Nant : change file permission
Asked Answered
A

4

8

I have an ASP.NET application. Basically the delivery process is this one :

  • Nant builds the application and creates a zip file on the developer's computer with the application files without SVN folders and useless files. This file is delivered with a Nant script.
  • The zip and nant files are copied to the client's computer
  • the Nant script replaces the current website files with the file contained in the zip file.

My problem is that with this process I have an Unauthorized access error when I try to open the website. It seems that the files need to have a permission set for the user "IIS_WPG".

I don't have the power to change IIS configuration so I have to manually change the permissions of each file. And each time I replace the files the permissions are removed and I need to set them again.

So I have two questions :

  • Can I change files permissions with Nant ? How to do it ?
  • Is it possible to avoid this problem ? (developers don't have this user on their computers)
Arteriovenous answered 24/10, 2008 at 12:19 Comment(0)
C
4

You need to run the CACLS program in windows to grant permissions to files and folders. From Nant, you can do this with the EXEC task.

Try a tag block like:

<exec program="cacls">
    <arg value="*" />
    <arg value="/G IIS_WPG:F" />
</exec>
Counterpunch answered 24/10, 2008 at 12:27 Comment(1)
Just note that your suggestion is the right solution but the parameters are... dangerous :). See my answer.Arteriovenous
A
7

@Jeff Fritz Ouch... Your suggestion is the right solution but the parameters are... dangerous :).

On dev computers I'm logged as administrator and I tried your suggestion with cmd.

  • It replaces all the permissions set in order to set only the ones defined in the command (so, after the command, accessing files resulted in a "Access denied" even with my admin user)
  • It applied on the C:\WINDOWS\ directory, while I called the command from the wwwroot folder. :)

So, after some tests, the right command is :

cacls [full folder path] /T /E /G IIS_WPG:F
  • /T : applies on specified folder and subfolders
  • /E : edits the ACL instead of replacing it :)
Arteriovenous answered 24/10, 2008 at 13:6 Comment(1)
UPDATE: CACLS is now deprecated and ICACLS should be used instead. This is the case on Windows Server 2008 R2, at least.Hett
C
4

You need to run the CACLS program in windows to grant permissions to files and folders. From Nant, you can do this with the EXEC task.

Try a tag block like:

<exec program="cacls">
    <arg value="*" />
    <arg value="/G IIS_WPG:F" />
</exec>
Counterpunch answered 24/10, 2008 at 12:27 Comment(1)
Just note that your suggestion is the right solution but the parameters are... dangerous :). See my answer.Arteriovenous
E
3

We ended up writing our own task for this with some fairly straight forward code:

[TaskName("addusertodir")]
public class AddUserToDirectorySecurity : Task
{
    [TaskAttribute("dir", Required=true)]
    public string DirPath { get; set; }

    [TaskAttribute("user", Required=true)]
    public string UserName { get; set; }

    protected override void ExecuteTask()
    {
        FileSystemAccessRule theRule1 = new FileSystemAccessRule(UserName, FileSystemRights.ListDirectory, AccessControlType.Allow);
        FileSystemAccessRule theRule2 = new FileSystemAccessRule(UserName, FileSystemRights.ReadAndExecute, AccessControlType.Allow);
        FileSystemAccessRule theRule3 = new FileSystemAccessRule(UserName, FileSystemRights.Read, AccessControlType.Allow);

        DirectorySecurity theDirSecurity = new DirectorySecurity();
        theDirSecurity.AddAccessRule(theRule1);
        theDirSecurity.AddAccessRule(theRule2);
        theDirSecurity.AddAccessRule(theRule3);
        Directory.SetAccessControl(DirPath, theDirSecurity);
    }
}

Then you can write a nant script that loads the custom task and executes:

<loadtasks>
    <fileset>
        <include name="MyTask.dll"/>
    </fileset>
</loadtasks>

<addusertodir dir="MyDir" user="IIS_WPG"/>

Obviously, this could be modified for your certain rules or you could even parameterize this in the task if you so wish. We preferred this over the using the exec task as it have us a bit more control over permissions that were being applied.

Expunction answered 24/10, 2008 at 16:49 Comment(0)
P
2

CACLS is now deprecated. Here's a version that uses ICACLS, the replacement.

Let's say we have the following:

  • The root folder of our installation is "c:\inetpub\wwwroot", and it's stored in the NANT variable ${paths.myprogram.inetpub}
  • The folder we want to modify is called "uploads", and it's stored in ${upload.foldername}
  • The user we want to grant access to is "IIS_UPLOAD_USER", stored in ${iis.upload.user}
  • The permission level we want to grant is "M", for "modify" permissions, stored in ${iis.user.permissionlevel}

With these assumptions, our task is this:

<exec program="icacls">
    <arg value="${path::combine(paths.myprogram.inetpub, upload.foldername)}" />
    <arg value="/grant" />
    <arg value="${iis.upload.user}:${iis.user.permissionlevel}" />
</exec>

Hope this helps!

Psychiatry answered 22/10, 2012 at 17:46 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.