The environment is Windows 2008 R2, ASP.NET 4, IIS 7. I have a scenario where a user submits some settings to the server, and the server generates a file based on the settings (either a bitmap or an SVG file) and saves the file into a folder. The image is generated by writing a bitmap and the SVG file is generated by using File.WriteAllText. The user is then redirected to that file.
What I did not expect is that the server was able to create the file without me giving write permissions to the folder. Things I checked:
- w3wp.exe is running under the IIS AppPool/MyUser, the correct app pool identity
- IIS AppPool/MyUser has read permissions to the folder — if I go to Security/Advanced/Effective Permissions and check the permissions for MyUser on the folder, I get List Folder/Read Data, Read attributes, Read extended attributes and Read permissions
- If I grab System.Security.Principal.WindowsIdentity.GetCurrent().Name right before the file is written, it’s correctly set to the application pool identity.
- The created file’s owner is MyUser
What I don’t understand is why ASP.NET can create a file in a folder to which the application pool has read-only access?
Turns out the Users group had Special permissions of Create File on the folder. Not sure why that is added by default in Windows 2008 — on all my server boxes, new folders are created with Users having Special permissions of Create Files and some others. The behavior is different on Windows 7 — no special permissions are added to the Users group.
Anyway, removing that permission addressed the issue.
Thanks.
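An added PowerShell example, not from the original post, that shows how to see the ACEs behind the Explorer "Special permissions" entry and remove the inherited create-files grant for Users on one folder. The point it illustrates is that the grant reaches the application pool identity through BUILTIN\Users (every interactive or service logon token carries Authenticated Users, which is a member of Users by default), not through an ACE naming IIS AppPool\MyUser, so a check that only looks for the pool identity by name will not find it. The folder path is an assumption for illustration; the optional explicit grant at the end goes beyond what the post did and is left commented out.

```powershell
# Added example (not from the original post): list the Allow ACEs on a folder that
# carry "Create files" or "Create folders", then break inheritance and remove the
# ones that apply to BUILTIN\Users. Folder path and app pool name are assumptions.
$Folder  = 'C:\inetpub\wwwroot\MyApp\Generated'
$AppPool = 'IIS AppPool\MyUser'

# CreateFiles is "Create files / write data"; CreateDirectories is
# "Create folders / append data". Either one lets a caller add content.
$createBits = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
              [System.Security.AccessControl.FileSystemRights]::CreateDirectories

function Show-WriteGrants([string]$Path) {
    # Every Allow ACE that includes a create right, with whether it was inherited.
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $createBits) -ne 0)
        } |
        Select-Object IdentityReference, IsInherited, InheritanceFlags, FileSystemRights
}

Write-Host "Before:"
Show-WriteGrants $Folder | Format-Table -AutoSize

# The Users ACE on a new folder is inherited from the parent, so it cannot be
# removed directly. Stop inheriting, but copy the inherited ACEs as explicit ones
# so nothing else (Administrators, SYSTEM, ...) is lost in the process.
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Folder -AclObject $acl

# Reload so the copied ACEs now show IsInherited = False and can be removed.
$acl = Get-Acl -Path $Folder

# BUILTIN\Users is a well-known SID; comparing SIDs avoids localized group names.
$usersSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'
$acl.Access |
    Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $usersSid -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $createBits) -ne 0)
    } |
    ForEach-Object { [void]$acl.RemoveAccessRuleSpecific($_) }

# Optional (not what the post did): grant write rights only to the pool identity,
# so the application can still create its bitmap/SVG output.
# $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
#     $AppPool, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
# $acl.AddAccessRule($rule)

Set-Acl -Path $Folder -AclObject $acl

Write-Host "After:"
Show-WriteGrants $Folder | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the server; the "Before" listing should show a BUILTIN\Users entry with IsInherited set to True and FileSystemRights containing CreateFiles, and the "After" listing should no longer include it. Because the script breaks inheritance on the folder, later permission changes on the parent will not flow down to it, which is the intended effect here but worth recording.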