Security problem when Shared App Pool

[Luiz_Gustavo]

Hello,

I create 2 websites in Plesk Windows for testing, both in the plesk default app pool (shared) and for my big surprise, I can write any files in SITE2 area from SITE1 subscription, using .NET script .

I do not want to use a Dedicated App Pool for each subscrition to preverse memory. Are there a solution for this "security issue"?


Regards,

Luiz

 

[IgorG]

both in the plesk default app pool (shared) and for my big surprise, I can write any files in SITE2 area from SITE1 subscription, using .NET script .

Hmm... why "big surprise"? It is default behaviour of shared pool. Shared means "shared" There is the same system user. Moreover - crashing of one application will crash whole pool.
If you need isolation - use dedicated pool.

 

[Luiz_Gustavo]

The big surprise because a realize Plesk to not implement security in shared pools. It perfectly possible to prevent this problem creating a unique user for each subscription and configure this user in Anonymous User and Physical Path credentials, and Impersonate the user in ASP.NET. Each subscription directory has NTFS permissions just for the unique user and this procedure permit many sites in shared app pool with no write acess from one site to another.

Well, if plesk do not permit this, I will isolete him in dedicated pool, but this this is a waste of system memory for low budget subscription sites.

 

[IgorG]

BTW, dedicated pool is option, recommended by Microsoft.