aspnet/DataProtection

PersistKeysToFileSystem requires read access to every folder in the folder hierarchy

Closed this issue · 2 comments

Title

PersistKeysToFileSystem requires read access to every folder in the folder hierarchy

Functional impact

No functionality impact but makes securing the web server painful and is not "secure by default". High potential for people to open up access too far. Services should only require the minimum rights to perform their task.

Minimal repro steps

  1. Create a folder d:\Data\SharedConfig\DataProtection\AppName
  2. Grant write access to this specific folder for the "IIS AppPools\AppName" identity
  3. Spin up the web site.

Expected result

I would expect the site to access the folder directly without requiring access to parent folders.

Actual result

Log shows "System.UnauthorizedAccessException: Access to the path 'd:\Data\SharedConfig\DataProtection\AppName\794a2410-c4e1-43c2-9e31-0867c8dd6cb7.tmp' is denied."

Further technical details

Workaround is to grant read access to every parent folder for the "IIS AppPools\AppName" identity. This means adding an ACL entry for d:, Data, SharedConfig and DataProtection folders. Obviously we don't want the identity to be able to access other folders such as the DataProtection keys for other sites so inheritance must be removed for each folder.

This is only for a single site so imagine the mess for 10 or 100 sites?

Direct access to a folder without parent access works fine with a simple C# console app. The example below will succeed without permission to the parent folder. Accessing the parent folder directly will result in an exception.

    using System;
    using System.IO;

    // Enumerate the child folder directly, without touching the parent.
    var folder = new DirectoryInfo(@"C:\Temp\parent\child");
    Console.WriteLine(folder.Exists);
    foreach (var file in folder.EnumerateFiles())
        Console.WriteLine(file.Name);

@kiwiant I'm trying to repro using the steps you've provided but have not succeeded in producing the same error. I'm using DataProtection 1.1.1. Can you tell me if this setup matches what you are seeing?

    services.AddDataProtection()
        .PersistKeysToFileSystem(new DirectoryInfo(@"C:\Data\WebSite\keys"));

ACL

- C:\            
  - data          IIS APPPool\dataprotection - Deny all permissions   
     - WebSite    (Inherited)
       - keys     IIS APPPool\dataprotection - Read, write, modify   (No inheritance)

OS Windows 10 x64 Creators Update
IIS 10
.NET Core 1.1.1
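
The ACL layout on the keys folder from the repro attempt above, written as a PowerShell script. This is an added example, not code from the issue or from the DataProtection project. The path and identity are the ones quoted in that comment; it assumes an elevated prompt and that the app pool already exists so the identity resolves.

```powershell
# Added example: scope an app pool identity to the key folder only.
param(
    [string]$KeyPath  = 'C:\Data\WebSite\keys',        # path from the comment above
    [string]$Identity = 'IIS APPPool\dataprotection'   # identity from the comment above
)

New-Item -ItemType Directory -Path $KeyPath -Force | Out-Null

# Step 1: stop inheriting from the parent folders. $true, $true keeps the
# previously inherited entries as explicit ones so administrators retain access.
$acl = Get-Acl -Path $KeyPath
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $KeyPath -AclObject $acl

# Step 2: re-read the ACL so the converted entries are visible, drop anything
# carried over for this identity (for example a Deny set on a parent), then
# grant Modify, which covers read, write and delete, on the folder and its files.
$acl = Get-Acl -Path $KeyPath
$account = New-Object System.Security.Principal.NTAccount($Identity)
$acl.PurgeAccessRules($account)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Identity, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $KeyPath -AclObject $acl

# Step 3: walk from the key folder up to the drive root and report the entries
# that name this identity directly. Rights granted through groups the identity
# belongs to are not shown by this filter.
$dir = Get-Item -Path $KeyPath
while ($dir) {
    $entries = (Get-Acl -Path $dir.FullName).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity }
    if ($entries) {
        foreach ($e in $entries) {
            '{0}: {1} {2} (inherited: {3})' -f $dir.FullName,
                $e.AccessControlType, $e.FileSystemRights, $e.IsInherited
        }
    } else {
        '{0}: no entry for {1}' -f $dir.FullName, $Identity
    }
    $dir = $dir.Parent
}
```

The report at the end shows whether the identity holds anything on the parent folders, which is the condition the two sides of this thread disagree on.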

@kiwiant I'm going to close this as no-repro for now. We will re-open for more investigation when you can provide additional details per my previous comment: #194 (comment)