I recently switched my development machine from Windows XP to Windows 7 and since that switch, I have a problem with files permissions when I do operations with Tortoise SVN.
Example:
I Have two ASP.NET website set on my local IIS. Beta and Devlo. Beta is a check out of the branch I'm working on and Devlo is a check out of the Trunk.
I made some change on the Beta website and Check it in.
Then I made a merge to reintegrate the branch in the truck on the Devlo website, but I got this error when I test it :
Parser Error
Description: An error occurred during the parsing of a resource required to
service this request. Please review the following specific parse error details
and modify your source file appropriately.
Parser Error Message: Access to the path 'C:\[...]' is denied.
After investigation, I discovered that every file that was modified by the Tortoise SVN merge lost theirs file permission (Read, Read & Execute) for the users IUSE and IIS_IUSRS.
I could manually put them back, but this happen every time I perform an operation of this kind. Is there a way to keep those permissions unchanged by the SVN operation?
Update
Before the Merge, the file was inheriting is permission from the parent folder (has it's supposed to do.)
But not after the merge :
The original file (in the beta folder) was inheriting is permission from the parent folder.
Why the TortoiseSVN (explicitly?) block permission inheritance?
I had the same issue and fixed it with the help of this SO answer: https://stackoverflow.com/a/8993163/361831
The answer mentions that updated files are copied to a .svn/tmp directory which is located in the top level of your working copy (as of tortoiseSVN 1.7). This top level dir didn't have the IIS permissions so I guess they weren't inheriting during the copy. So I just set the IIS permissions to that top level dir and set to inherit, and that fixed the issue.
When subversion updates a file it first creates a temporary version in .svn/tmp/. It then moves the file into the right location. (This to avoid corruptions)
In 1.6 it did this for every directory by itself, but in 1.7 there is just a .svn in the top level directory of your working copy.
If somehow the filesystem permissions of this .svn directory are restricted, it is possible that the restrictions are copied with the file when it is moved in place. (Subversion doesn't change the permissions itself on Windows)
ANSWER: Locate your .svn directory for that project and fix the permissions with permissions needed by your project.
You should be able to set these permissions on the folder that contains the files and then let the files inherit these permissions, instead of explicitly setting the permissions on the files themselves.
TortoiseSVN may delete and create files instead of renaming. When a new file is created this way it will not have the original permissions, but it will inherit permissions from its container.
See also: Explicit vs. Inherited Permissions
Each permission that exists can be assigned one of two ways:
explicitly or by inheritance. For this reason, permissions are
referred to as explicit permissions and inherited permissions.
Explicit permissions are permissions that are set by default when the object is created, or by user action.
Inherited permissions are permissions that are given to an object because it is a child of a parent object.
Similar to the way rights are managed for groups of users, permissions
are best managed for containers of objects. Objects within the
container inherit all the access permissions in that container.
See also: TortoiseSVN - Deleting, Moving and Renaming
Since renames and moves are done as a delete followed by an add...
I had the same problem on both my Win7 64bit machines. I would check in code on one, go to the other, do a Tortoise SVN Update, and have to reset the permissions on the folder to let the parent folder's permissions propagate downwards.
I finally found this article, tried it, and two weeks later it seems to be holding up.
Open the Registry Editor (click Start > Run, type regedit, then press ENTER).
Locate the following registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
With the key selected, on the Edit menu, click Add Value, and then add the following registry value:
Value name: ForceCopyAclwithFile
Data type: DWORD
Value data: 1
Exit the Registry Editor.
http://kb.globalscape.com/KnowledgebaseArticle10473.aspx
Related
I implemented a feature that allow users to upload files. Everything was working perfectly on my machine. After we deploy it, I got the following error:
Access to the path '\...\VendorDocuments\TempFolder\2585' is denied.
I've added EveryOne in the list of the object that have all the permissions to the VendorDocument folder. It worked.
Now I'd like to know how to setup the permissions to take into account the security aspects.
vendorDocuments is the main folder.
Inside vendorDocuments there is another folder called TempFolder
When user selects a file, the file is automatically uploaded to a TempFolder/UserId
If the user decides to cancel the operation, the file inside the TempFolder is deleted.
If the user decides to proceed, the file will be moved from the TempFolder/UserId to a folder belonging to the vendor still inside vendorDocuments.
VendorDocuments => TempFolder => TempFolder => UserId (file inside)
VendorDocuments => VendorName => DocumentId (file inside)
So in my opinion, there are 2 problems;
How to setup the permission on the highest level, i.e. vendorDocuments folder.
Do I need to setup permission as well for every vendor folder, i.e. where files belonging to a given vendor will be saved. There reason I asking this question is because I read that it's better to setup manually permission on folder. However, in this case, vendor's own folder will be created on the fly, i.e. the first time a user belonging to that vendor upload a file.
Sorry to ask a long question. This is the first time I'm working with permissions.
