ImageMagick Installed, Still No Thumbs
jasonboche:
Sorry for bumping an old thread but this issue has been killing me for the past few days. I spent a total of probably 6 hours today to resolve this issue plus another couple of hours the last few days casually troubleshooting. It was very frustrating so I'm going to spend a little time here posting to help others so that maybe they won't waste as much time on this as I did.
My setup:
Windows 2000 Server SP4
IIS 5.0
Current on all security patches
Perl 5.8.3.809 using perlis.dll <all> for the IIS Application Configuration perl mapping to .pl file types
ImageMagick-6.1.9-Q16-windows-dll.exe
MySQL 4.0.18
PHP 4.3.10
What I used for testing and troubleshooting:
VMware
Sysinternals Filemon
Windows auditing and event viewer
Ultimately this problem is caused by the Microsoft IIS Lockdown Tool 2.1, which also installs URLScan. URLScan is not the issue. The issue is one of the components of the lockdown tool and the effect that this component has on the Imagemagick thumbnail making process. As others have pointed out, generating the thumbnails manually at a command prompt on the server console works fine; however, something in the IIS engine (dllhost.exe, the anonymous IUSR_, etc.) is not able to perform the same task. Bobbitt album and Imagemagick were working fine on my web server up until sometime last fall. What caused the software to break was the installation of the IIS Lockdown tool; however, I hadn't noticed the album had broken until several days after the IIS Lockdown tool install, and so unfortunately the lockdown tool installation was gone from my short-term memory as having been installed recently. Had I remembered this installation, the light bulb above my head probably would have gone on a lot quicker.
So here's what happens when you install the lockdown tool. You are asked to choose a template that best describes your web server's function. For me, that template is the Static Web Server template. Before clicking next, check the box below that says "View template settings". This is basically an advanced/custom install of the lockdown tool.
On the following screens, go with your gut instinct on what makes sense on your server, however stop when you get to a screen that looks like this:
[See below]
By default, the box is checked next to "Running system utilities (for example Cmd.exe, Tftp.exe)". This is what is killing the Imagemagick thumbnail making process. The iusr_ and iwam_ accounts need READ (RX) access to cmd.exe. Note that I have also unchecked the box next to "Writing to content directories", as this normally raises hell with UBB forums where anonymous (IUSR_) needs to be able to write to flat data files in the web directory.
If you failed to do the above, check the installation log for the IIS Lockdown tool which is located at c:\winnt\system32\inetsrv\oblt-rep.log
The log file will look something like the following:
Changes service msftpsvc startup type from Automatic to Disabled.
Backed up metabase
Locked httpext.dll
Locked idq.dll
Disabled Internet Printing
Installed URLScan
Removed script map: .asp, C:\WINNT\System32\inetsrv\asp.dll
Removed script map: .cer, C:\WINNT\System32\inetsrv\asp.dll
Removed script map: .cdx, C:\WINNT\System32\inetsrv\asp.dll
Removed script map: .asa, C:\WINNT\System32\inetsrv\asp.dll
Removed script map: .htr, C:\WINNT\System32\inetsrv\ism.dll
Removed script map: .idc, C:\WINNT\System32\inetsrv\httpodbc.dll
Removed script map: .shtm, C:\WINNT\System32\inetsrv\ssinc.dll
Removed script map: .shtml, C:\WINNT\System32\inetsrv\ssinc.dll
Removed script map: .stm, C:\WINNT\System32\inetsrv\ssinc.dll
Removed script map: .printer, C:\WINNT\System32\msw3prt.dll
Removed script map: .asp, C:\WINNT\System32\inetsrv\asp.dll
Removed script map: .cer, C:\WINNT\System32\inetsrv\asp.dll
Removed script map: .cdx, C:\WINNT\System32\inetsrv\asp.dll
Removed script map: .asa, C:\WINNT\System32\inetsrv\asp.dll
Removed script map: .htr, C:\WINNT\System32\inetsrv\ism.dll
Removed script map: .idc, C:\WINNT\System32\inetsrv\httpodbc.dll
Removed script map: .shtm, C:\WINNT\System32\inetsrv\ssinc.dll
Removed script map: .shtml, C:\WINNT\System32\inetsrv\ssinc.dll
Removed script map: .stm, C:\WINNT\System32\inetsrv\ssinc.dll
Removed script map: .printer, C:\WINNT\System32\msw3prt.dll
Removed printer virtual dir (/LM/W3SVC/1/ROOT/Printers)
Set Deny All ACE for anonymous web users on system utilities under C:\WINNT
Set Deny Write ACE for anonymous web users under C:\Inetpub\wwwroot\test
Lockdown finished.
Details have been written to the log that is used for undoing the changes (oblt-log.log). Note: modifying or erasing oblt-log.log will prevent the tool from being able to successfully undo the results of this lockdown.
Analyzing the log above, the entry "Set Deny Write ACE for anonymous web users under C:\Inetpub\wwwroot\test" is a result of leaving the box checked for Writing to content directories.
And finally here's the needle in the haystack, what is breaking Imagemagick:
The entry "Set Deny All ACE for anonymous web users on system utilities under C:\WINNT" results in all script, console, and executable files under the entire \winnt\ tree being flagged at the NTFS file level with DENY ALL security attributes for the IUSR_ and IWAM_ accounts.
How to fix this.
Well, if you're on Windows 2000 running IIS5 and you installed the IIS Lockdown tool, the fix is easy. Uninstall the IIS Lockdown tool by simply running the install program again for it. Provided you have not deleted or altered the oblt-log.log file, you will be able to easily undo the changes that the IIS Lockdown tool made. Simply uninstall the IIS Lockdown tool, then re-install the IIS Lockdown tool based on my recommendation of NOT allowing it to disable Running System Utilities.
-or-
You can try leaving the IIS lockdown tool installed, and simply grant READ (RX) permission to the iusr_ and iwam_ accounts to %systemroot%\system32\cmd.exe
If you're on Windows Server 2003, you basically have the IIS Lockdown tool installed by default. Simply grant READ (RX) permission to the iusr_ and iwam_ accounts to %systemroot%\system32\cmd.exe
Want to know a list of all the system utilities that get deny all ACEs applied? Take a look at obit-undo.log which is located in %systemroot%\system32\inetsrv\
Ahh... my photo album is working once again! :D
I meant to add to this post at the very end (but forgot to) the required permissions on key directories on the Windows server that I was testing with. I basically took a brand new Windows server in VMware and built a Bobbitt photo album from the ground up, noting the NTFS permissions required to make everything work. Here are my notes on that. Out of the box, Windows 2000 Server grants everyone full control at the root drive letter level for all data partitions added after the install of Windows 2000 such as D:, E:, F:, etc. I can't remember if it also does this for C:, where normally the boot partition is located. But my point is that when I build an installation of Windows 2000, I remove the everyone/full control ACL and ACE but add back in system/full control and administrators/full control. While your album software and all of its components will work properly if you leave everyone/full control on their installation directories, they will surely "break" by removing everyone/full control, and one or more pieces of Bobbitt forums and image magick will not work right. Leaving the ACL everyone/full control on a server does not make it very secure.
If you remove the everyone/full control ACL like I do, here is the minimum set of permissions required in order for Bobbitt album and Image Magick to work properly (also note that these permissions should be cascaded down the rest of the directory structure without breaking permission inheritance for child folders and files):
PERL
<drive letter:>\perl\
Administrators/Full Control
SYSTEM/Full Control
IUSR_<servername>/Read (RX)
Bobbitt album software
Bobbitt album root web folder (i.e. c:\inetpub\wwwroot\bobbitalbum\)
Administrators/Full Control
SYSTEM/Full Control
IUSR_<servername>/Read (RX)
IWAM_<servername>/Modify (RWXD)
Image Magick
<drive letter:>\imagemagick\
Administrators/Full Control
SYSTEM/Full Control
Users/Read (RX)
%systemroot%\system32\cmd.exe
Administrators/Full Control
SYSTEM/Full Control
IUSR_<servername> and IWAM_<servername> need Read (RX) or alternatively you can leave the default ACL of Everyone/Read (RX) which will include IUSR_<servername> and IWAM_<servername>. Just remember that this is the ACL that the IIS 2.1 lockdown tool is breaking by adding DENY ALL permissions to IUSR_<servername> and IWAM_<servername> so one method or another needs to be done here. As I suggest above, the easiest way is to not let the IIS 2.1 Lockdown Tool wreak havoc on your %systemroot% utilities permissions.
edit 2/10/05: Everything you wanted to know about the IIS lockdown tool http://www.iisanswers.com/articles/IIS_Lockdown/IISLockdown.htm
Jason Boche
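As an added example (not part of Jason's post or the Album project), the following PowerShell audits the NTFS permissions the thread pins down: it reports any Deny ACEs for the anonymous web accounts on %systemroot%\system32\cmd.exe, checks whether those accounts still get Read (RX) there, and lists every script, console and executable file under %systemroot% carrying such a Deny ACE. The account names (IUSR_<server>, IWAM_<server>), the helper function name and the extension list are assumptions; save it as a .ps1 and run it as an administrator on a modern PowerShell.

```powershell
# Added example, not from the original post: audit the Deny ACEs the IIS Lockdown
# Tool places on system utilities for the anonymous web accounts. Account names
# follow the IUSR_<server>/IWAM_<server> convention assumed here; run as an admin.
param(
    [string[]]$Accounts = @("IUSR_$env:COMPUTERNAME", "IWAM_$env:COMPUTERNAME"),
    [string]$Root = $env:SystemRoot
)

# Hypothetical helper: return the ACEs on one file that name any of the given
# accounts, restricted to Deny or Allow entries.
function Get-AceForAccount {
    param([string]$Path, [string[]]$Accounts, [string]$Type = 'Deny')
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne $Type) { continue }
        # IdentityReference is "SERVER\name"; compare only the account name part.
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        if ($Accounts -contains $name) { $ace }
    }
}

# 1. cmd.exe: the file the thread identifies. A Deny ACE here is what stops the
#    CGI-spawned ImageMagick call even though it works from a console session.
$cmd = Join-Path $Root 'system32\cmd.exe'
$denied = @(Get-AceForAccount -Path $cmd -Accounts $Accounts -Type Deny)
if ($denied.Count -gt 0) {
    Write-Output "DENY ACEs on $cmd (this blocks thumbnail generation):"
    $denied | ForEach-Object { "  {0} : {1}" -f $_.IdentityReference, $_.FileSystemRights }
} else {
    Write-Output "No Deny ACEs for $($Accounts -join ', ') on $cmd"
}

# 2. Check that the accounts are still granted Read (RX), directly or via
#    Everyone/Users, which is the minimum the post lists for cmd.exe.
$grantees = $Accounts + @('Everyone', 'Users')
$rx = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$allowed = @(Get-AceForAccount -Path $cmd -Accounts $grantees -Type Allow |
    Where-Object { ($_.FileSystemRights -band $rx) -eq $rx })
Write-Output ("Read (RX) on {0}: {1}" -f $cmd, $(if ($allowed.Count) { 'granted' } else { 'MISSING' }))

# 3. The Lockdown Tool applies the same Deny ACEs to every script, console and
#    executable under %SystemRoot%; list them so the footprint is visible.
$ext = '*.exe', '*.com', '*.cmd', '*.bat', '*.vbs', '*.js'
Get-ChildItem -LiteralPath $Root -Recurse -File -Include $ext -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        Get-AceForAccount -Path $file -Accounts $Accounts -Type Deny | ForEach-Object {
            [pscustomobject]@{ File = $file; Account = $_.IdentityReference.Value; Denied = $_.FileSystemRights }
        }
    } | Format-Table -AutoSize
```

A Deny ACE wins over any Allow ACE on the same file, so the report in step 1 explains the symptom even when step 2 shows Read (RX) as granted.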
Mike Bobbitt:
Jason,
That is simply amazing! We've seen this issue many times and this is the first time anyone has found the cause (let alone documented it in great detail).
Simply fantastic, thanks for taking the time to do this... I'm moving this thread to the FAQ...