I am running PHP via IIS and need a script to mkdir() on a network share, meaning I would need PHP to create the folder by running as a service account. Is this possible?
How do I change which Windows user PHP runs as?
131 Views Asked by user1765369 At
2
There are 2 best solutions below
0
On
It is possible with PHP to create folders by running as a service account. You can configure an application pool in IIS to run under a service account that has the necessary permissions to access network shares and create folders:
- Open IIS Manager and select the application pool your PHP application is using.
- Click "Advanced Settings" on the right.
- Under Process Model you can set the Identity property to the desired service account.
- Make sure the service account has the necessary permissions on the network share to create the folder.
A better solution might be to run a service that the running instance of PHP can communicate with to tell the service to create the directory for you. Changing the user that PHP is running as, changes the permissions that PHP has for doing things on your server/network. I realize that is kind of your goal because you want PHP to be able to do more than it can currently, but that can lead to a whole lot more harm. Let's say, for example, that a malicious person were to find a security hole and manage to get your web server to execute arbitrary code on your server. If PHP has elevated privileges, then the code that is executed can do additional harm to your system that it would not have been capable of with the more limited permissions.
You could do a service/scheduled task to read from the file/database to wait for those directory names to be written and then create the directories or a service that listens on 127.0.0.1:xxxx where xxxx is some random port over 1024 and allow PHP to communicate directly with that service to send requests for directory creation. I would make sure the account that the service/scheduled task runs under does not have more than necessary permissions and I would not allow PHP to supply commands, only new directory names that your service/scheduled task can only do mkdir() with what is supplied by PHP. I would also sanitize the directory names so someone couldn't pass
All of this may be more complicated than you wanted it to be, but the policy of least privilege would make you less vulnerable to attack. If you are not worried about security concerns then you can try changing the application pool identify, as Lex Li suggested.