Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Isis 21 posts 42 karma points
    Aug 24, 2011 @ 15:57
    Isis
    0

    Umbraco resets permissions for user on content saved

    Hello there, I don’t usually have much success with your support, but here goes:

    • ·         A client called to say they couldn’t access their site, it was suddenly asking for Windows authentication username and password.
    • ·         She clicked cancel to entering the credentials and the page err’d stating that `access to the App_Data\umbraco.config` is denied.
    • ·         I checked permissions on the server and noticed a `CreatorUser` type of account, it had NO permissions to do anything.
    • ·         I allowed the user read, execute and write permissions and loaded the site without any problems.
    • ·         I logged into Umbraco and changed some content (added a period to the end of a paragraph) and hit Save and Publish.
    • ·         The page then popped up the Windows authentication dialog to which I clicked cancel.
    • ·         The page then (the content area of it, at least) turned into the yellow error screen with the same access issue mentioned above.
    • ·         I tried to load the public side of the site, now it asks for credentials in the Windows authentication dialog, cancelling brings the error.
    • ·         I can fix it by setting permissions again for that user from within IIS
    • ·         No matter what content is saved within the CMS, it resets the permissions and breaks the site.

    We use Umbraco 4.5.2, on Windows 2000 server with MSSQL 2005.

    So to break it down a little more concisely, I think:

    • ·         Site suddenly asks to login via Windows authentication
    • ·         Manually specifying appropriate user permissions fixes it
    • ·         Changing anything and saving within Umbraco resets the permissions
    PS From someone having a terrible time with Umbraco and lack of support, this is an awful forum format that is tedious to use and the editor is decidedly, disastrously useless.

  • Rich Green 2246 posts 4008 karma points
    Aug 24, 2011 @ 16:07
    Rich Green
    2

    Hi Grant,

    Sorry to hear you're having problems.

    Are you saying Umbraco is altering your Windows permissions? If so I'd find that very very strange and the only thing I can think of would be some 3rd party code which runs on the save event, even then it would be the first time I've ever heard of it. In essence an Umbraco site is just a standard ASP.NET website and doesn't do anything that would alter Windows permissions AFAIK.

    Could there be anything else on your server causing permission problems, do you have any non Umbraco sites running, are they having any problems? Did anyone install anything on the server, are you using a Control Panel (Plesk?)

    Rich

     

  • Isis 21 posts 42 karma points
    Aug 25, 2011 @ 10:39
    Isis
    0

    Rich, thank you for the response...

    • Based on my previous post, it seems it could only have been Umbraco changing the settings (I manually change them, 'save' in Umbraco then it breaks.)
    • There is no third party code running, the site is a primitive one and goes to no such extent as to hooking into save and publish events.
    • There aren't any other third party elements, such as Contour - it's a basic site.
    • We have loads of non-Umbraco sites running with great uptime, and absolutely no related issues.
    • We have some other Umbraco sites running without any related issues (plenty of other issues, but not related.)
    • The server is not the problem, we are not using a Control Panel.

    In the meantime, a colleague of mine took the same steps I did, but on the Users group permissions (as opposed to the CreatorUser mentioned above) and this seems to have resolved the issue (we can access the site, and save + publish without issue) - but I am concerned that this doesn't help us determine what originally changed the permissions to disable access, and hence why it happened. And it still doesn't offer any answer as to how the other user settings were changing on save.

    The has been published for a while now and no development been done since deployment - only the client using their Umbraco CMS.

  • Tim 1193 posts 2675 karma points MVP 4x c-trib
    Aug 25, 2011 @ 13:17
    Tim
    3

    Hiya,

    The user account that actually edits the access config file is the one that ASP.Net runs under (usually either NETWORK SERVICE, or the App Pool Identity account if you're on IIS7). If that account doesn't have access to the file, it'll give the error. That user account needs to have read/write/modify access on the App_Data folder for Umbraco to work properly, as that's where it saves all the XML caches. I'm not sure why you were cerating another user, as that wouldn't have any effect on Umbraco, unless the website app pool was running as that user!

    As for the permissions changing, that's not something Umbraco has the ability to do, to change the windows user permissions, Umbraco would have to be running under Administrator Privelidges, which it normally wouldn't be (and there's no code in the Umbraco code base that I've ever seen to do this). My best bet for the cause of the permissions change would be someone changing something on the server. If its a shared box, the hosting company could have applied server wide permissions changes as part of an update/security fix, which may have altered stuff.

