Security first, creating & deleting files on server *without* 777 permissions in classic ASP

Posted on 2010-01-07
Last Modified: 2013-12-02
Attached is code I use in my sites for creating, updating and deleting a file/folder. I need to know how I can run these scripts to a folder on a server (shared server, I cannot mod server settings) without having 777 as my folder/file permissions. The host is The Rackspace Cloud (formerly Mosso) if that helps. Details of hybrid servers then run etc can be found at:

Can anyone tell me what permission to use that will be secure to hacks/injection but run all this code please? I need the websites to be fully viewable by website visitors. These scripts will only be ran by admins logged in to a secure backend.

' Create a folder example

Set fso = CreateObject("Scripting.FileSystemObject")

  fso.CreateFolder(Application("ServerRoot") & "myNewFolder")

Set fso = Nothing

' Modify a file

Const ForReading = 1 : Const ForWriting = 2

Set objFSO = CreateObject("Scripting.FileSystemObject")

Set objFile = objFSO.OpenTextFile(Application("ServerRoot") & "myNewFolder\index.asp", ForReading)

strText = objFile.ReadAll


strNewText = Replace(strText, "ReplaceThisLine","WithThis")

Set objFile = objFSO.OpenTextFile(Application("ServerRoot") & "myNewFolder\index.asp", ForWriting)

objFile.WriteLine strNewText


Set objFSO = Nothing

' Delete a file

Set fso = CreateObject("Scripting.FileSystemObject")

fso.DeleteFile(Application("ServerRoot") & "myNewFolder/index.asp")

Set fso = Nothing

' Copy a file

Set f2 = fso.GetFile(Application("ServerRoot") & "myNewFolder\pageTemplate.asp")

f2.Copy (Application("ServerRoot") & "myNewFolder\index.asp")

Set f2 = nothing

Set fso = nothing

Open in new window

Question by:tobzzz
    LVL 29

    Expert Comment

    744 would give owner full permissions, group and others read permissions. Or if it is strictly private to admins: 700 would give owner full permissions and all others no access.

    For reference, in case you need to try other permissions see:

    LVL 11

    Author Comment

    thanks rdivilbiss but 744 just doesn't allow me to run my code. "Permission denied" errors. I believe this is because anyone running scripts is set as user = "PCUSER", whereas when I upload files via FTP, the user = "MYNAME". The hosting company is saying "absolutely do not use 777 under any circumstances" but I cannot run any of my code/sites without that! What can I do?
    LVL 11

    Author Comment

    I believe my hosting co. have Perists ASPupload, could I use impersonation to do it? How would I apply this to my code if so? Is there any other way?
    LVL 11

    Accepted Solution

    I've worked on this for an afternoon now - it seems ASPupload impersonation is the only way to:
    Create folder
    Delete folder
    Delete file

    It requires different code in places if I want 744 permission (full RWX for owner and just R for groups and Public. Otherwise I will just get permissions errors.

    I will provide the code to do it for anyone else to learn from and close the question. Although I don't feel rdivilbiss answers the question, the link and info he provides is useful, so thank you rdivilbiss.
    ' Set fso to Persits.Upload, not FileSystemObject
    Set fso = Server.CreateObject("Persits.Upload")
      ' Add login details for impersonation (I leave "domain" blank)
      fso.LogonUser "domain", "ownerNameHere", "passwordHere"
      ' Create a folder (false means folders won't be replaced if exist)
      fso.CreateDirectory ServerRoot & "myNewFolder", False
      ' Delete a file
      fso.DeleteFile ServerRoot & "myNewFolder\test.txt"
      ' Delete a folder
      fso.RemoveDirectory ServerRoot & "myNewFolder"
    Set fso = Nothing
    ' Note: copying a file and modifying a line in it can be done the usual way as per my code in original question on 744 permissions.

    Open in new window


    Featured Post

    How to improve team productivity

    Quip adds documents, spreadsheets, and tasklists to your Slack experience
    - Elevate ideas to Quip docs
    - Share Quip docs in Slack
    - Get notified of changes to your docs
    - Available on iOS/Android/Desktop/Web
    - Online/Offline

    Join & Write a Comment

    Suggested Solutions

    Title # Comments Views Activity
    good comptia a+ teacher? 4 51
    Sonicwall Scheduling 4 16
    recover cisco router password 5 22
    Using querystring in a hyperlink 3 9
    #Citrix #Citrix Netscaler #HTTP Compression #Load Balance
    PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
    The viewer will learn how to count occurrences of each item in an array.
    The viewer will learn the basics of jQuery including how to code hide show and toggles. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery…

    728 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    18 Experts available now in Live!

    Get 1:1 Help Now