Reputation: 3920
I have an ASP.NET application. Basically the delivery process is this one:
My problem is that with this process I have an Unauthorized access error when I try to open the website. It seems that the files need to have a permission set for the user "IIS_WPG".
I don't have the power to change IIS configuration so I have to manually change the permissions of each file. And each time I replace the files the permissions are removed and I need to set them again.
So I have two questions:
Upvotes: 8
Views: 2446
Reputation: 2678
CACLS is now deprecated. Here's a version that uses ICACLS, the replacement.
Let's say we have the following:
${paths.myprogram.inetpub}
${upload.foldername}
${iis.upload.user}
${iis.user.permissionlevel}
With these assumptions, our task is this:

    <exec program="icacls">
        <arg value="${path::combine(paths.myprogram.inetpub, upload.foldername)}" />
        <arg value="/grant" />
        <arg value="${iis.upload.user}:${iis.user.permissionlevel}" />
    </exec>

Hope this helps!
Upvotes: 2
Reputation: 3920
@Jeff Fritz Ouch... Your suggestion is the right solution but the parameters are... dangerous :).
On dev computers I'm logged in as administrator and I tried your suggestion with cmd.
So, after some tests, the right command is:

    cacls [full folder path] /T /E /G IIS_WPG:F

Upvotes: 7
Reputation: 18372
We ended up writing our own task for this with some fairly straightforward code:

    using System.IO;
    using System.Security.AccessControl;
    using NAnt.Core;
    using NAnt.Core.Attributes;

    [TaskName("addusertodir")]
    public class AddUserToDirectorySecurity : Task
    {
        [TaskAttribute("dir", Required=true)]
        public string DirPath { get; set; }

        [TaskAttribute("user", Required=true)]
        public string UserName { get; set; }

        protected override void ExecuteTask()
        {
            // Read-only rights for the account, applied to the directory itself.
            FileSystemAccessRule theRule1 = new FileSystemAccessRule(UserName, FileSystemRights.ListDirectory, AccessControlType.Allow);
            FileSystemAccessRule theRule2 = new FileSystemAccessRule(UserName, FileSystemRights.ReadAndExecute, AccessControlType.Allow);
            FileSystemAccessRule theRule3 = new FileSystemAccessRule(UserName, FileSystemRights.Read, AccessControlType.Allow);

            // Start from the directory's current ACL: a freshly constructed
            // DirectorySecurity would replace the existing ACL when applied.
            DirectorySecurity theDirSecurity = Directory.GetAccessControl(DirPath);
            theDirSecurity.AddAccessRule(theRule1);
            theDirSecurity.AddAccessRule(theRule2);
            theDirSecurity.AddAccessRule(theRule3);
            Directory.SetAccessControl(DirPath, theDirSecurity);
        }
    }

Then you can write a NAnt script that loads the custom task and executes:

    <loadtasks>
        <fileset>
            <include name="MyTask.dll"/>
        </fileset>
    </loadtasks>
    <addusertodir dir="MyDir" user="IIS_WPG"/>

Obviously, this could be modified for your certain rules or you could even parameterize this in the task if you so wish. We preferred this over using the exec task as it gave us a bit more control over permissions that were being applied.
Upvotes: 3
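
A parameterized variant of the custom task above, as an added example (not code from the answer's author). The task name `grantdiraccess` and the `rights` attribute are assumptions made for illustration; the task defaults to read-and-execute, reads the existing ACL before adding to it, and marks the rule inheritable so files created or copied under the directory receive it.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using NAnt.Core;
using NAnt.Core.Attributes;

// Hypothetical task name and attributes (illustration only).
// Usage: <grantdiraccess dir="MyDir" user="IIS_WPG" rights="ReadAndExecute"/>
[TaskName("grantdiraccess")]
public class GrantDirectoryAccess : Task
{
    [TaskAttribute("dir", Required = true)]
    public string DirPath { get; set; }

    [TaskAttribute("user", Required = true)]
    public string UserName { get; set; }

    // Comma-separated FileSystemRights names; optional.
    [TaskAttribute("rights")]
    public string Rights { get; set; }

    protected override void ExecuteTask()
    {
        // Least privilege by default: read and execute, never FullControl.
        string rightsText = string.IsNullOrEmpty(Rights) ? "ReadAndExecute" : Rights;
        FileSystemRights rights;
        try
        {
            rights = (FileSystemRights)Enum.Parse(typeof(FileSystemRights), rightsText, true);
        }
        catch (ArgumentException ex)
        {
            // Fail the build instead of silently applying the wrong rights.
            throw new BuildException("Unknown FileSystemRights value: " + rightsText, Location, ex);
        }

        // Inheritable rule: applies to this folder, its subfolders and files.
        FileSystemAccessRule rule = new FileSystemAccessRule(
            UserName, rights,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None, AccessControlType.Allow);

        // Modify the current ACL; a new DirectorySecurity would replace it.
        DirectorySecurity security = Directory.GetAccessControl(DirPath);
        security.AddAccessRule(rule);
        Directory.SetAccessControl(DirPath, security);

        Log(Level.Info, "Granted {0} on '{1}' to {2}", rights, DirPath, UserName);
    }
}
```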
Reputation: 9861
You need to run the CACLS program in Windows to grant permissions to files and folders. From NAnt, you can do this with the EXEC task.
Try a tag block like:

    <exec program="cacls">
        <arg value="*" />
        <arg value="/G IIS_WPG:F" />
    </exec>

Upvotes: 4