    Basically someone has changed the permissions on the server so that the App Pool identity account no longer has access to write to App_Data. I would check with the host/adminstrator of the server to see if anyone has done anything that would have changed the permissions on the site. To be on the safe side, you may also want to check if media items can be saved through the media library, as if they changed the permissions, they may have killed the ability to write/modify to that folder to.

    Hope that helps and that you get to the bottom of who changed the permissions!

  • Isis 21 posts 42 karma points
    Aug 25, 2011 @ 13:38
    Isis
    0

    Tim, you're side-stepping the problem here:

    "I'm not sure why you were cerating another user, as that wouldn't have any effect on Umbraco, unless the website app pool was running as that user!"

    No, we didn't create any user - the users are already there by default in Permissions (probably due to inheriting roles), but this is as standard on creating a site, no extra configuration or extra users added. Furthermore, the application pool is running under NetworkService.

     

    "As for the permissions changing, that's not something Umbraco has the ability to do"

    One moment everything is OK, we click 'save' in Umbraco and we ge the error, and upon checking, the user permissions are changed. No one changed the user permissions manually and no server-wide update was applied, the site hasn't even been touched by anyone other than the client using the CMS until they reported this problem. But at this point it is reproducible! Two points include the fact that the user permissions were altered without any human intervention with the server (FACT), and the fact that you say "Umbraco can't do that", - well, frankly, I could shoot you a video to prove that it can, and does (FACT). Also, our server is our own, dedicated box.

    "Basically someone has changed the permissions on the server so that the App Pool identity account no longer has access to write to App_Data"

    This is an entirely presumptuous assertion with absolutely no basis in fact - NetworkService DOES NOT change at all, so that blows your theory out of the water for starters; something DID change the User permissions which made this break (and, as above, it wasn't us!); and I can actually reproduce this by applying the permissions to CreatorUser, hitting Save in Umbraco, then watching it break, then checking the server to see that, indeed, the permissions I just added have been removed!

    As I said, please don't provide invalid assertions that are nothing more than foolish presumptions - nothing has changed on our end - if yo ucare to look into the issue seriously from the Umbraco end, or help us do so, then please do, but please refrain from this nonsense.

  • Tim 1193 posts 2675 karma points MVP 4x c-trib
    Aug 25, 2011 @ 13:55
    Tim
    3

    Hi Grant,

    Appologies, I misread your O.P. and thought you'd CREATED, a creator owner user account. Although my original point, that it's the network service account that needs the permissions is still valid. I wasn't sidestepping the issue, I was just offering you some possible reasons why the permissions might have changed on the server. If you'd mentioned it was a dedicated server, I wouldn't have suggested that it ay have been the hosting company.

    Not quite sure why you're being rude to someone who's trying to help, but hey ho. Lets have a look at the issue:

    Based on the information that you provided, network service (for whatever reason) DOES NOT (or did not if you've fixed it now) have access to write/modify the App_Data folder. I know this because when you save and publish a document in Umbraco, the system writes to the umbraco.config XML file that is stored in the App_Data folder. If it can't do that, and you get a permissions error, then someone (or something) has changed the user permissions for network service. Most cases where this occurs is down to human intervention. Windows permissions don't magically change themselves! Another option could be a MS security patch or the server lockdown tool, both of which are capable of changing user permissions on the server (including the network service account).

    If you reset the permissions for the app_data folder so that the network service user can write/and modify to it, does save and publish work? Once you've done that, can you save and publish other pages? If the answer is yes, then try and set the permissions for the page as your client did, and see if that works. If it does, then it's obviously not Umbraco resetting the user permissions. If it does throw the same error, write down the steps to reproduce, with as much detail as possible, and log it as a bug on umbraco.codeplex.com so that the core team are aware of the issue and can look into it.

    Hope that helps!

  • Isis 21 posts 42 karma points
    Aug 25, 2011 @ 14:06
    Isis
    0

    Tim, firstly, apologies for coming across as rude - I am simply trying to be as direct as possible and, frustrations aside, it isn't my intention.

    "I know this because when you save and publish a document in Umbraco, the system writes to the umbraco.config XML file that is stored in the App_Data folder. If it can't do that, and you get a permissions error, then someone (or something) has changed the user permissions for network service."

