Optimal file/folder permissions for Courier 2?
Hey guys and girls,
I'm using the following file/folder permissions for all our LIVE Umbraco websites:
http://blog.vizioz.com/2009/10/umbraco-permissions-script-secure.html
I'm not using the NETWORK SERVICE account, but I configure a different user for each Application Pool and set the above file/folder permissions for that specific user.
These permission settings often interfere with package installation, but as a workaround I usually temporarily give Everyone full control during package installation.
I just found out deploying a website with Courier 2 Express doesn't work with the current file/folder permissions:
Umbraco.Courier.Core.Exceptions.PackageException: Unable to load item width id 'umbracoContour.RenderForm' from provider 'Macros' ---> System.UnauthorizedAccessException: Access to the path 'D:\UmbracoTest\usercontrols\umbracoContour\RenderForm.ascx' is denied.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy)
at System.IO.FileStream..ctor(String path, FileMode mode)
at Umbraco.Courier.Core.Helpers.IO.CheckSum(String absolutePath) in d:\TeamCity6\buildAgent\work\cecf55a7453a4685\Umbraco.Courier.Core\Helpers\IO\IO.cs:line 48
So I was wondering, what's the best practice for file/folder permissions if you still want to be able to install packages and use Courier 2 for deployment?
Arjan
Hi Arjan
Courier 2 uses a folder structure in /app_data/courier/ to store all revision data. Apart from that, it will require that the user associated with the application pool has rights to open and read the files you wish to transfer. If you want to transfer your entire site, that will involve quite a few folders:
/bin
/app_code
/masterpages
/css
/media
/usercontrols
/xslt
/macroScripts
/scripts
But out of the box, you should already have most of the permissions set up for this though, as working with these elements in Umbraco will also require the same level of access.
Thanks for the reply Per.
You're right, not all of these folders have the appropriate (WRITE, MODIFY) permissions. And I should also set READ, WRITE and MODIFY permissions for the folder where the images for design are stored, as Tim Geyssens pointed out to me. I'm going to test again with the following settings:
READ only access
/
/umbraco
/web.config
READ & EXECUTE, WRITE and MODIFY access
/app_code
/usercontrols
READ, WRITE and MODIFY access
/app_data
/bin
/config
/css
/data
/images (used for design)
/macroScripts
/masterpages
/media
/scripts
/xslt
It's probably easier to give the application pool user full rights on all the subfolders, but what are the (security) risks of doing so?
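The permission tiers listed in the post above, expressed as icacls grants in PowerShell; this is an added example, not part of the original thread or of the linked permissions script. The account name is a placeholder, and mapping both "modify" tiers to the icacls right `M` is an assumption about what the poster intends.

```powershell
# Added example: applies the permission tiers from the post to one application pool account.
param(
    [string]$SiteRoot = 'D:\UmbracoTest',        # site path as it appears in the error in the thread
    [string]$Identity = 'MACHINE\apppool-user',  # placeholder: the account your application pool runs as
    [switch]$Apply                               # without -Apply the commands are only printed
)

# icacls rights: R = read, M = modify. Modify already includes read, execute,
# write and delete, so both "modify" tiers from the post map to M (assumption).
$tiers = [ordered]@{
    'R' = @('', 'umbraco', 'web.config')
    'M' = @('app_code', 'usercontrols', 'app_data', 'bin', 'config', 'css', 'data',
            'images', 'macroScripts', 'masterpages', 'media', 'scripts', 'xslt')
}

foreach ($right in $tiers.Keys) {
    foreach ($rel in $tiers[$right]) {
        $path = if ($rel) { Join-Path $SiteRoot $rel } else { $SiteRoot }
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "Skipping missing path: $path"
            continue
        }
        # Folders pass the entry on to child files (OI) and subfolders (CI); a file takes it directly.
        $inherit = if (Test-Path -LiteralPath $path -PathType Container) { '(OI)(CI)' } else { '' }
        $ace = "${Identity}:$inherit$right"
        if ($Apply) {
            # /grant:r replaces earlier explicit grants for this account, e.g. a leftover Full control.
            & icacls $path /grant:r $ace
            if ($LASTEXITCODE -ne 0) { throw "icacls failed for $path" }
        } else {
            Write-Output "icacls `"$path`" /grant:r `"$ace`""
        }
    }
}
```

Run it once without -Apply to review the generated commands. Running `icacls` on the site root afterwards lists the resulting entries, including any Everyone entry left over from a package installation.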