    #1
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2008
    Posts
    37
    Rep Power
    6

    PHP system() with access denied error in IIS7


    Hello,

    We just upgraded our webserver and we encountered this issue when using PHP to call a system command.

    OLD server setting:
    IIS6
    PHP 5.3.1
    WindowsXP

    New Server:
    IIS7
    PHP 5.4
    Windows Server 2008

    The same code was working perfectly in the old server.
    But when we moved to the new server, when PHP tried to call system(), it gives me "access Denied" error.

    Here is the PHP file test.php:
    PHP Code:
    <?php
    system('C:\Inetpub\wwwroot\vi\wotx.lnk 2>&1');
    ?>
    If I run this PHP program in command line like this:
    C:\PHP\php-cgi.exe C:\Inetpub\wwwroot\test.php
    It works perfectly.
    But if I run it from the browser, http://localhost/test.php, it shows the error "access denied".

    I have tried to change permissions for the wotx.lnk file, but somehow I could not solve the issue.

    Could you please help me with this? Thank you very much.
  2. #2
    Contributing User
    Devshed Loyal (3000 - 3499 posts)

    Join Date
    Jul 2003
    Posts
    3,232
    Rep Power
    593
    The .lnk indicates a shortcut. Changing permissions on that won't help. I suggest you call the application directly. Also you will need to look at the permissions on the application itself.
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
  4. #3
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Jun 2009
    Posts
    667
    Rep Power
    6
    With a full Windows setup, there is a bit more to look into than an Apache run. For my Windows servers, I set my stuff up to cleanly run from 2 locations. More basic/default/Windows items run from the system or system32 folder, while added third-party items run from within an 'app' folder located at my drive's root. If set up like this, permissions/locations are easier to define and configure.
  6. #4
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2008
    Posts
    37
    Rep Power
    6
    Originally Posted by gw1500se
    The .lnk indicates a shortcut. Changing permissions on that won't help. I suggest you call the application directly. Also you will need to look at the permissions on the application itself.
    Thank you very much for your reply.
    I have changed the permission on the application too.
    Here is the shortcut for wotx.lnk
    S:\MAS90\Home\pvxwin32.exe ..\LAUNCHER\SOTA.INI ..\SOA\STARTUP.M4P -ARG DIRECT UIOFF **** ***** **** **** AUTO

    I gave the same permission as wotx.lnk for pvxwin32.exe.
    The application is on a network drive, not on the webserver machine; is that going to cause a problem? Thanks.
  8. #5
    Contributing User
    Devshed Loyal (3000 - 3499 posts)

    Join Date
    Jul 2003
    Posts
    3,232
    Rep Power
    593
    Not if you call it directly. Don't use a shortcut in 'system'.
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
  10. #6
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2008
    Posts
    37
    Rep Power
    6
    Originally Posted by gw1500se
    Not if you call it directly. Don't use a shortcut in 'system'.
    Thank you very much for your reply.
    I tried to call it directly like this:
    system("\\\server-name\MAS90\Home\pvxwin32.exe ..\LAUNCHER\SOTA.INI ..\SOA\STARTUP.M4P -ARG DIRECT UIOFF **** **** **** *** AUTO 2>&1");

    But I got the error: The network name cannot be found.

    I changed the server name to the mapped network name, which is the S drive, and I got the error "the network path was not found".
    system("\\\S:\MAS90\Home\pvxwin32.exe ..\LAUNCHER\SOTA.INI ..\SOA\STARTUP.M4P -ARG DIRECT UIOFF **** **** **** *** AUTO 2>&1");

    Any help will be highly appreciated. Thanks.
  12. #7
    Contributing User
    Devshed Loyal (3000 - 3499 posts)

    Join Date
    Jul 2003
    Posts
    3,232
    Rep Power
    593
    It would appear that the user trying to access that application is not authorized to access that server. If you are using apache then you need to get the provider to authorize read access to whatever user is running apache.
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
  14. #8
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2008
    Posts
    37
    Rep Power
    6
    Originally Posted by gw1500se
    It would appear that the user trying to access that application is not authorized to access that server. If you are using apache then you need to get the provider to authorize read access to whatever user is running apache.
    I am running IIS7. I tried to modify the permission; I have given full permission for IUSR, but it still does not work. I even tried to give full permission for everyone, and it still does not work. I think there must be some setting either in IIS or PHP.
    Before the server upgrade, it worked perfectly. After we upgraded to a new server with Win2008, it stopped working.

    Do you have any suggestions? Thank you very much for your help.
  16. #9
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Jun 2009
    Posts
    667
    Rep Power
    6
    To try to make it simple, can you list the name of each server? Where are you setting permissions? If the .exe file is on server B, and you are trying to set it from A, this is not possible. (I'm not saying that directly, since there are always ways.) If you are setting Everyone to have read, execute, it should work. With the actions of pvxwin32.exe, will it require write permissions as well?
  18. #10
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2008
    Posts
    37
    Rep Power
    6
    Originally Posted by Triple_Nothing
    To try to make it simple, can you list the name of each server? Where are you setting permissions? If the .exe file is on server B, and you are trying to set it from A, this is not possible. (I'm not saying that directly, since there are always ways.) If you are setting Everyone to have read, execute, it should work. With the actions of pvxwin32.exe, will it require write permissions as well?
    Here is the structure:

    2 servers:
    Webserver
    Fileserver: is mapped as S drive in Webserver

    In Webserver
    c:/inetpub/wwwroot/vi/testrun.php: call the wotx.lnk
    c:/inetpub/wwwroot/vi/wotx.lnk: a shortcut to pvxwin32.exe in fileserver

    Fileserver:
    Fileserver/MAS90/Home/pvxwin32.exe

    When I tried to run testrun.php from browser, it got "access denied".
    But if I run the php file in command line in webserver, it works fine.

    The whole thing was working perfectly before we upgraded our webserver from winXP, IIS6, PHP 5.3 to Win2008, IIS7, PHP 5.4

    Here is my crazy permission settings just for testing
    Webserver:
    wotx.lnk: everyone Full control

    FileServer:
    pvxwin32.exe: everyone full control

    But it still does not work.
    I am not sure if it is related to some setting in IIS7.

    Thank you very much for your help.
  20. #11
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Jun 2009
    Posts
    667
    Rep Power
    6
    This is sounding odd. fileserver\Everyone has full access, so webserver\User can process everything just fine, but webserver\iis7 can't? In the end it sounds like the only difference between running via browser or via command line is merely the user, yet Everyone supposedly has access. Hmmm...

    On Fileserver/MAS90/Home/pvxwin32.exe, are all permissions set directly, or inheriting? Perhaps some inherited permissions overpower others? If inherited, remove such setting and set single user Everyone to full control.
  22. #12
    Stumpier old Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Jun 2003
    Posts
    14,409
    Rep Power
    4538
    You might want to check that the web server user account also has permissions to the windows %TEMP% directory, particularly if you're using any ODBC database drivers.

    Just a guess.
    ======
    Doug G
    ======
    It is a truism of American politics that no man who can win an election deserves to. --Trevanian, from the novel Shibumi
  24. #13
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2008
    Posts
    37
    Rep Power
    6
    Thanks for your suggestion. I just added permission for webserver account for windows/temp/, but it still does not work.

    Here is some configuration in webserver:
    Default Application Pool --> Identity is set to Mydomain\webserver
    webserver is a domain account, not a local account

    Permission setting for wotx.lnk:
    webserver@Mydomain.local full control

    Permission setting for pvxwin32.exe in fileserver:
    webserver@Mydomain.local full control

    Any help will be highly appreciated. Thanks.
  26. #14
    Contributing User
    Devshed Loyal (3000 - 3499 posts)

    Join Date
    Jul 2003
    Posts
    3,232
    Rep Power
    593
    While there may be some Windows gurus here that might help I think this thread has gone beyond the scope of this forum. You might get better answers by posting this problem on a Windows forum now that you have a better handle on where the problem lies.
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
  28. #15
    Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Jun 2009
    Posts
    667
    Rep Power
    6
    Just curious. Your user you are assigning is webserver\webserver? I can see this processing as a local account, allowing you to run this script logged in as a user. I HIGHLY doubt this is the user running your IIS or whatever may be making the file call via a browser...

    Maybe check out your php.exe and match permissions since your server has correct access to that executable?
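
A diagnostic for the question raised in posts #11 and #15 (which account actually makes the call when the request comes from the browser), added here as an example and not posted by anyone in the thread. It reports the process identity, temp-directory write access (post #12) and whether the executable is reachable by UNC path and by the mapped S: path; `fileserver` is a placeholder host name, the paths are taken from the posts above.

```php
<?php
// Added diagnostic, not from the thread. Request it once through IIS
// (browser) and run it once with php-cgi.exe on the command line, then
// compare the two outputs line by line.
$unc   = '\\\\fileserver\\MAS90\\Home\\pvxwin32.exe'; // placeholder host name
$drive = 'S:\\MAS90\\Home\\pvxwin32.exe';             // mapped-drive form from the thread

function report($label, $value) {
    echo str_pad($label, 28) . ': ' . $value . PHP_EOL;
}

function yesno($b) {
    return $b ? 'yes' : 'NO';
}

// Open the file for reading: this exercises the real ACL and share checks,
// unlike is_readable()/is_writable(), which are unreliable on Windows.
function can_read($path) {
    $h = @fopen($path, 'rb');
    if ($h === false) {
        return false;
    }
    fclose($h);
    return true;
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
report('SAPI', PHP_SAPI);

// whoami shows the account the PHP process runs as. get_current_user()
// is not used because it returns the owner of the script file instead.
$out = array();
$rc  = -1;
@exec('whoami 2>&1', $out, $rc);
report('Process identity', $rc === 0 ? implode(' ', $out) : "exec failed (rc=$rc)");
report('USERNAME env', getenv('USERNAME') ?: '(unset)');

// Temp directory: attempt a real write, then clean up.
$tmp   = sys_get_temp_dir();
$probe = $tmp . DIRECTORY_SEPARATOR . 'probe_' . getmypid() . '.tmp';
$ok    = @file_put_contents($probe, 'x') !== false;
if ($ok) {
    @unlink($probe);
}
report('Temp dir', $tmp);
report('Temp dir writable', yesno($ok));

foreach (array('UNC path' => $unc, 'Mapped drive path' => $drive) as $label => $p) {
    report("$label readable", yesno(can_read($p)) . "  ($p)");
}
```

Drive letters are mapped per logon session, so a path that opens in the command-line run can still fail in the browser run when the two identities differ.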