    Again, upon getting the error and looking at NetworkService, the permissions for that are not changed. Enabling permissions for the other user (for which they have been removed) resolves the issue (temporarily.) I'm 100% certain that MS security patches are not being installed each time we hit the 'save' button, likewise with the security lockdown tool being invoked.

    "If you reset the permissions for the app_data folder so that the network service user can write/and modify to it, does save and publish work?"

    Again, the NetworkService permissions do not change. Once I add the permissions for the other user, I can access Umbraco again within requiring the login with Windows Authentication; if I hit 'save' again (or 'save and publish') then the permissions are removed from that user - but not NetworkService.

    "If the answer is yes, then try and set the permissions for the page as your client did"

    The client didn't try to change any page permissions, nor did we.

  • jaygreasley 416 posts 403 karma points
    Aug 25, 2011 @ 14:16
    jaygreasley
    0

    Grant, 

    I do have to point out that this forum is not an official support channel and you did come across as being rude.

    Anyone posting here does so voluntarily.

    As for the issue itself, to try and get a better picture:

    Do you have other Umbraco sites running on the same Win2k server? Is it IIS5?

    I ask because I have not run Umbraco on anything older than Win2k3 and am unsure of the compatibility on Win2k.

    Jay

  • Isis 21 posts 42 karma points
    Aug 25, 2011 @ 14:38
    Isis
    0

    Jay, I'm not sure if you want me to apologise to you now too? Well, either way, apologies for you suffering my impoliteness by-proxy.

    Just to note, I'm anyone, and I'm only posting here by necessity.

    We run IIS6, and, to answer your other questions, may I politely refer you to my second post:

             "We have loads of non-Umbraco sites running with great uptime, and absolutely no related issues.

    • We have some other Umbraco sites running without any related issues (plenty of other issues, but not related.)"
    It is worth pointing out that I typoed on the server: it is 2003.
  • jaygreasley 416 posts 403 karma points
    Aug 25, 2011 @ 14:54
    jaygreasley
    0

    Grant,

    No need to apologise to me.

    Useful to know it is Win 2003.

    And do you have other sites on the same server? This may help rule out any server wide config issues.

    Does the site run under it's own app pool?

    Jay

  • jaygreasley 416 posts 403 karma points
    Aug 25, 2011 @ 14:58
    jaygreasley
    0

    The fact you get the Windows Authentication dialog - have you checked the IIS authentication settings?

  • Isis 21 posts 42 karma points
    Aug 25, 2011 @ 15:04
    Isis
    0

    Jay, yes, IIS auth settings don't change between issues, and they match up well with other sites (including Umbraco ones.)

    At risk of being rude, though that is entirely perceptual, and with respect, you obviously aren't reading my replies:

                    "We have loads of non-Umbraco sites running with great uptime, and absolutely no related issues."

                "We have some other Umbraco sites running without any related issues (plenty of other issues, but not related.)"

    The site does run within its own application pool.

  • jaygreasley 416 posts 403 karma points
    Aug 25, 2011 @ 15:08
    jaygreasley
    0

    I had read your reply but it didn't confirm if this site was on the *same* server as other Umbraco sites.

     

  • Isis 21 posts 42 karma points
    Aug 25, 2011 @ 15:08
    Isis
    0

    Jay,

    At risk of being rude, though that would be entirely perceptual, and with respect, you're asking questions that have been covered multiple times in this very thread; it is hard to hold respect for people's time when my own seemingly isn't respected, and my input neglected.

    So, again, may I politely refer you to my second post:

     

             "We have loads of non-Umbraco sites running with great uptime, and absolutely no related issues.

    • We have some other Umbraco sites running without any related issues (plenty of other issues, but not related.)"
    • The site is running under its own application pool.
    (Third attempt at this post, will it work? Umbraco only knows... Highly irritating considering there are inumerous tried and tested forum solutions out there)
    EDIT: Oh, and now I learn it folded onto another page, the buttons deceptively discreet...

     

  • Tim 1193 posts 2675 karma points MVP 4x c-trib
    Aug 25, 2011 @ 15:10
    Tim
    0

    If you right click on the "App_Data" folder click properties, and select the "security" tab, does the network services account show up in the list? If so, click it and see what permissions it has selected for the folder. Does it have "Read", "Write" and "Modify" ticked? If it doesn't, edit the account and make sure those three items are checked. Check the same permissions for the umbraco.config and access.config files inside the folder (it should inherit the permissions from the parent folder, but best to double check). If the account isn't in the list, add it and make sure it has those permissions. Let me know!

