FileIOPermission CreateDirectory does not work as expected

  • Question

  • User-1092336522 posted

    There appears to be a recent issue with how CreateDirectory resolves FileIOPermission that is causing issues on our server.
    Reading through some similar posts on the issue there is a lot of misinformation being given out, so I am hoping to get some kind of clarification.

    Given the following setup:

    1. Windows Server 2003 SP2 running IIS6 with latest version of .NET Framework 3.5 SP1 fully patched

    2. A web site created under IIS6 running under Medium Trust and with the Network Service user being given Full Control over the virtual directory.

    3. Running System.IO.Directory.CreateDirectory with the following code:

    System.IO.Directory.CreateDirectory(Server.MapPath("~/testfolder"))

    4. Fails with:

    [SecurityException: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.]
       System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet) +0
       System.Security.CodeAccessPermission.Demand() +58
       System.IO.Directory.InternalCreateDirectory(String fullPath, String path, DirectorySecurity dirSecurity) +595
    

    It appears CreateDirectory is breaking the permissions somehow, as the medium trust rules are as follows:

     <IPermission version="1" Read="$AppDir$" Write="$AppDir$" Append="$AppDir$" PathDiscovery="$AppDir$"/>

    These rules all point to being able to create directories within the virtual directory/application folder. In fact I am certain this has worked in the past, but recently has stopped working.
    Note that this is not an NTFS permissions issue: files can be written, read and deleted in the virtual directory; only CreateDirectory is restricted somehow.

    So what is going on, has a recent security update changed this functionality so that Medium Trust no longer has the ability to create directories?

    Thanks,

    Martin

    Wednesday, October 13, 2010 2:39 AM

Answers

  • User-1092336522 posted

    I have figured out my own solution for anyone else that has similar issues.

    The cause is the way the CreateDirectory function checks to see if folders exist before creating the folder in the virtual directory.
    It needs special ACL permissions on the root drive (i.e. C:\ or D:\) in order to work correctly under medium trust.
    These permissions are sometimes removed by system administrators during the process of locking down a machine.

    To set these up again the following permissions are required:

    1. Under the security tab for the drive click Advanced.
    2. Click Add and type in Everyone as the user
    3. IMPORTANT: Change the Apply to: to "This folder only"
    4. Tick Traverse Folder / Execute File, List Folder / Read Data, Read Attributes, Read Extended Attributes, Read Permissions

    For greater security the Everyone user could be replaced by the Application Pool Identity.



     

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, October 14, 2010 2:07 AM
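
    The ACE described in the answer above, scripted as an added example that is not part of the original thread: it audits the drive root for the five rights listed in step 4 and, with -Apply, grants them for "This folder only" to the application pool identity instead of Everyone. The drive letter D:\ and NETWORK SERVICE as the pool identity are assumptions based on the setup in the question.

```powershell
# Added example, not from the original thread. Run from an elevated Windows PowerShell session.
# Assumptions: drive root D:\ and NETWORK SERVICE as the application pool identity.
param([string]$Root = 'D:\', [switch]$Apply)

# The five rights listed in step 4 of the answer (together they equal ReadAndExecute).
$needed = [System.Security.AccessControl.FileSystemRights]'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, ReadPermissions'

# Resolve NETWORK SERVICE by well-known SID so the script does not depend on the OS language.
$wellKnown = [System.Security.Principal.WellKnownSidType]::NetworkServiceSid
$target    = New-Object System.Security.Principal.SecurityIdentifier($wellKnown, $null)

# Collect what explicit Allow ACEs for that SID already grant on the root folder itself.
# ACEs flagged InheritOnly (value 2) apply to children only, so they are skipped.
# Simplification: rights obtained through group ACEs and Deny ACEs are not evaluated.
$acl     = Get-Acl -Path $Root
$granted = 0
foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
    $appliesHere = ([int]$rule.PropagationFlags -band 2) -eq 0
    if ($rule.IdentityReference.Value -eq $target.Value -and
        $rule.AccessControlType -eq 'Allow' -and $appliesHere) {
        $granted = $granted -bor [int]$rule.FileSystemRights
    }
}
$missing = [int]$needed -band (-bnot $granted)

if ($missing -eq 0) {
    "OK: $($target.Value) already holds the required rights on $Root"
}
elseif (-not $Apply) {
    "MISSING on ${Root}: $([System.Security.AccessControl.FileSystemRights]$missing) (re-run with -Apply to grant)"
}
else {
    # InheritanceFlags None + PropagationFlags None is the GUI's "This folder only".
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule($target, $needed, 'None', 'None', 'Allow')
    $acl.AddAccessRule($ace)
    Set-Acl -Path $Root -AclObject $acl
    "Granted $needed to $($target.Value) on $Root (this folder only)"
}
```

    Run without -Apply first: the audit-only pass changes nothing and reports which of the five rights the identity lacks on the root.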

All replies

  • User1776103803 posted

    Wow! But CreateDirectory works fine when using ASP.NET 4.0 in Medium Trust without the need to add any special ACL permissions on the root drive!

    What is going on? Is this an ASP.NET 2.0 bug?

    Maciej

    Sunday, October 17, 2010 12:49 PM
  • User1776103803 posted

     Hello martin07,


    Don’t you think that adding on the root folder any other permission than Admin and System is dangerous on a web server?
    How could you suggest such a workaround????
    Any MVP to comment on this 'solution'???

    Maciej

    Monday, November 15, 2010 6:08 AM
  • User-1092336522 posted

    The permissions suggested in my solution are already installed on each drive on a default Windows Server install so they must be necessary for some reason.
    All other directories on a drive can be fully locked down, but the root directory requires these special permissions in order for CreateDirectory to work in Medium Trust.

    If you remove all default permissions from the root drive does ASP.NET 4.0 still work?

     

     

     

    Monday, November 15, 2010 6:28 AM
  • User1776103803 posted

    Martin,


    As I see you didn’t understand me.
    On the root folder of my server I granted the permission to Administrator and System only.
    CreateDirectory method works well under ASP.NET 4.0 but not under ASP.NET 2.0.

    Maciej 

    Monday, November 15, 2010 7:46 AM
  • User1776103803 posted

    Martin,

    I followed your ‘solution’:

    1. Under the security tab for the drive click Advanced.
    2. Click Add and type in Everyone as the user
    3. IMPORTANT: Change the Apply to: to "This folder only"
    4. Tick Traverse Folder / Execute File, List Folder / Read Data, Read Attributes, Read Extended Attributes, Read Permissions

    And I am still not able to create a directory in the application folder in Medium Trust using ASP.NET 2.0 (it works well for ASP.NET 4.0).

    Could somebody help me, please?

    What should be done in order to be able to create a directory in Medium Trust for ASP.NET 2.0?

    Regards,

    Maciej

    Thursday, December 23, 2010 2:33 AM