Have multiple sites (2) hosted on IIS with PHP. Each site runs under its own application pool, therefore each instance of w3wp.exe (IIS Worker Process) and php-cgi.exe runs under the respective Application Pool Identity.
I have a folder C:\Web, containing the webserver related files. Directory structure is as follows:
C:\WEB├───AVP│├───1.0││└───wwwroot││├───api││├───images││├───scripts││└───styles│├───PHPLogs│└───Sessions├───Dev01│├───PHPLogs│├───Sessions│└───wwwroot└───IISLogs├───W3SVC└───W3SVC1.oldI am trying to set my permissions so that each site cannot access other sites files, in case a script on one site has a vulnerability.
What I have tried:Removed permissions from the 'Users' group on C:\Web, as App Pool Identities are a member of the Users group. Then, I would add explicit permission for each App Pool Identity for it's own directory. I.E 'IIS AppPool\Site1' would have Read/Write permissions on C:\Web\AVP, but not on C\Web\Dev01. However, there is a complication: The C:\Web folder is also shared over the network - This is used so I can edit the webfiles from other machines. I have done this with the 'Advanced sharing' menu, and I have assigned a share permission to a user:
This works, however if I only remove the 'Users' group from C:\Web (& subfolders), PHP instances can still access the files. I have to also remove permissions from 'Authenticated Users' (Which I don't fully understand) to stop my App Pool Identities having access to the files. However doing this breaks access over the network...
What is the best way of doing this?