My site uses a SQL Express database. After publishing it, I ran into the error "Cannot update the database ... MDF because the database is read-only". Granting write permission to the Internet guest account is not an option.
Searching the Internet, the usual advice is to set permissions on the directory that holds the MDF (for example, App_Data) so that Everyone has write permission.
This is not a good idea. Although most servers disable the Guest account, it is still very dangerous. In fact, neither Everyone nor the Internet guest account needs the permission; only the ASPNET account does.
There are a few things to note:
1. Full control is not needed; write permission is enough.
2. The permission does not need to be set on the directory either; setting it on the two files, the MDF and the LDF, is enough.
In addition, once your Web pages have been visited, some information is kept in memory for performance reasons, and this includes permission information. At that point, even if you change the access rights on the directory or the files, the change does not take effect immediately. You have to wait for that information to drop out of memory or, if you cannot wait, restart IIS.
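The steps above as a PowerShell script, added here as an example and not part of the original post. The site path and database file names are hypothetical placeholders, and the account is assumed to be the local ASPNET account.

```powershell
# Assumed values: adjust the path and file names to your own site.
$appData = 'C:\inetpub\wwwroot\MySite\App_Data'   # hypothetical path
$dbFiles = 'Database.mdf', 'Database_log.ldf'     # hypothetical file names
$account = "$env:COMPUTERNAME\ASPNET"             # local ASPNET account (assumption)

$grant = [System.Security.AccessControl.FileSystemRights]'Write'
$write = [System.Security.AccessControl.FileSystemRights]::WriteData

# 1. Grant Write (not FullControl) on the two files only, not on the directory.
#    Read access is assumed to be present already.
foreach ($name in $dbFiles) {
    $file = Join-Path $appData $name
    $acl  = Get-Acl -Path $file
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, $grant, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $file -AclObject $acl
}

# 2. Report Allow entries that give WriteData to Everyone, Guest(s) or the
#    IUSR_* Internet guest account on the directory or on either file.
$targets = @($appData) + ($dbFiles | ForEach-Object { Join-Path $appData $_ })
foreach ($t in $targets) {
    (Get-Acl -Path $t).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $write) -ne 0) -and
            $_.IdentityReference.Value -match '(^|\\)(Everyone|Guests?|IUSR_.*)$'
        } |
        ForEach-Object {
            Write-Warning "$t : $($_.IdentityReference) has $($_.FileSystemRights)"
        }
}

# 3. Restart IIS so the new permissions apply without waiting.
iisreset
```

Run it from an elevated prompt on the web server; any warning printed in step 2 points at a broad write grant left over from the "give Everyone write access" advice.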
However, this also shows that ASP.NET's low-level code actually has a great deal of power: its access to files is limited by permission information that it holds and enforces itself, and it does not appear to be constrained by the system. That can hardly be called anything but a serious loophole.