
Thread: Problems with FCGI/PHP file permissions [Bug?]

Last post 06-24-2008 8:13 AM by knagis. 2 replies.


  • 06-21-2008, 2:49 PM

    • knagis
    • Not Ranked
    • Joined on 06-21-2008, 2:41 PM
    • Posts 4

    Problems with FCGI/PHP file permissions [Bug?]

    Problem: Need to disable access to a fast cgi handler for some application pools / sites.

    My solution: deny user (app pool identity) file system permissions to the executable (php-cgi.exe or php.exe for php4).

    Strange: if I deny access to the user directly to the executable, all is ok - the fast cgi fails with an unexpected error. But - if I deny access to a group that contains the user, fast cgi continues to work fine.

    Strange no.2: if the permissions to the php folder are System, Administrators - full control, users - read and execute, fast cgi works. If I remove the users group but add another that contains all the same users (and even everyone) - fast cgi fails. The user from the app pool for the site is not a member of the users group. The users group contains only Aspnet, authenticated users and interactive.

    Environment: Vista x64 SP1, PHP 5.2.6, 4.4.8.

  • 06-23-2008, 9:26 PM In reply to

    • anilr
    • Top 10 Contributor
    • Joined on 05-23-2006, 10:13 PM
    • Redmond, WA
    • Posts 1,097

    Re: Problems with FCGI/PHP file permissions [Bug?]

    First of all, the app-pool user is a member of the Users group - actually all tokens on the system are - since the Users group contains "authenticated users", which contains all tokens on the system. Also, your other symptoms seem to be related to token caching by WAS - search for FlushTokenCache regarding how to get WAS to flush cached app-pool identity tokens.

    Anil Ruia
    Senior Software Design Engineer
    IIS Core Server
  • 06-24-2008, 8:13 AM In reply to

    • knagis
    • Not Ranked
    • Joined on 06-21-2008, 2:41 PM
    • Posts 4

    Re: Problems with FCGI/PHP file permissions [Bug?]

    Yes, FlushTokenCache was a solution.

    Here is a sample: http://blogs.iis.net/mailant/archive/2007/10/02/new-api-to-avoid-restarting-iis-when-you-add-a-new-app-pool-windows-server-2008-rc0.aspx, or my version:

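    using Microsoft.Web.Administration;
    public static class ServerManagerExtensions
    {
        // Asks WAS to flush its cached app-pool identity tokens.
        public static void FlushTokenCache(this ServerManager sm)
        {
            sm.ApplicationPools.ChildElements["applicationPoolsControl"]
                .Methods["FlushTokenCache"].CreateInstance().Execute();
        }
    }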

    Just a thing to note - after flushing, the application pool has to be recycled, otherwise it will still use the old tokens.

    Now another question: is it possible to flush the tokens just for one application pool?
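
Added example, not part of the original thread or either poster's code: the full sequence the thread arrives at (deny a group on the FastCGI executable, flush the WAS token cache, recycle the pool) as one C# console program to be run elevated. The executable path, group name and pool name are placeholder assumptions.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using Microsoft.Web.Administration;

static class DenyFastCgiForPool
{
    // Placeholder values (assumptions, not taken from the thread).
    const string PhpCgiPath = @"C:\php\php-cgi.exe";
    const string DeniedGroup = @"MACHINE\NoPhpPools"; // group must already exist
    const string PoolName = "ExamplePool";            // its identity is in DeniedGroup

    static void Main()
    {
        // 1. Add a deny ACE for the group on the FastCGI executable.
        FileSecurity acl = File.GetAccessControl(PhpCgiPath);
        acl.AddAccessRule(new FileSystemAccessRule(
            DeniedGroup,
            FileSystemRights.ReadAndExecute,
            AccessControlType.Deny));
        File.SetAccessControl(PhpCgiPath, acl);

        using (ServerManager sm = new ServerManager())
        {
            // 2. Group membership is fixed in a token when it is created, so a
            //    cached app-pool token does not see the new group ACE until
            //    WAS is told to drop its cache.
            sm.ApplicationPools.ChildElements["applicationPoolsControl"]
                .Methods["FlushTokenCache"].CreateInstance().Execute();

            // 3. A running worker process keeps the token it started with,
            //    so recycle the pool to pick up a fresh one.
            ApplicationPool pool = sm.ApplicationPools[PoolName];
            if (pool == null)
                throw new InvalidOperationException("No such pool: " + PoolName);
            if (pool.State == ObjectState.Started)
                pool.Recycle();
        }
        Console.WriteLine("Deny ACE applied, token cache flushed, pool recycled.");
    }
}
```

To confirm the deny is effective, request a PHP page from a site in the pool afterwards and check that FastCGI fails for it while sites in other pools still work.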
