• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 437
  • Last Modified:

Security first, creating & deleting files on server *without* 777 permissions in classic ASP

Attached is code I use in my sites for creating, updating and deleting a file/folder. I need to know how I can run these scripts to a folder on a server (shared server, I cannot mod server settings) without having 777 as my folder/file permissions. The host is The Rackspace Cloud (formerly Mosso) if that helps. Details of hybrid servers then run etc can be found at:

Can anyone tell me what permission to use that will be secure to hacks/injection but run all this code please? I need the websites to be fully viewable by website visitors. These scripts will only be ran by admins logged in to a secure backend.

' Create a folder example
Set fso = CreateObject("Scripting.FileSystemObject")
  fso.CreateFolder(Application("ServerRoot") & "myNewFolder")
Set fso = Nothing

' Modify a file
Const ForReading = 1 : Const ForWriting = 2
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(Application("ServerRoot") & "myNewFolder\index.asp", ForReading)
strText = objFile.ReadAll
strNewText = Replace(strText, "ReplaceThisLine","WithThis")
Set objFile = objFSO.OpenTextFile(Application("ServerRoot") & "myNewFolder\index.asp", ForWriting)
objFile.WriteLine strNewText
Set objFSO = Nothing

' Delete a file
Set fso = CreateObject("Scripting.FileSystemObject")
fso.DeleteFile(Application("ServerRoot") & "myNewFolder/index.asp")
Set fso = Nothing

' Copy a file
Set f2 = fso.GetFile(Application("ServerRoot") & "myNewFolder\pageTemplate.asp")
f2.Copy (Application("ServerRoot") & "myNewFolder\index.asp")
Set f2 = nothing
Set fso = nothing

Open in new window

  • 3
1 Solution
744 would give owner full permissions, group and others read permissions. Or if it is strictly private to admins: 700 would give owner full permissions and all others no access.

For reference, in case you need to try other permissions see: http://www.zzee.com/solutions/unix-permissions.shtml

tobzzzAuthor Commented:
thanks rdivilbiss but 744 just doesn't allow me to run my code. "Permission denied" errors. I believe this is because anyone running scripts is set as user = "PCUSER", whereas when I upload files via FTP, the user = "MYNAME". The hosting company is saying "absolutely do not use 777 under any circumstances" but I cannot run any of my code/sites without that! What can I do?
tobzzzAuthor Commented:
I believe my hosting co. have Perists ASPupload, could I use impersonation to do it? How would I apply this to my code if so? Is there any other way?
tobzzzAuthor Commented:
I've worked on this for an afternoon now - it seems ASPupload impersonation is the only way to:
Create folder
Delete folder
Delete file

It requires different code in places if I want 744 permission (full RWX for owner and just R for groups and Public. Otherwise I will just get permissions errors.

I will provide the code to do it for anyone else to learn from and close the question. Although I don't feel rdivilbiss answers the question, the link and info he provides is useful, so thank you rdivilbiss.
' Set fso to Persits.Upload, not FileSystemObject
Set fso = Server.CreateObject("Persits.Upload")
  ' Add login details for impersonation (I leave "domain" blank)
  fso.LogonUser "domain", "ownerNameHere", "passwordHere"
  ' Create a folder (false means folders won't be replaced if exist)
  fso.CreateDirectory ServerRoot & "myNewFolder", False
  ' Delete a file
  fso.DeleteFile ServerRoot & "myNewFolder\test.txt"
  ' Delete a folder
  fso.RemoveDirectory ServerRoot & "myNewFolder"
Set fso = Nothing

' Note: copying a file and modifying a line in it can be done the usual way as per my code in original question on 744 permissions.

Open in new window


Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now