
iis security : http logs in shared hosting environment


fred
10/20/2005 4:46:05 PM
I'm a UNIX guy, and had a Windows 2003 Web Edition server dropped in my lap.
It's going surprisingly well, with the exception of a log issue. The
machine is a shared hosting environment, under IIS6, and I can't seem to
find a way to allow customers to view their http logs. I am logging in the
W3C extended log format, and I can modify where the files are stored, but
when the files are created, their permissions don't allow the domain owner
to view them, even if located within the user's domain space. I have spent
days poring over help files, Microsoft's site, and various and sundry IIS
tech sites, with no luck. What am I missing?

David Wang [Msft]
10/20/2005 10:54:09 PM
This is how the log file ACLs work:
- If the logging directory is created by IIS (actually, by HTTP.SYS, since
it is the one that does the logging), then it will be securely ACL'd to only
allow administrators and LocalSystem control.
- If the logging directory is already created, then the existing ACLs will
be used.

So, what you need to do is to create a folder in the domain owner's user
space and make sure it has NTFS ACL for that domain user. Thereafter,
logfiles created in that folder will inherit the domain owner's ACL.

Now, if you are in a situation that does not give real NT user accounts to
the customers, then your options are pretty limited because you cannot take
advantage of anything built into Windows to help isolate/protect the
customer accounts - you're basically doing custom
authentication/authorization yourself, so it only makes sense that you end
up rewriting large parts of Windows security to do things properly.

In a shared environment, you end up having to write code to remap your
logical domain users into fewer real NT user accounts. This means that from
an NT security perspective, multiple logical domain users all have rights to
the same log file... even if you logically do not want it to happen. It
means that you'll have to spend extra effort to hook in the right security
access protocol yourself.

It's the same problem no matter what OS you are running. The only difference
is whether custom code already exists and whether you can take it.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
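
The pre-creation step described in the reply above, as an added PowerShell example that is not part of the original thread. The path, site identifier and account name are hypothetical placeholders. Pre-creating the `W3SVC<site id>` subfolder and cutting inheritance from the parent folder (so the customer can read but not alter the logs) are assumptions of this sketch, not steps stated in the thread.

```powershell
# Added example: every name and path below is a hypothetical placeholder.
param(
    [string]$LogRoot  = 'D:\Customers\example.com\logs',  # folder inside the customer's space
    [string]$SiteId   = '1234',                           # IIS site identifier
    [string]$Customer = 'WEBHOST\cust_example'            # real NT account of the domain owner
)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# 1. Create the folder yourself, BEFORE pointing the site's logging at it.
#    A folder that IIS/HTTP.SYS has to create is ACL'd to administrators and LocalSystem only.
if (-not (Test-Path $LogRoot)) { New-Item -ItemType Directory -Path $LogRoot | Out-Null }

# 2. Replace the ACL with explicit, inheritable entries. Dropping the ACEs inherited
#    from the customer's space keeps the customer from modifying or deleting logs.
$acl = Get-Acl $LogRoot
$acl.SetAccessRuleProtection($true, $false)
$entries = @(
    @('BUILTIN\Administrators', 'FullControl'),
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    @($Customer,                'ReadAndExecute')   # list and read only
)
foreach ($e in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $e[0], $e[1], $inherit, $noProp, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $LogRoot -AclObject $acl

# 3. Pre-create the per-site subfolder so it inherits the ACL set above (assumption:
#    default IIS 6 layout of <log directory>\W3SVC<site id>).
$siteDir = Join-Path $LogRoot "W3SVC$SiteId"
if (-not (Test-Path $siteDir)) { New-Item -ItemType Directory -Path $siteDir | Out-Null }

# 4. Verify by SID that the customer's entry reached the subfolder through inheritance.
$sidType = [System.Security.Principal.SecurityIdentifier]
$sid     = (New-Object System.Security.Principal.NTAccount($Customer)).Translate($sidType)
$found   = (Get-Acl $siteDir).GetAccessRules($true, $true, $sidType) |
    Where-Object { $_.IdentityReference -eq $sid -and $_.IsInherited }
if (-not $found) { throw "No inherited ACE for $Customer on $siteDir" }
"OK: $Customer has inherited read access on $siteDir"
```

Run it once per site, then set the site's log file directory to the `$LogRoot` value.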