ID: 41768 Updated by: [EMAIL PROTECTED] Reported By: aheckmann at m-s dot de -Status: Open +Status: Bogus Bug Type: IIS related Operating System: Windows 2000 / IIS PHP Version: 5.2.3 New Comment:
Sorry, but your problem does not imply a bug in PHP itself. For a list of more appropriate places to ask for help using PHP, please visit http://www.php.net/support.php as this bug system is not the appropriate forum for asking support questions. Due to the volume of reports we can not explain in detail here why your report is not a bug. The support channels will be able to provide an explanation for you. Thank you for your interest in PHP. Please report this to Zend. PHP doesn't know about things like a "impersonated security context". Previous Comments: ------------------------------------------------------------------------ [2007-06-21 18:16:25] aheckmann at m-s dot de Description: ------------ I run php as fastcgi on Win2000 / IIS with Zend Enabler (FASTCGI-Handler). The Webserver uses impersonation for its virtual hosts, the worker process is running as user IWAM_SERVERNAME the scripts (.asp/.php) impersonate to the security context of user IUSR_SERVERNAME. In fastcgi.conf (for ZendEnabler) Impersonate="1" is set, in php.ini fcgi.impersonate=1 is set. So the php scripts now also use the impersonated security context. (As expected.) But if I start a external process (Imagemagick) with exec(),passthru(),popen() or proc_open() this external process uses the default security context in my example the user IWAM_SERVERNAME. So all the permissions set for the virtual host user (IUSR_SERVERNAME) do not work for the external process because it runs as IWAM_SERVERNAME and so I get a permission denied. As I understand this is the default behaviour in windows process modell when creating a new process with WinApi-function CreateProcess(). In my opinion it would be better to use CreateProcessAsUser() in php so the new Process will also use the impersonated SecurityContext. (when php.ini fcgi.impersonate=1 is set) I think this feature would be very useful to keep security in virtual hosting environments on IIS high (seperate permissions for virtual hosts), with the upcoming Microsoft-FCGI-ISAP-Handler the IIS installations with PHP will surely raise and this feature will become much more relevant. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=41768&edit=1
