According to this article (method 2, item 6) I'm supposed to add computername\IIS_IUSRS as the role allowed to read my web.config file.
I'm not sure if it's true, though, because:
I've seen other web sites on the current server that don't have that set in security tab but still are accessible
more importantly, I still get the error 500.19 related config data invalid with extension config file insufficient permissions (0x80070005).
(At this point I'm only trying to serve a static HTML page, before I'll go on and also deliver web services.)
What am I missing?
Check every part of the directory tree in your setup. Make sure that every directory, subdirectory and file that you're trying to access, in fact, has the group IIS_IUSRS defined on your local machine (or the server, in fact). I'm betting my left ear that you'll find a part that hasn't.
The error you mentioned - 0x80070005 - means precisely that.
In case you still can't find the source of the issue, remove the whole directory tree and redo the whole setup process. Maybe there's some access right that's catched, then.
I just tested it on my system and I could cause the error you're describing by removing permissions of IIS_IUSRS from a subdirectory.
Related
I have one server that works (that I originally remember took me a loooong time to figure out--dont remember solution). I copy the exact same permissions to the new server, and it does not work. 'Everyone' is given total permission.
I have given permissions to _IUSR, IIS_USR, and Everyone., yet I still have errors with PHP trying to write/modify files.
Whats up?
You didn't mention IIS version you are using and what's application you are trying to run on top of it - these would be helpful to get a proper answer.
Looking at account names you mentioned you are running IIS 7.x... If you are running app which requires some fancy permissions config on its folders and files just try to temporarily grant full access to Everyone and IUSR from the top of app folder (overwriting everything below it) just to verify that this is permissions problem indeed.
I recently switched my development machine from Windows XP to Windows 7 and since that switch, I have a problem with files permissions when I do operations with Tortoise SVN.
Example:
I Have two ASP.NET website set on my local IIS. Beta and Devlo. Beta is a check out of the branch I'm working on and Devlo is a check out of the Trunk.
I made some change on the Beta website and Check it in.
Then I made a merge to reintegrate the branch in the truck on the Devlo website, but I got this error when I test it :
Parser Error
Description: An error occurred during the parsing of a resource required to
service this request. Please review the following specific parse error details
and modify your source file appropriately.
Parser Error Message: Access to the path 'C:\[...]' is denied.
After investigation, I discovered that every file that was modified by the Tortoise SVN merge lost theirs file permission (Read, Read & Execute) for the users IUSE and IIS_IUSRS.
I could manually put them back, but this happen every time I perform an operation of this kind. Is there a way to keep those permissions unchanged by the SVN operation?
Update
Before the Merge, the file was inheriting is permission from the parent folder (has it's supposed to do.)
But not after the merge :
The original file (in the beta folder) was inheriting is permission from the parent folder.
Why the TortoiseSVN (explicitly?) block permission inheritance?
I had the same issue and fixed it with the help of this SO answer: https://stackoverflow.com/a/8993163/361831
The answer mentions that updated files are copied to a .svn/tmp directory which is located in the top level of your working copy (as of tortoiseSVN 1.7). This top level dir didn't have the IIS permissions so I guess they weren't inheriting during the copy. So I just set the IIS permissions to that top level dir and set to inherit, and that fixed the issue.
When subversion updates a file it first creates a temporary version in .svn/tmp/. It then moves the file into the right location. (This to avoid corruptions)
In 1.6 it did this for every directory by itself, but in 1.7 there is just a .svn in the top level directory of your working copy.
If somehow the filesystem permissions of this .svn directory are restricted, it is possible that the restrictions are copied with the file when it is moved in place. (Subversion doesn't change the permissions itself on Windows)
ANSWER: Locate your .svn directory for that project and fix the permissions with permissions needed by your project.
You should be able to set these permissions on the folder that contains the files and then let the files inherit these permissions, instead of explicitly setting the permissions on the files themselves.
TortoiseSVN may delete and create files instead of renaming. When a new file is created this way it will not have the original permissions, but it will inherit permissions from its container.
See also: Explicit vs. Inherited Permissions
Each permission that exists can be assigned one of two ways:
explicitly or by inheritance. For this reason, permissions are
referred to as explicit permissions and inherited permissions.
Explicit permissions are permissions that are set by default when the object is created, or by user action.
Inherited permissions are permissions that are given to an object because it is a child of a parent object.
Similar to the way rights are managed for groups of users, permissions
are best managed for containers of objects. Objects within the
container inherit all the access permissions in that container.
See also: TortoiseSVN - Deleting, Moving and Renaming
Since renames and moves are done as a delete followed by an add...
I had the same problem on both my Win7 64bit machines. I would check in code on one, go to the other, do a Tortoise SVN Update, and have to reset the permissions on the folder to let the parent folder's permissions propagate downwards.
I finally found this article, tried it, and two weeks later it seems to be holding up.
Open the Registry Editor (click Start > Run, type regedit, then press ENTER).
