views:

878

answers:

3

Hi !

I have an ASP.NET application. Basically the delivery process is this one :

  • Nant builds the application and creates a zip file on the developer's computer with the application files without SVN folders and useless files. This file is delivered with a Nant script.
  • The zip and nant files are copied to the client's computer
  • the Nant script replaces the current website files with the file contained in the zip file.

My problem is that with this process I have an Unauthorized access error when I try to open the website. It seems that the files need to have a permission set for the user "IIS_WPG".

I don't have the power to change IIS configuration so I have to manually change the permissions of each file. And each time I replace the files the permissions are removed and I need to set them again.

So I have two questions :

  • Can I change files permissions with Nant ? How to do it ?
  • Is it possible to avoid this problem ? (developers don't have this user on their computers)
+2  A: 

You need to run the CACLS program in windows to grant permissions to files and folders. From Nant, you can do this with the EXEC task.

Try a tag block like:

<exec program="cacls">
    <arg value="*" />
    <arg value="/G IIS_WPG:F" />
</exec>
Jeff Fritz
Just note that your suggestion is the right solution but the parameters are... dangerous :). See my answer.
Julien N
+5  A: 

Ouch... Your suggestion is the right solution but the parameters are... dangerous :).

On dev computers I'm logged as administrator and I tried your suggestion with cmd.

  • It replaces all the permissions set in order to set only the ones defined in the command (so, after the command, accessing files resulted in a "Access denied" even with my admin user)
  • It applied on the C:\WINDOWS\ directory, while I called the command from the wwwroot folder. :)

So, after some tests, the right command is :

cacls [full folder path] /T /E /G IIS_WPG:F
  • /T : applies on specified folder and subfolders
  • /E : edits the ACL instead of replacing it :)
Julien N
+3  A: 

We ended up writing our own task for this with some fairly straight forward code:

[TaskName("addusertodir")]
public class AddUserToDirectorySecurity : Task
{
    [TaskAttribute("dir", Required=true)]
    public string DirPath { get; set; }

    [TaskAttribute("user", Required=true)]
    public string UserName { get; set; }

    protected override void ExecuteTask()
    {
        FileSystemAccessRule theRule1 = new FileSystemAccessRule(UserName, FileSystemRights.ListDirectory, AccessControlType.Allow);
        FileSystemAccessRule theRule2 = new FileSystemAccessRule(UserName, FileSystemRights.ReadAndExecute, AccessControlType.Allow);
        FileSystemAccessRule theRule3 = new FileSystemAccessRule(UserName, FileSystemRights.Read, AccessControlType.Allow);

        DirectorySecurity theDirSecurity = new DirectorySecurity();
        theDirSecurity.AddAccessRule(theRule1);
        theDirSecurity.AddAccessRule(theRule2);
        theDirSecurity.AddAccessRule(theRule3);
        Directory.SetAccessControl(DirPath, theDirSecurity);
    }
}

Then you can write a nant script that loads the custom task and executes:

<loadtasks>
    <fileset>
        <include name="MyTask.dll"/>
    </fileset>
</loadtasks>

<addusertodir dir="MyDir" user="IIS_WPG"/>

Obviously, this could be modified for your certain rules or you could even parameterize this in the task if you so wish. We preferred this over the using the exec task as it have us a bit more control over permissions that were being applied.

Scott Saad