. It is necessary to give a given IUSR_* the permission to use cmd.exe (%COMSPEC%). It is recommended not to do it as it may introduce security issues, obviously. But if you really want to do it, use: cacls %COMSPEC% /E /G IUSR_:R [2010-03-24 22:09:25] paj...@php.net you have >to give< the permission [2010-03-24 22:08:58] paj...@php.net It works just fine and you have the permission to the IIS user to execute the shell. See the other reports about that, I added the explanation and how to configure it correctly there. [2010-03-24 21:43:39] heer2351 at zonnet dot nl PHP 5.3.2 (cgi-fcgi) (built: Mar 3 2010 20:47:00) FastCGI DLL Version 7.5.7693.0 Microsoft Windows Server 2003R2 IIS6 Exact same problem - PHP Warning: exec(): Unable to fork Changed PHP back to: PHP 5.2.13 (cgi-fcgi) (built: Feb 24 2010 14:37:42) No fork problem, so it is not a configuration problem. [2010-02-10 01:00:00] php-bugs at lists dot php dot net No feedback was provided for this bug for over a week, so it is being suspended automatically. If you are able to provide the information that was originally requested, please do so and change the status of the bug back to "Open". The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/bug.php?id=27051 -- Edit this bug report at http://bugs.php.net/bug.php?id=27051&edit=1
Bug #27051 [Com]: Impersonation with FastCGI does not EXEC process as impersonated user
Edit report at http://bugs.php.net/bug.php?id=27051&edit=1 ID: 27051 Comment by: heer2351 at zonnet dot nl Reported by: ghoffer at globalscape dot com Summary: Impersonation with FastCGI does not EXEC process as impersonated user Status: No Feedback Type: Bug Package: CGI related Operating System: Windows PHP Version: 5.3 Assigned To: pajoye New Comment: PHP 5.3.2 (cgi-fcgi) (built: Mar 3 2010 20:47:00) FastCGI DLL Version 7.5.7693.0 Microsoft Windows Server 2003R2 IIS6 Exact same problem - PHP Warning: exec(): Unable to fork Changed PHP back to: PHP 5.2.13 (cgi-fcgi) (built: Feb 24 2010 14:37:42) No fork problem, so it is not a configuration problem. Previous Comments: [2010-02-10 01:00:00] php-bugs at lists dot php dot net No feedback was provided for this bug for over a week, so it is being suspended automatically. If you are able to provide the information that was originally requested, please do so and change the status of the bug back to "Open". [2010-02-03 00:38:52] paj...@php.net It works just fine here, 5.3.1 or later with II6/7. The initial It looks to a configuration problem to me. PLs double check it and come back if you still experience this problem. [2010-02-03 00:13:22] jfjauvin at gmail dot com This bug seems to be still there, no update for a while. From my Process Monitor logs, there is no apparent permission errors. It looks like cmd.exe is not event launched. PHP 5.3.1 MSVC9 FastCGI Microsoft-IIS/7.0 PHP Warning: exec() [function.exec]: Unable to fork ['cmd /c echo Hello World!] in D:\Inetpub\wwwroot\www.example.com\test.php on line 3 "Sequence","Time of Day","Process Name","PID","Operation","Path","Result","Detail" "n/a","12:04:43.1093656 PM","w3wp.exe","4064","CreateFile","D:\Inetpub\wwwroot\www.example.com\test.php\web.config","PATH NOT FOUND","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a, Impersonating: DOMAIN\www.example.com" "n/a","12:04:43.1095972 PM","w3wp.exe","4064","CreateFile","D:\Inetpub\wwwroot\www.example.com\test.php","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, No Buffering, Attributes: RE, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: DOMAIN\www.example.com, OpenResult: Opened" "n/a","12:04:43.1097796 PM","w3wp.exe","4064","QueryAllInformationFile","D:\Inetpub\wwwroot\www.example.com\test.php","BUFFER OVERFLOW","CreationTime: 7/10/2009 11:29:33 AM, LastAccessTime: 7/10/2009 11:29:33 AM, LastWriteTime: 2/2/2010 12:04:35 PM, ChangeTime: 2/2/2010 12:04:35 PM, FileAttributes: A, AllocationSize: 4,096, EndOfFile: 43, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0x1416b, EaSize: 0, Access: Generic Read, Position: 0, Mode: Sequential Access, No Buffering, AlignmentRequirement: Word" "n/a","12:04:43.1102377 PM","php-cgi.exe","2760","CreateFile","D:\Inetpub\wwwroot\www.example.com","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: DOMAIN\www.example.com, OpenResult: Opened" "n/a","12:04:43.1102797 PM","php-cgi.exe","2760","QueryDirectory","D:\Inetpub\wwwroot\www.example.com\test.php","SUCCESS","Filter: test.php, 1: test.php" "n/a","12:04:43.1103154 PM","php-cgi.exe","2760","CloseFile","D:\Inetpub\wwwroot\www.example.com","SUCCESS","" "n/a","12:04:43.1104406 PM","php-cgi.exe","2760","CreateFile","D:\Inetpub\wwwroot","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: DOMAIN\www.example.com, OpenResult: Opened" "n/a","12:04:43.1104738 PM","php-cgi.exe","2760","QueryDirectory","D:\Inetpub\wwwroot\www.example.com","SUCCESS","Filter: www.example.com, 1: www.example.com" "n/a","12:04:43.1105034 PM","php-cgi.exe","2760","CloseFile","D:\Inetpub\wwwroot","SUCCESS","" "n/a","12:04:43.1106205 PM","php-cgi.exe","2760","CreateFile","D:\Inetpub","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, Impersonating: DOMAIN\www.example.com, OpenResult: Opened" "n/a","12:04:43.1106537 PM","php-cgi.exe","2760","QueryDirectory","D:\Inetpub\wwwroot","SUCCESS","Filter: wwwroot, 1: wwwroot" "n/a","12:04:43.1106805 PM","php-cgi.exe","2760","CloseFile","
