File and folder permissions for Umbraco 4.10.x?
What are the appropriate file/folder permissions for running Umbraco 4.10.x on IIS 7.5?
I'm currently using this setup:
READ only access:
  . (root)
  \umbraco

READ & EXECUTE, WRITE and MODIFY access:
  \app_browsers
  \app_code

READ, WRITE and MODIFY access:
  \app_data
  \app_plugins
  \bin
  \config
  \css
  \data
  \images
  \macroScript
  \masterpages
  \media
  \scripts
  \usercontrol
  \views
  \xslt
  \web.config
Hi,
This looks fine to me. You shouldn't need write to "images" (this isn't managed by Umbraco).
You can check out this wiki (or this one) for more info but your setup looks fine.
-Tom
Thanks for the reply, Tom. I already read the wikis you suggested.
I actually set up a batch script based on this blog:
http://blog.vizioz.com/2009/10/umbraco-permissions-script-secure.html
But I'm especially interested in permissions for recently added folders like:
\app_plugins
\views
These aren't mentioned in any of the wikis/blogs yet.
Does anyone know if these folders need EXECUTE permissions?
I believe there were some older packages that installed images in the \images directory, but you're right I could leave that one out.
Hmm, these are new to me as I think they must have just been added in 4.10. I would imagine you need write to Views if you're creating Views through the UI. I'm guessing App_Plugins might eventually be used for packages, so you'll probably need there as well (though I could be wrong). I don't think you need execute on any.
-Tom
High five to Arjan H. for coming up first in google on this (seemingly?) common question... I have referred to this other old reference page in the past : http://our.umbraco.org/wiki/install-and-setup/set-umbraco-folder-permissions-from-command-line ; but it looks long-forgotten and doesn't include some of the newer directories in 4.10+...
I've also looked but haven't found any information similar/parallel to this in the "official" installation instructions at http://our.umbraco.org/documentation/Installation/ , so probably this forum post and that old wiki page I mentioned will continue to get found by people wondering about this until then?
Although, I'm wondering... is it perhaps easier to just give full access (read/write/modify/execute) to the entire site root and all children, instead of keeping this specific list up to date? I've considered simplifying my life by doing this but have hesitated since I'm not sure if it is really a good idea and since my hodge-podge permission-setting process has been working for me so far. But if you think about it, the fact that App_Code gets full modify/execute permissions is reason enough to not worry about any other folder in your site, since from here you can do pretty much whatever you want? Any thoughts on this from someone more knowledgeable about any potential hazards with this? (OK, second thoughts on this before I hit submit, maybe we don't want execute permissions on several user-updatable folders e.g., Media, but all others than those maybe?)
P.S., I compared my simple BAT file of folder permissions settings to what you wrote, Arjan, and wanted to say what you wrote looks great and in fact is organized much nicer than what I have been doing. If I could give you 2 high fives I would!
I actually also just noticed that Tom posted a link to a page in this site that I'd never seen before, http://our.umbraco.org/wiki/reference/files-and-folders/permissions , which seems pretty helpful and certainly something I might have found helpful a year or so ago when I started with Umbraco... Sorry I did not consider that in my long-winded reply just a moment ago, as I posted before apparently reading the whole thread? Anyway, thank you both!
I'm currently using this customized batch script to set permissions on an Umbraco v4.10 or higher installation:
http://pastebin.com/JXvEQ3r1
Arjan, et al,
I've actually just been working on something similar but using the "send to" approach based on @matbrailsford and @cultiv's discussion on Matt's page. If you want to have a look and see if we could refine it better then please feel free to fork!
https://github.com/jonrandahl/Umbraco-Semi-Automatic-Permissions
Thanks Jon. That script basically does the same as the script I'm using. Although I did notice the /umbraco folder is given MODIFY permissions, whereas in my script I'm only allowing READ permissions. MODIFY is probably better, because some packages need to copy files into the /umbraco folder. In that same light, I don't understand why they'd set the /usercontrols folder to READ permissions only. Anyway, the "problem" is that some folders don't even need MODIFY permissions for basic Umbraco operation, they only need it when you're installing a package or doing Umbraco upgrades:
/bin
/config
/umbraco
/umbraco_client
/usercontrols
/web.config
Source: http://our.umbraco.org/wiki/reference/files-and-folders/permissions
So best security practice would be to switch from READ to MODIFY and back only when needed. But that's just too cumbersome most of the time.
Arjan,
Cheers for the heads up on the redundant call, I've now removed that from the repo.
I've also removed the elevation script due to it moving the command prompt from the "send to" location back to the %windir%\system32 location. This was not an error in as much as what seems to be needed due to on elevation check it then opens a new prompt. If I can figure out how to pass the path from the first window to the next then I'll add that back in.
For now I've included a path check and will update when, and if, able.
As for the changes in READ v. MODIFY not having to go back in and make changes manually was the main reason, but on retrospective I think I'll write another batch that would update those to only the read OR modify based on the then current status?
Will keep all posted, or feel free to add to the repo or throw me a pull request!
Jon
Jon, I customized (and simplified) your script to my needs.
The UmbracoSetPermissions.bat sets the permissions needed for basic Umbraco operations. So I only set READ permissions on these files/folders:
/bin
/config
/umbraco
/umbraco_client
/usercontrols
/web.config
But I added 2 additional scripts:
I've placed all 3 files in the SendTo directory:
C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\SendTo
I have also removed the elevation check code, because I already know I have administrator rights on the server.
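The READ/MODIFY switch discussed in the posts above, as an added example that is not any poster's script or part of the linked repository: a PowerShell wrapper around icacls that sets the six maintenance-only paths named in the thread to Read for normal operation or Modify for a package install or upgrade. The parameter names and the default identity `IIS AppPool\DefaultAppPool` are assumptions; substitute the account your application pool actually runs as.

```powershell
# Set-UmbracoMaintenanceAcl.ps1 (hypothetical file name); run from an elevated prompt.
param(
    [Parameter(Mandatory=$true)][string]$SiteRoot,
    [Parameter(Mandatory=$true)][ValidateSet('Read','Modify')][string]$Level,
    # Assumption: the site runs under the default application pool identity.
    [string]$Identity = 'IIS AppPool\DefaultAppPool'
)

$ErrorActionPreference = 'Stop'

# Paths the thread lists as needing MODIFY only for package installs and upgrades.
$maintenancePaths = 'bin', 'config', 'umbraco', 'umbraco_client', 'usercontrols', 'web.config'

# icacls simple rights: R = read, M = modify (the thread's READ / MODIFY).
$right = if ($Level -eq 'Modify') { 'M' } else { 'R' }

# Path check: refuse to touch ACLs unless this looks like a site root.
if (-not (Test-Path -LiteralPath (Join-Path $SiteRoot 'web.config') -PathType Leaf)) {
    throw "No web.config under '$SiteRoot'; refusing to change permissions."
}

foreach ($relative in $maintenancePaths) {
    $path = Join-Path $SiteRoot $relative
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Skipping missing path: $path"
        continue
    }

    if (Test-Path -LiteralPath $path -PathType Container) {
        # (OI)(CI): the entry is inherited by files and subfolders.
        $ace = "${Identity}:(OI)(CI)$right"
    } else {
        # Inheritance flags do not apply to a single file such as web.config.
        $ace = "${Identity}:$right"
    }

    # /grant:r replaces the identity's existing explicit entry instead of adding to it,
    # so switching back to Read really removes the earlier Modify grant on this object.
    & icacls.exe $path /grant:r $ace | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on '$path' (exit code $LASTEXITCODE)." }

    Write-Output "$Level -> $path"
}
```

Only the explicit entry on each listed folder or file is replaced; explicit entries that an earlier script set directly on child items, and anything inherited from the site root, are left as they are, so review the result with `icacls <path>` after the first run.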
Arjan,
That's some nice work there chief!
I'll be porting those changes onto the repo tonight as well as adding the enable/disables too.
I'll still keep my conditionals as I want to be able to streamline this for any build I might need but I see how sleek you've set yours to be.
Thanks for jumping on-board to help!
Jon
Anytime!