Running command from ASP.NET App Pool Identity

Question

I am running an executable process from my ASP.NET application when a user clicks a button. This process creates several files and serves them up to the end-user. I can't really see what the process is or isn't doing, but it didn't work until I specified the admin user as the application pool identity on the server. I am using IIS7.

 using (var proc = new Process())
 {
    proc.StartInfo.FileName = Server.MapPath("~/Testing/Demo/MyExe.exe");
    proc.StartInfo.Arguments = String.Format("\"{0}\"", commandFilePath);
    proc.StartInfo.UseShellExecute = true;
    proc.Start();
    proc.WaitForExit();
 }

I'm assuming that this is generally a bad thing to do. Can you give me insight into what needs to be done in order to enable this for the normal ApplicationPoolIdentity account?

Thanks!

Answer 1

Thank you all for your help. All I needed to do was set the StartInfo.WorkingDirectory to somewhere that I was able to write.

        using (var proc = new Process())
        {
            proc.StartInfo.FileName = Server.MapPath("~/Testing/Demo/MyEXE.exe");
            proc.StartInfo.Arguments = String.Format("\"{0}\"", commandFile);
            proc.StartInfo.WorkingDirectory = savePath;
            proc.Start();
            proc.WaitForExit();
        }

This causes the temp files to be written to a non-system folder and thus does not need any elevated permissions for the application pool.

Answer 2

First of all, why you need the Shell to execute it ? Isn't a console application - do you open any window ?

Second you need to redirect the input and the output.

And final, what you need to do, is to place on the directory that your script runs, permission for the user under witch your pool is run. And remove the Admin from your pool.

proc.StartInfo.UseShellExecute = false;
proc.StartInfo.CreateNoWindow = false;
proc.StartInfo.RedirectStandardError = true;
proc.StartInfo.RedirectStandardOutput = true;
proc.StartInfo.RedirectStandardInput = true;

proc.Start();

proc.StandardInput.Flush();
proc.StandardInput.Close();

proc.WaitForExit();
proc.Close();

So for example, if you add your pool to run under the UserA, then go to your directory that your program runs and add permission for the UserA to been able to execute programs on that directory. If your program also use other directories to read and write, also add permission to the UserA for that ones.

I can't really see what the process is or isn't doing

You can take a look if you use on the server the Process Explorer and see if its runs, if its close, if its stop but stay there.

Answer 3

It is likely a file/execution permissions issue. Try granting execute permissions to the ApplicationPoolIdentity to ~/Testing/Dema/MyExe.exe and read permissions to commandFilePath. You mentioned that your process creates files. You will need to grant either modify or full control permissions to the ApplicationPoolIdentity on the folder where the files will be created. Here is a matrixed list of permissions.

See assign permissions to ApplicationPoolIdentity account for information on granting permissions.

The security event log should capture permission denied errors. Check there to see if you have access permission issues. The System and application logs might also contain information on the problem.

Process Explorer can also show File Access requests. Here is a technet article on troubleshooting with Process Explorer.

Answer 4

Whenever you run any process from an ASP.NET page, it runs under the security context of the worker process, the privilege of your app pool account. It is not like you normally running the MyExe.exe, in that case it will run using logged in account. It is because of this, your code worked when you gave Admin account to app pool.

There are many ways to solve this issue.

One of the easiest would be to change your app pool identity to Network Service and add the Network Service to permissions of the folders in which the MyExe.exe will be accessing files form.

Hope it helps.