renan-guimaraes / dwscript

Automatically exported from code.google.com/p/dwscript

HttpSys2WebServer does not run under a limited account #329

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Build HttpSys2WebServer project
2. Run once as admin, as directed
3. Run normally

What is the expected output? What do you see instead?
Expected: The server will run on step 3.
Observed: The server crashes. The call to HttpAPI.AddUrlToUrlGroup in 
THttpApi2Server.AddUrl fails, resulting in:

Exception class EHttpApiServer with message 'HttpAddUrlToUrlGroup failed: 
Access is denied (5)'. Process DWSWebServer.exe (17420)

What version of the product are you using? On what operating system?
Latest SVN build, running on Windows 7 Professional.

Original issue reported on code.google.com by masonwhe...@gmail.com on 25 Jan 2013 at 4:18

GoogleCodeExporter commented 9 years ago
Currently registration is not integrated in the server, you can register a 
service and adjust the ACL with HTTPSysManager f.i.

http://httpsysmanager.codeplex.com/

You should however be able to install as a service ("/install" parameter on the 
command line), and the corresponding service can run under the standard service 
account (without requiring administrator rights).

To run an https service, the certificate must be installed too
  http://msdn.microsoft.com/en-us/library/ms186362(v=sql.105).aspx
free SSL certificates can be obtained from StartCom
  http://www.startcom.org/?lang=fr
and are recognized by browsers.

I suppose a command line option could be added "/register" to have the exe 
register the url? I'm not sure about what the default ACL will be in that case 
though.

Original comment by zar...@gmail.com on 25 Jan 2013 at 4:28

GoogleCodeExporter commented 9 years ago
All right, but what do Services have to do with anything? I'm running the 
server normally, (loading the EXE from Windows, or pressing F9 inside Delphi,) 
not as a Service.  The DPR says that it should be able to support both modes of 
execution.  Is it somehow ending up on a code path belonging to Services when I 
try to run it as an application?

Original comment by masonwhe...@gmail.com on 25 Jan 2013 at 6:18

GoogleCodeExporter commented 9 years ago
As long as the URL isn't registered, an executable needs either to be running 
as an admin account or as a service. Registering the URL without a switch might 
be a little heavy handed, as if the user is unaware it should deregister the 
url, apps getting run at a later time would be allowed to use http.sys directly.

So far I've been running it either as admin (for debugging) or as a service (on 
a cloud VM). An alternative to registration is to set a manifest that requires 
elevation (this is what the mORMot demo does), but then the executable is no 
longer suitable for a "normal" service (one that runs without admin privileges).

Original comment by zar...@gmail.com on 25 Jan 2013 at 8:33
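
The registration concern raised in the comment above can be checked from the command line. This is an added example, not part of the original thread or the DWScript project: it parses `netsh http show urlacl` output and lists reservations whose ACL grants a broad group the right to listen. The sample output, URLs, port numbers and account name are constructed placeholders, and English `netsh` output is assumed.

```powershell
# Added example (not from the thread): audit http.sys URL reservations for broad ACLs.
# $Sample is constructed; on a real host use: $text = netsh http show urlacl | Out-String
# Assumes English netsh output; the URLs and port numbers are placeholders.
$Sample = @'
URL Reservations:
-----------------

    Reserved URL            : http://+:8080/
        User: BUILTIN\Users
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;BU)

    Reserved URL            : http://+:8888/
        User: NT AUTHORITY\LOCAL SERVICE
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;LS)
'@

function Get-UrlAclReservation {
    param([string]$Text)
    $current = $null
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            if ($current) { $current }              # emit the previous reservation
            $current = [pscustomobject]@{ Url = $Matches[1]; Users = @(); Sddl = '' }
        } elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.Users += $Matches[1]
        } elseif ($current -and $line -match '^\s*SDDL:\s*(\S+)') {
            $current.Sddl = $Matches[1]
        }
    }
    if ($current) { $current }                      # emit the last reservation
}

# SDDL aliases for broad groups: WD=Everyone, AU=Authenticated Users,
# BU=BUILTIN\Users, IU=Interactive. Any allow ACE naming one is flagged.
$broad = '\(A;[^)]*;(WD|AU|BU|IU)\)'
Get-UrlAclReservation $Sample |
    Where-Object { $_.Sddl -match $broad } |
    Select-Object Url, @{ n = 'Users'; e = { $_.Users -join ', ' } }, Sddl

# Scoped alternative, run from an elevated prompt (placeholder URL and account):
#   netsh http add urlacl url=http://+:8080/ user=MYHOST\webdev
#   netsh http delete urlacl url=http://+:8080/    # remove when no longer needed
```

A reservation granted to a single account lets that account call `HttpAddUrlToUrlGroup` without elevation, while other accounts still receive "Access is denied (5)" for the same URL prefix.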

GoogleCodeExporter commented 9 years ago
All right. In that case, the appropriate course of action would probably be 
simply to make that explicit.  When the comment in the DPR said "you first have 
to run this once as an administrator," I took it literally, and then was 
frustrated when I wasn't able to run as a non-admin application afterwards.

Original comment by masonwhe...@gmail.com on 25 Jan 2013 at 10:59

GoogleCodeExporter commented 9 years ago
Updated comments

Original comment by zar...@gmail.com on 11 Jun 2013 at 7:01