In IIS7 they solved the problem that even when many worker processes run under one account, they still CANNOT read each other's protected files. So web apps can be isolated DESPITE running under a single account (even if that is not the recommended configuration for hosters). But how on earth? I didn't know until now, but I have found the answer: the Service SID.
“Service SIDs protect access to resources owned by a particular service, but by default services still have access to all the objects that the user account in which they run can access. For example, a service running in the Local Service account might not be able to access resources created by another service running as Local Service in a different process that has protected its objects with permissions referencing a service SID, however, it can still read and write any objects to which Local Service (and any groups to which Local Service belongs, like the Service group) has permissions.
Windows Vista therefore introduces a new restricted service type called a write-restricted service that permits a service write access only to objects accessible to its service SID, the Everyone group, and the SID assigned to the logon session. To accomplish this, it uses restricted SIDs, a SID type introduced back in Windows 2000. When the process opening an object is a write-restricted service, the access-check algorithm changes so that a SID that has not been assigned to a process in both restricted and unrestricted forms cannot be used to grant the process write access to an object. ”
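The access-check change the quoted passage describes is easier to see in a small model. The Python below is an added example, not code from the original post: it derives a service's SID the way Windows does (SHA-1 of the upper-cased UTF-16LE service name, split into five sub-authorities under S-1-5-80) and then simulates a DACL walk for a normal token and for a write-restricted token of the same service. The well-known SIDs and the SID derivation are real; the service names SvcA and SvcB, the logon-session SID and the two-bit access mask are constructed for illustration, and the DACL walk is a simplification of the real algorithm.

```python
"""Service SIDs and the write-restricted access check, as a simplified model."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

# Well-known SIDs (real values) referenced in the scenario below
LOCAL_SERVICE = "S-1-5-19"
SERVICE_GROUP = "S-1-5-6"
EVERYONE = "S-1-1-0"

# Two simplified access rights; real access masks are 32-bit with many bits
READ = 0x1
WRITE = 0x2


def service_sid(service_name: str) -> str:
    """NT SERVICE\\<name>: S-1-5-80 followed by the SHA-1 of the upper-cased,
    UTF-16LE-encoded service name split into five little-endian 32-bit
    sub-authorities. This is how Windows derives per-service SIDs."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    return "S-1-5-80-" + "-".join(str(s) for s in struct.unpack("<5I", digest))


@dataclass
class Ace:
    sid: str
    mask: int
    allow: bool = True


@dataclass
class Token:
    sids: list                          # user + group SIDs, all enabled
    restricted: Optional[list] = None   # restricting SIDs; None = normal token


def _granted(dacl, sids, desired):
    """One pass over the DACL: access bits granted to any SID in `sids`.
    A deny ACE matching any desired bit fails the whole pass (None)."""
    granted = 0
    for ace in dacl:
        if ace.sid not in sids:
            continue
        if not ace.allow:
            if ace.mask & desired:
                return None
            continue
        granted |= ace.mask
        if granted & desired == desired:
            break
    return granted


def access_check(token: Token, dacl, desired: int) -> bool:
    """Normal tokens use one pass. For a write-restricted token a SID may
    grant WRITE only if it appears in both the normal and the restricting
    list; READ is decided by the normal pass alone (simplified model)."""
    normal = _granted(dacl, set(token.sids), desired)
    if normal is None:
        return False
    if token.restricted is None:
        return (normal & desired) == desired
    limited = _granted(dacl, set(token.restricted), desired)
    if limited is None:
        return False
    granted = normal & (limited | ~WRITE)   # keep WRITE only if both passes grant it
    return (granted & desired) == desired


def scenario() -> dict:
    """Two services (constructed names) both running as Local Service."""
    svc_a = service_sid("SvcA")
    svc_b = service_sid("SvcB")
    logon = "S-1-5-5-0-12345"           # constructed logon-session SID
    base = [LOCAL_SERVICE, SERVICE_GROUP, EVERYONE, logon, svc_a]
    normal_a = Token(sids=base)
    restricted_a = Token(sids=base, restricted=[svc_a, EVERYONE, logon])

    # SvcB's object: references SvcB's service SID, but Local Service keeps its rights
    shared = [Ace(svc_b, READ | WRITE), Ace(LOCAL_SERVICE, READ | WRITE)]
    # SvcB's object locked down to its own service SID only
    private = [Ace(svc_b, READ | WRITE)]
    # SvcA's own object, protected by SvcA's service SID
    own = [Ace(svc_a, READ | WRITE)]

    return {
        "normal_reads_shared": access_check(normal_a, shared, READ),
        "normal_writes_shared": access_check(normal_a, shared, WRITE),
        "restricted_reads_shared": access_check(restricted_a, shared, READ),
        "restricted_writes_shared": access_check(restricted_a, shared, WRITE),
        "restricted_reads_private": access_check(restricted_a, private, READ),
        "restricted_writes_own": access_check(restricted_a, own, WRITE),
    }


if __name__ == "__main__":
    print(service_sid("TrustedInstaller"))
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```

The unrestricted token can read and write SvcB's object through the Local Service ACE; the write-restricted token can still read it but no longer write it, can do nothing with an object that references only SvcB's service SID, and can still write its own objects. On a real system the service SID type is set with `sc.exe sidtype <service> restricted` (or `unrestricted`) and queried with `sc.exe qsidtype <service>`, and the SID can be referenced in an ACL as `NT SERVICE\<service>`, for example `icacls <path> /grant "NT SERVICE\<service>:(R)"`.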
The only thing I don't get yet is how this is used for IIS worker processes, since those are not services. If I ever find the answer, I'll write it up.
Comments (1)

Yep, the Service SID is a good thing, for one because it lets services be identified and controlled in the firewall as well.