|
|
Posted by FrobinRobin on 03/07/06 13:10
Hi James,
What version of IIS are you using? What is HCPanel? Plus you are
missing code from this post so we dont know how you are authenticating.
Are you using PHP to send http authentication headers to authenticate
the required IIS permissions? (That is probably what I would do)
Does that user have permissions across all site folders?
My first suggestions would be to check the IIS permissions, IIS 6.0
creates three accounts on the local server when it is initally
installed IUSR, IWAM and WPG.
Only when you apply the permission in IIS, will the folder ACL be
changed (by IIS).
Also, it looks like you are using require(), try include() because it
doesnt halt on error?
Good luck
- Robin
James Beilby wrote:
> Hello people,
>
> It's been a long time since I've asked any techie questions on Usenet but I
> am under pressure to finish a project and the following issue has me
> stumped. I appreciate that it's a bit long-winded but I'd be much obliged if
> anyone could shed any light...
>
> I am currently developing a PHP-based site for a client on IIS. It might be
> worth pointing out here that, from a Linux background, I am no expert on IIS
> or NTFS permissions.
>
> The site includes an /admin/ folder that I wish to secure with a password.
> The contents of this folder includes non-web files that I wish to protect,
> so application-level password protection implemented in PHP is not suitable.
> To secure the folder at the IIS/NTFS level, I enabled a "WWW Password" in a
> web control panel (HCPanel) for the admin folder. Am I right in thinking
> that this would probably create an IUSR account on the server, and modify
> the admin folder's ACL to restrict access to this account only?
>
> Anyway, this works great for static content and some PHP files, but I have
> come across the following issue...
>
> When a PHP file in the protected area (e.g. /admin/index.php) tries to
> include() or require() a PHP file outside that protected area (e.g.
> /include/config.php), an error occurs:
>
> Warning: main(../include/config.php) [function.main]: failed to create
> stream: No such file or directory in
> c:\websites\clientusername\clientdomain.com\admin\index.php on line 3
> Fatal error: main() [function.main]: Failed opening required
> '../include/config.php' (include_path='.;c:\php4\pear') in
> c:\websites\clientusername\clientdomain.com\admin\index.php on line 3
>
> This occurs only when the admin area is protected; removing the protection
> allows the script to run normally. Changing '../include/config.php' to an
> absolute path changes the first error to a "Permission Denied" warning.
>
> To me, it's logical that /include/config.php might not be able to include
> /admin/index.php as it does not have permissions, but why does the
> 'priviledged' user /admin/index.php not have access to /include/config.php?
>
> I recognise that there are ways to work around this e.g. creating a copy of
> the included files under the admin folder, or resorting to application-level
> password protection, but I'd hope that there is a more elegant resolution.
>
> Many thanks,
>
> James Beilby
Navigation:
[Reply to this message]
|