  • Isis 21 posts 42 karma points
    Aug 25, 2011 @ 15:14
    Isis
    0

    Tim, NetworkService has "Full Control" on the elements you specify to check - and this doesn't change, even between the error and the 'fix'.

  • Drew 165 posts 340 karma points
    Aug 25, 2011 @ 15:14
    Drew
    0

    In regards to file/folder permissions changing themselves:

    Maybe try checking the Event Logs on the server to see if there's anything interesting in there?
    You may be able to set up monitoring to see:
    1) If anyone else has, or is, logged onto that server
    2) If anyone (or an process) is altering file/folder permissions. If so, you can lookup the date/time against your own actions to see if theres a correlation.

    If not, there's probably a fair amount of software available online (or you might always use some) that can monitor all aspects of your server, including file permission changes, etc.

  • Isis 21 posts 42 karma points
    Aug 25, 2011 @ 15:19
    Isis
    0

    Drew,

    This is a live deployment server with up to 100 sites running, which, for the most part (some dodgy programming aside!), are entirely stable - we know that no-one has has been on the server (no-one else can) and we simply never have had such permission altering software running, we simply can't afford to have intrusive software likfe that running - also, for it to happen in between button clicks (correlating precisely to my actions explained above) is much more than coincidental, and would seem to need a process reacting to events when a button in Umbraco is clicked (which we don't have.)

    Thanks, though, and I'm keeping my eyes open on the event logs.

     

    PS: Rudness aside, it seems karma doesn't mind ;) (shouldn't I actually have to do something useful to gain that?)

  • Dan 1288 posts 3921 karma points c-trib
    Jul 18, 2012 @ 12:43
    Dan
    0

    At the expense of dragging up an ugly thread ;) ...

    I just had the exact same thing with a client site which was hosted by a third party on a shared server.  Everything was fine until saving/publishing a node, then BAM it gave a YSOD saying there was insufficient permissions on the App_Data/umbraco.config file - both front-end and back office.  Permissions were apparently fine and visually correct - having been checked, double-checked and triple-checked by numerous people, but until the app pool was restarted it would just error.  On restarting the app pool it would be back to normal but each time a node was saved/published it did the same thing again instantly: YSOD permissions errors.

    Although I frustratingly didn't have access to the server directly, the issue was eventually fixed by the server admin by removing all permissions and re-applying them from scratch.

    There's a bug in there somewhere or an issue in the way in which the permissions are applied somehow, but it is ultimately permissions related - starting with a clean slate in this case flushed it out.

    I hope this helps ease frustrations if anyone comes across the same issue in future.

  • Nicolai Winch Kristensen 50 posts 70 karma points
    Dec 11, 2012 @ 16:43
    Nicolai Winch Kristensen
    0

    Hi Dan adn Co.

    I have the exact same problem as Dan describes. when publishing a certain node (I can actually save it without publishing) on the customers own production server (it works perfect on our own development server) I get the: 

    Website\App_Data\umbraco.config' is denied.

     

    restarting the app in IIS makes it work again until I try and publish this node again

     

    and NETWORK SERVICE is for sure set with full right. 

     

    Is anyone closer to an explanation / solution of this problem since this thread was last created?

    And Dan, Im not 100% I understand what you did:  what did you do delete the "NETWORK SERVICE" on the folder and apply them once again?

     

    Best Regards :-)

    Nicolai

     

     

  • Dan 1288 posts 3921 karma points c-trib
    Dec 11, 2012 @ 17:14
    Dan
    0

    Hi Nicolai,

    I was never able to access the server directly - the client's server admin eventually did it.  So I don't know exactly what was done unfortunately.

    Sorry I can't be of more help.

  • Nicolai Winch Kristensen 50 posts 70 karma points
    Dec 12, 2012 @ 09:08
    Nicolai Winch Kristensen
    0

    HI

    Thx for replying Dan!

    I actually managed to get it working. But... I still cant expalin what happens. I changed the AppPool used, and then it worked. (it must be some rights stuff, even though and cant put a finger on where. - and strange that restart the app makes it work ??) - (changing the app pool created problems other places, but these where easyier to sovle than this one ;-)

     

    best regards

    Nicolai

     

Please Sign in or register to post replies

Write your reply to:

Draft