Locate the following registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
With the key selected, on the Edit menu, click Add Value, and then add the following registry value:
Value name: ForceCopyAclwithFile
Data type: DWORD
Value data: 1
Exit the Registry Editor.
http://kb.globalscape.com/KnowledgebaseArticle10473.aspx
The basic idea is we have a test enviroment which mimics Production so customErrors="RemoteOnly". We just built a test harness that runs against the Test enviroment and detects breaks. We would like it to be able to pull back the detailed error. But we don't want to turn customErrors="On" because then it doesn't mimic Production.
I've looked around and thought a lot, and everything I've come up with isn't possible. Am I wrong about any of these points?
We can't turn customErrors on at runtime because when you call configuration.Save() - it writes the web.config to disk and now it's Off for every request.
We can't symlink the files into a new top level directory with it's own web.config because we're on windows and subversion on windows doesn't do symlinks.
We can't use URL-Mapping to make an empty folder dir2 with its own web.config and make the files in dir1 appear to be in dir2 - the web.config doesn't apply
We can't copy all the aspx files into dir2 with it's own web.config because none of the links would be consistent and it's a horrible hacky solution.
We can't change customErrors in web.config based on hostname (e.g. add another dns entry to the test server) because it's not possible/supported
We can't do any virtual directory shenanigans to make it work.
If I'm not, is there a way to accomplish what I'm trying to do? Turn on customErrors site-wide under certain circumstances (dns name or even a querystring value)?
If you have customErrors="On" or "remoteOnly" the error detail doesnt go away right? I mean you can still access it and log it to another source using your custom error page.
Why dont you just have your custom error page in production log the information somewhere your harness can access it, like a message queue or App event log? When the harness comes across a break it just has to be smart enough to do a lookup in the right place for the full error info.
Another thing to consider anyway.
As part of a CMS, I have created a custom VirtualPathProvider which is designed to serve a single file in place of an actual file structure. I have it set up such that if a file actually exists on the server, that file will be served. If the file does not exist, the virtual content stored for that address will be served instead. This is similar to the concept of serving a website from files stored in a database, though in this case the content is stored in XML files on the server.
This setup works perfectly when a request is made to a specific page. For example, if I ask for "www.mysite.com/foobar.aspx", the content that is stored for "foobar.aspx" will be served. Further, if I ask for "www.mysite.com/subdir/foobar.aspx", the appropriate content will also be served.
The problem is this: If I ask for something like "www.mysite.com/foobar", things begin to fall apart. If the directory exists on disk (and doesn't have a configured default page in IIS, such as index.aspx), I will get a "Directory Listing Denied" error. If the directory does not exist, I'll simply get a 404 - Resource Not Found.
I've tried several things, and so far nothing I've done has made a bit of difference. It seems as though IIS is simply noting the nonexistence of a directory (or default file in an existing directory) and serving up its own error code, without ever asking my application what to do with the request. If it ever did get to the application, I would be able to solve the problem, but as it stands, I'm quite lost. Does anyone know if there is some setting in IIS that is causing this?
I've looked for every resource I can find on the subject, and am coming up empty. I know this should be possible, because I have read tutorials on serving content from both databases and ZIP files. HELP!
p.s., I am running IIS6 and .NET 3.5
IIS will only pass a request to the ASP.NET process if it is configured to do so for the particular extension. The default is aspx, ascx, etc. In other words, if you request a .html file, ASP.NET will never see that HTTP request. Likewise for empty extension.
To change this behavior, add a wildcard mapping to the ASP.NET process. Load IIS Manager, go to the Properties for your web site and look at the Home Directory tab. Click on "Configuration" and there you will see the extension-to-applicaiton mappings.
I am trying to configure the IPermission node as part of medium trust. However I am unable to find the valid values list for the PathDiscovery attribute on the node
<IPermission class="FileIOPermission" version="1" Read="$AppDir$" Write="$AppDir$" Append="$AppDir$" PathDiscovery="$AppDir$"/>
I need to set the permission so that the account will be able to access all subdirectories under the main path. currently a .svc (WCF service file) throws a 404 error because the ASP.Net account is not able to get it from a sub-folder couple of levels deep. I am trying to avoid changing the node to
<IPermission class="FileIOPermission" version="1" Unrestricted="true"/>
Any ideas?
TIA
I certainly agree that you shouldn't change the node to Unrestricted, as that would pretty much defeat the purpose of partial trust.
According to the System.Security.Permissions.FileIOPermission documentation on MSDN, FileIOPermission is supposed to imply permissions to everything below that path as well.
From that doc:
Access to a folder implies access to
all the files it contains, as well as
access to all the files and folders in
its subfolders. For example, Read
access to C:\folder1\ implies Read
access to C:\folder1\file1.txt,
C:\folder1\folder2\,
C:\folder1\folder2\file2.txt, and so
on.
Of course, building custom trust .config files is woefully poorly documented by Microsoft, so it's possible that the .config markup for FileIOPermission behaves differently than the code class... That would be surprising to me though.
Is it possible some other problem is causing the 404? Double-check that the service is executing under the credentials you'd expect, and that the path is being evaluated correctly...