Best NTFS permission settings for Access 2000/XP databases

xiaoxiao2021-04-01  223

We already know that ASP.NET uses ADO.NET to access databases, and that through OLEDB it can access Access databases, one of the low-end databases we use very commonly. This article discusses several error messages you may see in ASP.NET, and shows that database files created with Access 2000 and Access XP produce somewhat different error messages when an error occurs. I hope it is helpful. A further aim is that, through this article, you gain a new understanding of NTFS permission settings for Access database files in ASP.NET.

(1) Experimental process

For convenience, we use a concrete example: the application is /test and the database is stored at D:\wwwroot\test\data\db1.mdb. We already know that ASP.NET accesses the database as a virtual user called ASPNET, so we need to give this account specific NTFS permissions for the ASP.NET program to run normally.

To arrive at the strictest NTFS permission settings, we start the experiment by giving the program the lowest NTFS permissions:

a) The D:\wwwroot\test\data\ folder grants the user ASPNET the following permissions:

Permission              Allow   Deny
Full Control            □       □
Modify                  □       □
Read & Execute          √       □
List Folder Contents    √       □
Read                    √       □
Write                   □       □

b) The D:\wwwroot\test\data\db1.mdb file itself grants the user ASPNET the following permissions:

√ Allow inheritable permissions from parent to propagate to this object

1.1 For an ASPX program containing only "SELECT" commands, the permissions above are enough to run without problems; that is, they already meet the needs of such programs.

1.2 For ASPX programs that contain commands such as "UPDATE" and "INSERT":

(a) If db1.mdb is a database created by Access 2000, the following error appears:

Server Error in '/test' Application.

---------------------------------------

The Microsoft Jet database engine cannot open the file 'D:\wwwroot\test\data\'. It is already opened exclusively by another user, or you need permission to view its data.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.OleDb.OleDbException: The Microsoft Jet database engine cannot open the file 'D:\wwwroot\test\data\'. It is already opened exclusively by another user, or you need permission to view its data.

(b) If db1.mdb is a database created by Access XP, the following error appears:

Server Error in '/test' Application.

----------------------------------------------

Operation must use an updateable query.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.OleDb.OleDbException: Operation must use an updateable query.

(c) Preliminary analysis of the cause: commands such as "UPDATE" and "INSERT" need to write to the database file itself, so the permissions above cannot meet this requirement and we need to loosen them further.

We loosen some permissions:

a) The D:\wwwroot\test\data\ folder is unchanged.

b) The D:\wwwroot\test\data\db1.mdb file itself grants the user ASPNET the following permissions:

Permission              Allow   Deny
Full Control            □       □
Modify                  □       □
Read & Execute          √       □
List Folder Contents    √       □
Read                    √       □
Write                   √       □

1.3 Continuing the experiment after loosening the permissions:

(a) If db1.mdb is a database created by Access 2000, the following error appears:

Server Error in '/test' Application.

------------------------------------------

Could not lock file.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.OleDb.OleDbException: Could not lock file.

(b) If db1.mdb is a database created by Access XP, there is no error.

(c) Preliminary analysis of the cause: we found that opening an Access database generates a *.ldb file in the same directory, which is Access's lock marker. From this we guess that when the user ASPNET accesses the Access database, it also needs to generate a lock marker, and because the directory does not allow it to write, an error occurs. Why a database created by Access XP does not show this error is not known.

We loosen the permissions further:

a) The D:\wwwroot\test\data\ folder grants the user ASPNET the following permissions:

Permission              Allow   Deny
Full Control            □       □
Modify                  □       □
Read & Execute          √       □
List Folder Contents    √       □
Read                    √       □
Write                   √       □

b) The D:\wwwroot\test\data\db1.mdb file itself grants the user ASPNET the following permissions:

√ Allow inheritable permissions from parent to propagate to this object

1.4 Continuing the experiment, we find that the error has been resolved, so these permissions are the "minimum permissions" we need to grant.

(a) If db1.mdb is a database created by Access 2000, we find a small problem: the generated *.ldb file is not deleted automatically and still exists after access ends, but this does not affect normal ASP.NET operation.

(b) If db1.mdb is a database created by Access XP, there is no such problem.

(c) Preliminary analysis of the cause: we gave ASPNET only Write permission on the folder, not Modify, so once the file has been written ASPNET cannot modify its content, and so cannot delete the *.ldb file either.

If you do need to solve this problem, loosen the permissions further:

a) The D:\wwwroot\test\data\ folder grants the user ASPNET the following permissions:

Permission              Allow   Deny
Full Control            □       □
Modify                  √       □
Read & Execute          √       □
List Folder Contents    √       □
Read                    √       □
Write                   √       □

b) The D:\wwwroot\test\data\db1.mdb file itself grants the user ASPNET the following permissions:

√ Allow inheritable permissions from parent to propagate to this object

1.5 Another experiment: we open db1.mdb for editing in Access while also accessing it from ASP.NET.

(a) If db1.mdb is a database created by Access 2000, we find that there is no problem.

(b) If db1.mdb is a database created by Access XP, the following error appears:

Server Error in '/zhao' Application.

------------------------------------------------

Could not use ''; file already in use.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.OleDb.OleDbException: Could not use ''; file already in use.

(c) Preliminary analysis of the cause: Access is a single-user, single-threaded database. When we open the database file for editing in Access, it is opened by the current Windows user (such as Administrator), while ASP.NET uses the ASPNET virtual user (a member of the Users group), whose level is lower than Administrator's and which cannot "grab" the file, so a conflict error occurs. As for Access 2000 ignoring this problem, we need not discuss it; it may be that Access 2000 does not take so many factors into account.

1.6 Another experiment: set the file attribute of db1.mdb to "Read-only". Both Access 2000 and Access XP then show the same errors as their respective errors in 1.2.

(2) Experimental conclusion

1. First, a summary of why the Access database file needs NTFS permission settings:

By default, ASP.NET accesses and operates on the database under the identity of a virtual user called ASPNET. You can see this user under "Control Panel" - "Administrative Tools" - "Local Users and Groups" - "Users". By default:

Full name: ASP.NET Machine Account

Description: Account used for running the ASP.NET worker process (aspnet_wp.exe).

Member of: Users group.

Performing file and database operations as a user that belongs to the Users group carries much less risk than doing so as a user in the Administrators group, which is one of ASP.NET's security considerations.

Since it is this user that needs to access and operate on the database file itself, we need to give it certain NTFS permissions. Obviously, without those NTFS permissions ASPNET cannot access or operate on the database, and the errors seen in the experiments above appear.

2. From the experiments above, we know that the following NTFS permission settings meet general needs:

a) The D:\wwwroot\test\data\ folder grants the user ASPNET the following permissions:

Permission              Allow   Deny
Full Control            □       □
Modify                  □       □
Read & Execute          √       □
List Folder Contents    √       □
Read                    √       □
Write                   √       □

b) The D:\wwwroot\test\data\db1.mdb file itself grants the user ASPNET the following permissions:

√ Allow inheritable permissions from parent to propagate to this object

We also noticed that whether db1.mdb has the "Read-only" file attribute affects ASPNET's access to it.

3. The permissions above can be granted directly to the ASPNET user itself, or to the Users group. Because ASPNET is a member of the Users group, it receives the permissions granted to that group. Granting them to the group also gives every other member of Users the same access to the data folder, so granting them to ASPNET alone is the tighter choice.

4. NTFS permissions are set on the "Security" tab of the "Properties" dialog box opened by right-clicking the file or folder. In general, consider giving the Administrators group "Full Control", and do not casually tick "Deny". For tips on NTFS permission settings, you can consult network administrators or network security experts.

Note: NTFS permissions are not supported on partitions formatted as FAT or FAT32.

5. In the Windows 2000 series and the Windows Server 2003 series the "Security" tab is easy to find, but in Windows XP Professional the "Security" tab is turned off by default. To show it, go to "Control Panel" - "Folder Options", clear the "Use simple file sharing (Recommended)" check box under "Advanced settings", click "OK", and then open the "Security" tab again as described above.
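The folder-level settings from conclusion 2 can also be applied and checked from PowerShell instead of the "Security" tab. This is an added example, not part of the original article; it assumes PowerShell is installed on the server, that ASPNET is a local account on it, and that the paths are those of the article's scenario.

```powershell
# Added example: paths and the ASPNET account follow the article's scenario.
$dataDir = 'D:\wwwroot\test\data'
$dbFile  = Join-Path $dataDir 'db1.mdb'
$account = "$env:COMPUTERNAME\ASPNET"          # local ASPNET account (assumed)

# NTFS ACLs do not exist on FAT/FAT32 volumes.
$drive = New-Object System.IO.DriveInfo 'D:\'
if ($drive.DriveFormat -ne 'NTFS') { throw "D: is $($drive.DriveFormat), not NTFS" }

# Folder ACE: Read & Execute + Write, inherited by subfolders and files, so
# db1.mdb and the .ldb lock file are covered without an explicit file ACE.
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rule    = New-Object System.Security.AccessControl.FileSystemAccessRule `
               -ArgumentList $account, $rights, $inherit, $none, $allow

$acl = Get-Acl -Path $dataDir
$acl.SetAccessRule($rule)      # replaces earlier explicit Allow ACEs for ASPNET
Set-Acl -Path $dataDir -AclObject $acl

# Sum the Allow rights held by ACEs that name ASPNET (explicit and inherited).
function Get-AspnetGrant([string]$Path) {
    $mask = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.IdentityReference.Value -eq $account -and
            $ace.AccessControlType -eq 'Allow') {
            $mask = $mask -bor [int]$ace.FileSystemRights
        }
    }
    $mask
}

$mask   = Get-AspnetGrant $dbFile
$need   = [int]$rights
$delete = [int][System.Security.AccessControl.FileSystemRights]::Delete

New-Object PSObject -Property @{
    ReadWriteGranted = ($mask -band $need) -eq $need
    DeleteGranted    = ($mask -band $delete) -ne 0    # added only by Modify / Full Control
    InheritsFromDir  = -not (Get-Acl -Path $dbFile).AreAccessRulesProtected
    ReadOnlyAttr     = (Get-Item $dbFile).IsReadOnly  # must be False for UPDATE/INSERT (1.6)
} | Format-List
```

Modify differs from Read & Execute plus Write by the Delete right, so DeleteGranted stays False under this ACL, matching the leftover *.ldb file described in 1.4. The report counts only ACEs that name ASPNET directly, not rights that reach it through the Users group.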
