locked
BUG – Permissions removed from an application root folder

  • Question

  • User1908682588 posted

    Hello, 

    After publishing a DotNetNuke application, all permissions inherited from the parent folder are removed by WebMatrix from the application root folder. Even the permissions for Administrators and SYSTEM! Which means that even a Windows Administrator cannot navigate through the physical directory structure of the website!

    I think that all inherited permissions from the parent folder should not be modified by WebMatrix.

    It should be fixed ASAP.

    Best Regards,

    Maciej

    Sunday, May 8, 2011 7:57 AM

All replies

  • User-1918935842 posted

    I can confirm this issue. In my opinion WebMatrix should not change any permissions in any case. The WebMatrix publishing feature is intended to be used with hosting companies, which are for sure setting proper permissions during their clients' website and directory structure creation, so there is no need to modify them because it will cause more problems than advantages. I'm wondering why these permissions are even changed? What hosting company is allowing that?

    Sunday, May 8, 2011 1:06 PM
  • User-1918935842 posted
    Maybe this problem could be solved by adding additional attribute to publishing profile? Something like changePermissions = false?
    Monday, May 9, 2011 7:18 AM
  • User1908682588 posted

    DotNetNuke installation package comes with the following Manifest.xml file:

    <MSDeploy.iisApp>
      <iisapp path="DotNetNuke" />
      <setAcl path="DotNetNuke" setAclAccess="Modify" />
    </MSDeploy.iisApp>

    So it seems that it is clearly a WebMatrix bug (requested Acl is “Modify” not “Read&Write”).

    Edit: see also this thread: http://forums.iis.net/t/1178034.aspx

    Best Regards,

    Maciej

    Monday, May 9, 2011 7:25 AM
  • User178678205 posted

    Hi Maciej and GrZeCh,

    I will certainly look into these issues with permissions being removed (or the other thread about the wrong permissions being set) and post-back with an explanation or plan of action - but generally speaking it is considered a feature of Web Deploy publishing that the applications can determine ACLs that they will require for the application pool identity and that they get set on the destination site to ensure the application will work - this is a plus from FTP publishing, where these ACLs otherwise need to be adjusted manually by the user. The ACLs are defined by the application owners as requirements for their application working.

    The server administrator can choose not to allow these ACLs to be changed (particularly on the root) by giving the publishing user limited ACLs (such as Modify rather than Full Control) - but I believe most of those in the hosting gallery do give Full Control to make sure publishing of applications with root-level setAcls still works without error. Server owners can also choose to deny any setAcl operation by Web Deploy, or for specific users, by using Delegation rules (this is akin to the suggested changePermissions=false setting, and is fully controlled by the server admin) - but as most OSS applications in the gallery use setAcls, this limits what applications can be published without error.

    Thanks,

    Kristina

    Monday, May 9, 2011 2:53 PM
  • User-1918935842 posted

    Hello,

    Can you give us a sample setAcl example which will allow installing DNN but not allow removing existing permissions? I was trying "Read, Modify" but WebMatrix only allows publishing when "*" or "Read, Write" is set. Maybe instead of a changePermissions property there could be something like "allowPublishingWithoutSettingPermissions" (I know it's too long :) but you know what I mean)?

    Do you know how many hosting companies allow WebMatrix to change permissions? I still think that if this feature is intended to be used with professional hosting providers then all proper permissions should be already set when customers are creating their websites in hosting control panels.

    Monday, May 9, 2011 3:48 PM
  • User1908682588 posted

    Hello,

    Moreover, in some cases the professional hosting company has to set some special permissions, which should never be removed. For instance, because of a well-known bug in ASP.NET 2.0 running under Medium Trust whereby a security exception is raised in mscorlib 2.0.0.0 when calling the CreateDirectory method if the application pool identity has no rights defined in one of the parent directories. Note that CreateDirectory is used by the DotNetNuke installer in order to check the permissions setting. As a workaround for this bug in ASP.NET 2.0 (fixed in ASP.NET 4.0), read permission for the app pool identity has to be set in the parent folder of the application root folder.

    So let me repeat: the permissions already set in the application root folder (inherited or not from its parent folder) should NEVER be removed. Moreover: the inheritance of these permissions should not be broken.

    Best Regards,

    Maciej

    Monday, May 9, 2011 5:33 PM
  • User178678205 posted

    Hi Maciej and GrZeCh,

    I have been trying to reproduce this scenario, where the permissions are removed, but am not seeing the behavior you describe where SYSTEM or Administrator accounts are removed. Could either of you please provide some additional information about the steps or settings you are using?

    I agree that the removal of the existing ACLs is a serious issue, but it is not being experienced by everyone; I'd like to determine why the two of you are seeing this behavior as there may be a simple explanation or setting that we're missing.

    GrZeCh - for the setAcl example are you referring to a delegation rule format or the user ACLs on the directory? For the directory ACLs, you can do "modify" only on the parent directory of the highest-level setAcl. For example, if there are root setAcls for the application, the user would need either full control on the root of the site, or modify permission on the parent directory to the site root.  A delegation rule will allow or deny the use of the provider, but not selectively deny one provider while allowing the rest of a WebMatrix publish (which includes other providers) to work. This was considered something the client could just choose to omit if they wanted. We can consider this as a potential feature for the next version (to add the ability within WebMatrix to exclude setAcls when publishing) - but I fear this will not be seen as a common use case for the WebMatrix user given that our Hosting Gallery recommended hosting providers do allow these setAcl operations. 

    For other clients, such as the web deploy cmd line, it is possible to easily just remove the setAcl entries from the manifest on the client or to skip them to get around this type of problem.  Would you be interested in learning how to do command line publishing as an alternative?

    Also - for the other thread - I'll try to post an update there tomorrow. It is a bug, and I can give you a workaround that will at least avoid manual ACL updates for future publishes.

    Thanks,

    Kristina 

    Monday, May 9, 2011 10:00 PM
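
The reply above mentions removing setAcl entries from the manifest when publishing with a command-line client. A sketch of that step, added here as an example and not taken from the thread or from Web Deploy; the function name `Remove-RootSetAcl`, the sample manifest and its `App_Data` entry are assumptions:

```powershell
# Added example, not from the thread. Requires PowerShell 3.0 or later.
# Constructed sample modeled on the DotNetNuke manifest quoted earlier;
# the App_Data entry is an assumed, non-root setAcl for contrast.
$sampleManifest = @'
<MSDeploy.iisApp>
  <iisApp path="DotNetNuke" />
  <setAcl path="DotNetNuke" setAclAccess="Modify" />
  <setAcl path="DotNetNuke/App_Data" setAclAccess="Modify" />
</MSDeploy.iisApp>
'@

function Remove-RootSetAcl {
    param([Parameter(Mandatory = $true)][string]$ManifestXml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($ManifestXml)
    $root = $doc.DocumentElement

    # Snapshot the child elements first so removal does not disturb iteration.
    $children = @($root.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })

    # Names are compared case-insensitively because the manifest quoted in
    # the thread shows "iisapp" in lower case.
    $app = $children | Where-Object { $_.LocalName -ieq 'iisApp' } |
        Select-Object -First 1
    if (-not $app) { throw 'Manifest has no iisApp entry.' }
    $appPath = $app.GetAttribute('path').TrimEnd('/', '\')

    $removed = @()
    foreach ($node in $children) {
        if ($node.LocalName -ine 'setAcl') { continue }
        $target = $node.GetAttribute('path').TrimEnd('/', '\')
        # Only a setAcl aimed at the application root itself is dropped;
        # entries for subfolders stay in the manifest.
        if ($target -ieq $appPath) {
            $removed += $node.OuterXml
            [void]$root.RemoveChild($node)
        }
    }
    [pscustomobject]@{ Removed = $removed; Manifest = $doc.OuterXml }
}

$result = Remove-RootSetAcl -ManifestXml $sampleManifest
'Removed entries:'; $result.Removed
'Manifest to publish:'; $result.Manifest
```

With the root-level entry gone the publish no longer touches the root ACL, so the rights the application pool identity needs there have to be granted by the administrator, as the reply notes for FTP publishing.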
  • User1908682588 posted

    First of all: an issue observed by one or two persons is always an issue.

    Here are my settings:

    Windows Web Server 2008 R2 + WebSitePanel control panel.

    ASP.NET running in Medium Trust.

    Fully qualified path to the root of the application: ‘D:\HostingSpaces\toto\titi.com\wwwroot\’

    Permissions set by server Admin (before publish):

       Full control for Administrators and SYSTEM on ‘D:\’
       Read permission for NETWORK SERVICE on ‘D:\HostingSpaces’ (workaround for ‘CreateDirectory’ ASP.NET 2.0 bug)

    Permissions set by customer using WebsitePanel (before publish):

       Modify permission for FTP user account on ‘D:\HostingSpaces\toto\’
       Modify permission for NETWORK SERVICE on ‘D:\HostingSpaces\toto\titi.com\wwwroot\’
       Modify permission for anonymous IIS account belonging to IIS_IUSRS on ‘D:\HostingSpaces\toto\titi.com\wwwroot\’

    Application Pool identity is NETWORK SERVICE, ASP.NET is set to 2.0 Integrated Pipeline

    These settings result in the following effective permissions on the ‘D:\HostingSpaces\toto\titi.com\wwwroot\’ folder:

       Full control : SYSTEM (inherited), Administrators (inherited)
       Modify : SYSTEM (inherited), Administrators (inherited), NS, account belonging to IIS_IUSRS, FTP account (inherited)
       Read & execute : SYSTEM (inherited), Administrators (inherited), NS, account belonging to IIS_IUSRS, FTP account (inherited)
       List folder contents : SYSTEM (inherited), Administrators (inherited), account belonging to IIS_IUSRS, FTP account (inherited)
       Read : SYSTEM (inherited), Administrators (inherited), NS (inherited), account belonging to IIS_IUSRS, FTP account (inherited)
       Write : SYSTEM (inherited), Administrators (inherited), NS, account belonging to IIS_IUSRS, FTP account (inherited)

    Web Matrix settings:

    DotNetNuke installed and configured with SQL Server database (not SQL Express). Running on localhost without any issue.

    Publish from Web Matrix: all files and database, publish successful.

    Effective permissions on ‘D:\HostingSpaces\toto\titi.com\wwwroot\’ after publish:

       Full control :
       Modify : account belonging to IIS_IUSRS
       Read & execute : account belonging to IIS_IUSRS
       List folder contents : account belonging to IIS_IUSRS
       Read : NS (not inherited! - overwritten), account belonging to IIS_IUSRS
       Write : NS, account belonging to IIS_IUSRS

    NOTE: I don’t observe the described issue when publishing a Web Matrix website created from a Web Matrix template.

    Best Regards,

    Maciej

    Tuesday, May 10, 2011 2:27 AM
  • User178678205 posted

    Hello Maciej,

    Thank you for the additional details.

    Please let me apologize for my previous wording - I was not trying to imply that this is not a major issue; we are very concerned by it and we really appreciate your taking the time to let us know about it! The fact that you are experiencing it where we are not is worrisome as it means we may be missing an important setting or detail and under-testing it.

    We're looking at it to see if we can reproduce these conditions, based on the information you've provided, but we may ask for other specific details if still unable to get the same behavior.

    Thank you for your help on this.

    -Kristina

    Tuesday, May 10, 2011 6:35 PM
  • User1908682588 posted

    Please note, that with removed permissions for Admin and SYSTEM it is not possible to backup the website.

    A hotfix is really needed !

    Best Regards,

    Maciej

    Wednesday, May 11, 2011 9:43 AM
  • User1908682588 posted

    Any news on this issue, please ?

    Were you able to reproduce it ?

    Best Regards,

    Maciej

    Friday, May 13, 2011 7:00 AM
  • User1387288263 posted

    We're having the same issue as well. After removing the "User" group NTFS permission, now any time someone uses WebMatrix or WebDeploy with Visual Studio all inherited permissions are removed except for the app pool user and the WebDeploy user.

    This issue is causing a lot of additional work.

    Wednesday, June 1, 2011 11:02 AM
  • User1387288263 posted

    Anyone? No one has this issue where the inherited “System” and “Administrators” permissions are being removed after web deploy either by WebMatrix or Visual Studio?

    Monday, June 13, 2011 8:42 AM
  • User-1918935842 posted

    I've also experienced the Visual Studio WebDeploy problem where the mentioned permissions were removed from the user directory.

    Monday, June 13, 2011 8:45 AM
  • User1908682588 posted

    Same thing here. I was directly contacted by Escalation Services team for WebDeploy and WebMatrix but no news so far. It seems they are not able to reproduce the issue ...

    BR,

    Maciej

    Monday, June 13, 2011 10:25 AM
  • User1387288263 posted

    Do you guys have the local "Users" group in your parent hosting space i.e. d:\hostingSpaces ? If the IIS team would remove the "Users" group from their parent directory they should be able to reproduce the issue right away.

    Monday, June 13, 2011 11:53 AM
  • User1908682588 posted

    As EVERYBODY KNOWS it is a good practice not to give any permissions to the Users group on the root folder!

    Best Regards,
    Maciej

    Monday, June 13, 2011 1:07 PM
  • User-1918935842 posted

    Hello Maciej,

    have you maybe solved this problem with removing permissions from website root folder?

    Thursday, July 28, 2011 4:58 PM
  • User1908682588 posted

    Hello GrZeCh,

    If only I could access the source code of WebMatrix …

    On May 25th I was contacted by Jeremy Phelps from the Escalation Services team for WebDeploy and WebMatrix who told me that this issue is still under investigation. No news so far. Yesterday, I sent several emails to jeremy.phelps@microsoft.com, no response so far. I will continue to send emails every day …

    Best Regards,

    Maciej

    Friday, July 29, 2011 2:06 AM
  • User1908682588 posted

    Below is a copy of Jeremy’s email. Because he didn’t contact me, I ASSUME THEY WERE ABLE TO REPRODUCE THE ISSUE.

    Best Regards,

    Maciej

    Sent From: Jeremy Phelps
    Subject: BUG - Permissions removed from an application root folder
    __________________________________

    Hi Maciej,

    I'm Jeremy with the Escalation Services team for WebDeploy and WebMatrix and I wanted to follow up with you and let you know that we are still investigating it. We have not yet reproduced this. If we are unable to get a repro soon, would you be available to run some tools to collect more data from your system?

    thx,

    j

    Sunday, July 31, 2011 2:19 AM
  • User1908682588 posted

    I am still sending one or two emails per day. No response so far …

    Best Regards,

    Maciej

    Wednesday, August 3, 2011 6:14 AM
  • User1908682588 posted

    Hello GrZeCh,

    Microsoft has published the solution on ‘Microsoft Connect’:

    http://connect.microsoft.com/webmatrix/feedback/details/667307/inherited-permissions-removed-from-application-root-folder

    Unfortunately, I can’t test it before the end of the next week.

    GrZeCh, could you test this solution and post the result here, please?

    Best Regards,

    Maciej

    Friday, August 5, 2011 2:01 AM
  • User-1918935842 posted

    Hello,

    have you tested the fix from the connect.microsoft.com website? I've applied it and so far it works.

    Sunday, September 4, 2011 6:51 AM
  • User1908682588 posted

    Not yet. Will try next week.

    Sunday, September 4, 2011 7:31 AM
  • User-1918935842 posted

    Hello maciejr,

    have you maybe checked the mentioned solution? For me it looks like it is not working correctly. Today one of my clients published an Umbraco project and all of the files located in the wwwroot folder of the application had their permissions removed. I had to take ownership of the whole directory to make it browsable again.

    Monday, November 7, 2011 4:25 PM
  • User1908682588 posted
    I can confirm that Microsoft's 'solution' is not working correctly. I think you should reopen a bug ticket on Microsoft Connect. I'm tired of the incompetence of Microsoft.
    Tuesday, November 8, 2011 3:17 AM
  • User-1385842204 posted

    Wow, I think that I have finally found the source of great frustration!  I have been troubleshooting my IIS folder permissions for months.  Everything would be working fine, and then I would check something, and boom, no more website.  I even told one of the MS Website spark hosting providers to shove it, cause they kept blaming it on me.

    Here's my situation:  I have an existing Wordpress Site that I host locally.  I had the great idea of making it faster by moving the site to a Website Spark hosting provider and then using webmatrix to make code edits and develop plugins and themes.  Every time I would turn around, the site would go down, and I could never track down the reason.  Apparently it was because I uploaded my locally tested code, and it changed all of my site permissions.  I knew it was a permissions issue, and tried to work with the hosting provider to resolve, but they insisted it wasn't their problem.  I thought that the hosting provider was to blame, bad hardware or something, but after reading this thread I am sure that it's webmatrix.  Moreover, I have recently had the SAME exact issue after I tried to view my site code locally in webmatrix.  It sounds like I'll be having the same trouble in VS which sadly brings me back to notepad or dreamweaver to do all of my site code.

    Wednesday, November 9, 2011 3:54 PM
  • User1908682588 posted

    All,

    I have received a private message from harshmittal (see below). Because I am really tired of the incompetence of Microsoft I think that I will abandon the Microsoft hosting solution and offer to my customers only a LAMP solution. Anyone interested in continuing this thread is welcome.

    BR,

    Maciej

    My name is Harsh Mittal and I am Senior Program Manager with Web deploy team. First of all, I apologize that solution provided by Microsoft did not resolve the issue.
    Before posting the solution to connect, team verifies that solution actually works for the repro we have in house. But many a times our in house repro may not be the best representation of your environment.
    In order to proceed further and resolve the issues you are still facing, we will need detailed explanation of the current issue.
    Can you please provide us detailed repro steps and problem you are facing with current workaround, so that WebDeploy team can work towards solving this issue?
    Thanks,
    Harsh

    Thursday, November 10, 2011 1:31 AM
  • User-2044424010 posted

    If anyone else is still experiencing the issue after applying the workaround, please share the description of the problem, either by re-opening the issue through connect or by directly messaging me. As I communicated to Maciej and few others privately that Webdeploy team is fully committed to resolve the issue.

     Regards,

    Harsh

    Monday, November 14, 2011 12:33 PM
  • User-1918935842 posted
    I've sent my observations to you as a response to your private message.
    Monday, November 14, 2011 4:45 PM
  • User-1918935842 posted

    Hello,

    I've sent you three private messages as a response to your message and still no response. If you need more detailed information beside what I've sent to you just say it and I will do my best to provide it, but now I'm just wondering if you are really committed to solving this issue.

    Regards

    Thursday, November 17, 2011 5:56 AM
  • User-2044424010 posted

    Hi GrZech,

    Sorry for delayed response, I was off from the work due to being sick. I am looking into the issue right away.

    Regards,

    Harsh

    Thursday, November 17, 2011 2:15 PM
  • User-1918935842 posted
    Ah. Ok. No problem. If you need anything specific then PM me.
    Thursday, November 17, 2011 2:38 PM
  • User-2044424010 posted

    We worked on this issue with GrZeCh offline and found that Webdeploy V3 beta has fix for this issue. Thanks GrZeCh for your help.

    Others who are facing this issue, please download V3 beta from http://www.microsoft.com/download/en/details.aspx?id=27430 and please report if it fixes the issue.

    Regards,

    Harsh 

    Monday, December 5, 2011 5:24 PM
  • User-1918935842 posted

    Hello,

    I've published 5 various apps using WebMatrix and I didn't face the permission removal problem. I'm waiting for a response from my customers. It would be good if other people who experienced this issue could tell if installing WebDeploy v3b fixed their problem too.

    Regards

    Monday, December 5, 2011 5:29 PM
  • User1908682588 posted

    Thank you GrZeCh for your support to Microsoft.

    Now, it is perhaps a right time to fix also the bug described below?

    http://forums.asp.net/p/1623437/4177355.aspx#4177355

    Regards,

    Maciej

    Monday, December 5, 2011 5:40 PM
  • User-619846739 posted

    I ran into this same issue today so I wanted to include a summary and some more details since this is a long thread.

    It’s a WebDeploy issue with Visual Studio, but not with WebMatrix because of the way they each update the permissions on deployment.  The issue is caused by the inherited permissions being dropped.  If you inherit permissions like SYSTEM, Administrator and other management accounts then they will be dropped with a Visual Studio WebDeploy publish.

    There are three possible solutions or workarounds (the 3rd is what I used):

    1) Update the server to use WebDeploy 3.0. 

    I haven’t tested but harshmittal mentioned above that V3 beta has a fix for this.

    2) Fix the ACLs on the site:

    The kicker is that for WebDeploy v2.0 and earlier the folder above the site root needs to have proper permission for the WebDeploy setAcl assigned user.  As an example, consider the case of WebsitePanel with the following structure: c:\HostingSpace\accountname\domain.com\wwwroot\.

    It’s ‘domain.com’ that needs to have proper permissions assigned.

    You would need to run the following:
    icacls c:\HostingSpaces\accountname\domain.com\ /grant management_account:(OI)(CI)(Rc,S)

    3) Update the Service Delegation rules

    My situation today is for WebsitePanel which sets the permissions on ‘domain.com’ automatically.  So I can’t use option #2 without applying code changes to WebsitePanel.  Instead, there is another option.

    If you used an identityType of CurrentUser for the setAcl provider then you can switch that to a SpecificUser which has permissions to the disk.  In this case of WebsitePanel it does need to be an administrator on the server, but the user can be used for just this specific task to minimize the footprint.

    Here’s the provider rule before:

    <rule enabled="true" providers="setAcl" actions="*" path="{userScope}" pathType="PathPrefix">
        <permissions>
            <user name="*" isRole="false" accessType="Allow" />
        </permissions>
        <runAs identityType="CurrentUser"  />
    </rule>

    And here’s the rule afterward

    <rule enabled="true" providers="setAcl" actions="*" path="{userScope}" pathType="PathPrefix">
        <permissions>
            <user name="*" isRole="false" accessType="Allow" />
        </permissions>
        <runAs identityType="SpecificUser" userName="iisAclUser" password="[enc:….=:enc]" />
    </rule>

    You can set the password using Management Service Delegation at the server level in IIS Manager.

    Monday, March 5, 2012 6:34 PM
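
The symptom reported in this thread (a site root that stops inheriting and loses its SYSTEM and Administrators entries after a publish, as in the before/after permission lists posted earlier) can be checked for across a hosting server. The following audit is an added example, not code from any poster or from Microsoft; the function names and the `<root>\<account>\<domain>\wwwroot` layout, modeled on the WebsitePanel paths quoted above, are assumptions:

```powershell
# Added example, not from the thread. Requires PowerShell 3.0 or later and an
# elevated session. Well-known SIDs are used instead of account names so the
# check also works on localized Windows installations.
$ManagementSids = [ordered]@{
    'S-1-5-18'     = 'SYSTEM'
    'S-1-5-32-544' = 'Administrators'
}

function Test-SiteRootAcl {
    param([Parameter(Mandatory = $true)][string]$Path)

    $result = [ordered]@{
        Path                = $Path
        Readable            = $true
        InheritanceDisabled = $null
        MissingFullControl  = @($ManagementSids.Values)
    }
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Once every management ACE is gone, even reading the ACL can fail.
        $result.Readable = $false
        return [pscustomobject]$result
    }

    # True when the folder no longer inherits ACEs from its parent.
    $result.InheritanceDisabled = $acl.AreAccessRulesProtected

    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $full        = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    # SIDs holding an Allow/FullControl ACE (explicit or inherited) that
    # applies to this folder itself, not only to its children.
    $holders = @($acl.GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.PropagationFlags) -band $inheritOnly) -eq 0 -and
            (([int]$_.FileSystemRights) -band $full) -eq $full
        } |
        ForEach-Object { $_.IdentityReference.Value })

    $result.MissingFullControl = @($ManagementSids.Keys |
        Where-Object { $holders -notcontains $_ } |
        ForEach-Object { $ManagementSids[$_] })
    return [pscustomobject]$result
}

function Get-DamagedSiteRoot {
    param([Parameter(Mandatory = $true)][string]$HostingRoot)

    # Get-Item (not Get-ChildItem) returns the wwwroot folders themselves.
    Get-Item -Path (Join-Path $HostingRoot '*\*\wwwroot') -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { Test-SiteRootAcl -Path $_.FullName } |
        Where-Object {
            -not $_.Readable -or $_.InheritanceDisabled -or
            $_.MissingFullControl.Count -gt 0
        }
}

# Constructed usage: D:\HostingSpaces is the hosting root named in the thread.
Get-DamagedSiteRoot -HostingRoot 'D:\HostingSpaces' |
    Format-Table Path, Readable, InheritanceDisabled, MissingFullControl -AutoSize
```

For a folder the audit reports, `icacls <path> /inheritance:e` turns inheritance back on; a folder reported as unreadable first needs its ownership taken, as one poster above describes.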
  • User-1918935842 posted

    WebDeploy 3 RC has just been released:

    http://blogs.iis.net/msdeploy/archive/2012/04/19/announcing-web-deploy-3-0-release-candidate.aspx

    Maybe our problems will be solved

    Friday, April 20, 2012 5:51 AM
  • User-1918935842 posted

    According to readme from WebDeploy v3RC:

    http://learn.iis.net/page.aspx/1276/microsoft-web-deploy-v3-readme/

    this issue has been fixed:

    "Change: In some cases Web Deploy publishing removed inherited permissions on root folder of site. Web Deploy V3 fixes this issue. "

    Can someone confirm?

    Monday, April 23, 2012 9:08 AM