Having been forced to use IIS for a PHP project ;-), I have a sticky
configuration issue with IIS under Windows 2000 SP6.
My PHP script does an Exec() of a Win32 utility executable that reads
and modifies the registry. The registry reads work fine, but when
modifying, the executable errors out with an error 5 ("Access
denied").
This despite the fact that I've added the anonymous user to the admin
group, made sure that the folder is accessible to the anonymous user,
etc. Basically have given the anonymous user - at least for testing
purposes - full power on the box.
So... why can't PHP get the executable to run in the correct security
context?
Any ideas appreciated - I need all of the steps necessary to ensure
that the exec has enough power to get the job done (i.e., change
registry settings that the same interactive user can perform)...
Thx

Request for Question Clarification by webadept-ga on 09 Oct 2003 19:20 PDT
Just to make this clear, you are trying to alter the registry on the
"server" that is running the IIS webserver. And you have the IIS
server running as the anonymous user you created with full admin
rights. So when IIS is running and PHP makes the call, the user it is
doing this under is the anonymous user you created, and it is trying
to change the registry on the same physical box that the IIS
webserver is running on.
Also, could you please run this PHP script on that box and post the
reply to a web page I can get to? Edit out the IP addresses for your
security, I just need to see the other settings.
<?php
phpinfo();
?>
Run that, use the View Source to copy the HTML version and save the
HTML version as a file on the internet somewhere (editing it to take
out the IP addresses) and post a link here so I can take a look at it.
Make sure all that is correct, and I'm looking into this now for you.
webadept-ga

Clarification of Question by ame1o-ga on 09 Oct 2003 19:42 PDT
Here's a little more info:
1) I have a command-line executable that both reads and writes the
registry and reports results to stdout. This is running on the same
server as IIS, so there are not remoting issues.
2) Running the command-line executable - from the command-prompt - and
reading/writing the registry works perfectly; the executable works
fine.
3) From the IIS/PHP interface, the exec and the registry reads work
perfectly - it is able to read all of the registry keys and values
through PHP's exec() function. When I attempt to change a key or
value, however, through the web interface, the executable reports an
error 5, correctly. This is a Win32 "access denied" error.
4) I do not currently have access to the machine, but I will dump a
phpinfo for you later tomorrow.
Thanks.

Clarification of Question by ame1o-ga on 09 Oct 2003 19:55 PDT
Actually, I was able to Terminal Services into the box and run
phpinfo. You can find the output here:
http://badblue.com/temp.htm
Thanks.

Request for Question Clarification by webadept-ga on 09 Oct 2003 21:35 PDT
Okay, I have that.. as soon as you can, take that temp page down.. no
need to advertise things.
webadept-ga

Request for Question Clarification by webadept-ga on 09 Oct 2003 22:08 PDT
Okay,
Run this script and see who the box thinks the user is. Do this as a
webpage, not from the command line. We need to know who IIS thinks it
is running as. Something tells me that the permission problem you are
having is because the box thinks you are someone else.
<?php
echo '<pre>';
system('set', $retval);
echo ' </pre>';
?>
Now, if you have it set up for a user that would be able to edit the
registry, then you should get a line from that that says USERNAME. My
guess is no such line is going to show up, meaning that you are not
who you think you are. :-)
But let's find out first.
webadept-ga

Request for Question Clarification by webadept-ga on 09 Oct 2003 22:16 PDT
Example output we are looking for :
USERDOMAIN=KANGA
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINNT
That line USERNAME is the key, the system I have using IIS doesn't
show that line, because you are not a user on the system. Using Apache
it doesn't show that line either, even though Apache is set as a
User:Apache. Other settings need to be set for that line to show up.
webadept-ga

Clarification of Question by ame1o-ga on 10 Oct 2003 08:27 PDT
The USERNAME line does _not_ appear in the output...??

Clarification of Question by ame1o-ga on 10 Oct 2003 09:36 PDT
Here's the full output.
ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINNT
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=NMACSTEST
ComSpec=C:\WINNT\system32\cmd.exe
CONTENT_LENGTH=0
GATEWAY_INTERFACE=CGI/1.1
HTTPS=off
HTTP_ACCEPT=image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
HTTP_ACCEPT_LANGUAGE=en-us
HTTP_CONNECTION=Keep-Alive
HTTP_HOST=localhost
HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP_ACCEPT_ENCODING=gzip, deflate
INSTANCE_ID=1
LOCAL_ADDR=127.0.0.1
NUMBER_OF_PROCESSORS=1
Os2LibPath=C:\WINNT\system32\os2\dll;
OS=Windows_NT
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PATH_INFO=/dougphp2.php
PATH_TRANSLATED=c:\inetpub\wwwroot\dougphp2.php
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0208
ProgramFiles=C:\Program Files
PROMPT=$P$G
REMOTE_ADDR=127.0.0.1
REMOTE_HOST=127.0.0.1
REQUEST_METHOD=GET
SCRIPT_NAME=/dougphp2.php
SERVER_NAME=localhost
SERVER_PORT=80
SERVER_PORT_SECURE=0
SERVER_PROTOCOL=HTTP/1.1
SERVER_SOFTWARE=Microsoft-IIS/5.0
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\WINNT\TEMP
TMP=C:\WINNT\TEMP
USERPROFILE=C:\Documents and Settings\Default User.WINNT
windir=C:\WINNT
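
Added example, not part of the original thread: the check the researcher describes (look for USERNAME in the `set` output) applied programmatically to an excerpt of the dump above and to the interactive output quoted earlier. The function names are hypothetical, and environment variables are only hints, not proof of the account behind the process token.

```python
# Added example (not from the thread): triage a `set` dump from a web-spawned process.
# Environment variables are inherited hints; they do not prove which account's
# token the process holds, so treat the result as a pointer for further checks.

# Excerpt of the dump posted in the thread (IIS/PHP request).
IIS_DUMP = r"""
COMPUTERNAME=NMACSTEST
GATEWAY_INTERFACE=CGI/1.1
SERVER_SOFTWARE=Microsoft-IIS/5.0
USERPROFILE=C:\Documents and Settings\Default User.WINNT
windir=C:\WINNT
"""

# The interactive-logon output the researcher said to look for.
INTERACTIVE_DUMP = r"""
USERDOMAIN=KANGA
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINNT
"""

def parse_env_dump(text):
    """Parse KEY=VALUE lines; Windows variable names are case-insensitive."""
    env = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:  # skips blank lines and lines with an empty name
            env[key.upper()] = value
    return env

def identity_hints(text):
    """Return {finding: detail} for the signs discussed in the thread."""
    env = parse_env_dump(text)
    hints = {}
    if "GATEWAY_INTERFACE" in env:
        hints["cgi_context"] = env.get("SERVER_SOFTWARE", "unknown server")
    if "USERNAME" not in env:
        hints["username_missing"] = "no USERNAME variable in the process environment"
    profile = env.get("USERPROFILE", "")
    if "\\default user" in profile.lower():
        hints["default_profile"] = profile
    return hints

if __name__ == "__main__":
    for name, dump in (("IIS", IIS_DUMP), ("interactive", INTERACTIVE_DUMP)):
        print(name, identity_hints(dump))
```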

Request for Question Clarification by webadept-ga on 10 Oct 2003 19:27 PDT
I figured it wasn't going to, since you don't have rights. Looking at
the output of the Registry is okay for any user, including default,
but you have to have admin rights to change it. So, IIS, needs to be
running with Admin rights. I'll need to do some research to find out
how to do this and I'll get back to you when I find something.
At least we know what the problem is now, just need to find the
solution.
* Just a side note here.. I'm sure you understand that running IIS
with Admin rights on a server that could be gotten to from the outside
world (meaning it is not sitting in a closet somewhere with no
Internet connection at all), is really cyber suicide. I'll find the
setup for you, but I believe it is my responsibility to at least point
this out to you. No amount of security in place on that server is
going to save it, if it is running under Admin rights. Any code will
have some hole in it somewhere (and if it doesn't the OS will), and
most likely, you won't know where it is until it is already exploited.
It may be better to describe what you are trying to achieve by
altering the registry and perhaps I could find an alternative to this
need.
Okay, with that said I'll find the solution for you.
webadept-ga

Request for Question Clarification by webadept-ga on 23 Oct 2003 20:19 PDT
Hi,
I have not been able to find a stable method of doing this, hopefully
one of the other researchers will be able to, and they are just
waiting on me to admit it :-) Normally we answer questions that have
not been answered, if we have the information, but sometimes the
others wait if someone has obviously been working with a client.
So, the question is open if anyone wishes to help this person out..
and now it is in black and white.
webadept-ga