We take care of our permission like this by assigning an application pool identity to the application itself. This allows you to give the applications account the permissions it needs to write files to their destination. We are using IIS and I can see that depending on your version of IIS the process is slightly different. IIS instructions: http://www.iis.net/learn/manage/configuring-security/application-pool-identities
I have one server that works (that I originally remember took me a loooong time to figure out--dont remember solution). I copy the exact same permissions to the new server, and it does not work. 'Everyone' is given total permission.
I have given permissions to _IUSR, IIS_USR, and Everyone., yet I still have errors with PHP trying to write/modify files.
Whats up?
You didn't mention IIS version you are using and what's application you are trying to run on top of it - these would be helpful to get a proper answer.
Looking at account names you mentioned you are running IIS 7.x... If you are running app which requires some fancy permissions config on its folders and files just try to temporarily grant full access to Everyone and IUSR from the top of app folder (overwriting everything below it) just to verify that this is permissions problem indeed.
I noticed recently IISExpress & My Web Sites folders are getting added to the My Documents folder on my Windows 7 machine. I recently installed VS2012, so I'm guessing that's the culprit, but I haven't been able to find anything on line that explains how to change these defaults, if possible.
Microsoft cluttering up my 'Documents' folder with all their programs' (junk) folders drives me insane as well. I have conceded somewhat by creating a Data folder under my Documents folder, where I am pointing all MS apps (and others apps such as Firefox's profile folder) to for all their (generally unwanted) folders, and with a subfolder created for each program/suite. At least this way I can easily back up all settings when I back up my 'Documents' folders.
Anyway, VS2012 installs IIS Express, which is what is causing these folders to be created. I have found two solutions for dealing with the unwanted folders.
Uninstall IIS Express. You can do this from the normal Windows 'Uninstall a Program' part of Control Panel.
Change the folder location that IIS Express uses, as follows. Be warned: anyone doing this risks causing problems with their computer if you don't know what you are doing, so you do so at your own risk. Please make appropriate backups along the way as well too!
a) Close Visual Studio.
b) Create a new folder for the IIS Express sub-folders:
eg. D:\My Documents\Data\Microsoft\IISExpress
c) Move the existing unwanted IISExpress subfolders (config, Logs, TraceLogFiles) from your My Documents > IISExpress folder to the folder created in step b).
d) Create a new folder for the My Web Sites folder, I suggest also under the folder created in step b).
eg. D:\My Documents\Data\Microsoft\IISExpress\Websites
Under this folder, create a website for the default IIS Express website (in case it "auto-magically" reappears it's ugly head again later on).
eg. D:\My Documents\Data\Microsoft\IISExpress\Websites\Default
e) Go to the newly located config folder at:
eg. D:\My Documents\Data\Microsoft\IISExpress\config, and:
i. Open the file applicationhost.config in your text editor (eg. Notepad).
ii. Find the node sites > site > application path > virtualDirectory path for WebSite1, and change the physicalPath value from %IIS_SITES_HOME%\WebSite1 to the IIS Express default website folder you created in step d).
Eg. %IIS_SITES_HOME%\Websites\Default.
Note that %IIS_SITES_HOME% points to your 'Documents' folder (this appears to be a "feature" of IIS Express, I can't find a way to change it, and it appears to be auto-configured when IIS Express starts up, which it does by using the applicationhost.config file).
Do the same for any other sites created by IIS Express.
f) Create a new registry entry pointing IIS Express to the new folders you created (partly explained by MS here: http://www.iis.net/learn/extensions/introduction-to-iis-express/iis-80-express-readme). FYI the registry key doesn't previously exist, as IIS Express uses a default of my Documents unless this key exists:
i. Open the Windows 'Run' box, eg. (Windows Key) + R
ii. Type regedit
iii. Navigate to key: HKEY_CURRENT_USER\Software\Microsoft
iv. *Right click* the Microsoft key (that you have just navigated to), and choose: New > Key
v. Type IISExpress
vi. *Right click* the IISExpress key that you have just created, and choose: New > String Value
vii. Type CustomUserHome, and hit the Enter key to save it.
viii. Double-click the CustomUserHome string to enter a value for it, and for the Value Data: field, type in the path to the new IIS Express folder you created in step b), for example: D:\My Documents\Data\Microsoft\IISExpress. Press OK, and you can now close the Registry Editor.
g) Reopen Visual Studio, and it should start using the new folders, as well as not create the folders in your Documents folder anymore. Yay!!!!!
FYI, when I did this all, I actually did it in a slightly different order (creating the registry key first), but this order was the easiest way to explain it all. Whether you create the key first or last shouldn't matter, as long as you do all the steps. Good luck!
A Tricky solution
Make a copy of your C:\Users\<user>\Documents\IISExpress folder
first
Create a symbolic folder called IISExpress inside the C:\Users\<user>\Documents folder using the following command
mklink /J C:\Users\<user>\Documents\IISExpress D:\IISExpress
Move all the content from your copied IISExpress into D:\IISExpress
Thats all
If you're just looking to declutter your Documents folder, one simple workaround is to set the unwanted folders to hidden so it's no longer visible.
You can do this by right clicking on the IISExpress folder > Properties and checking the hidden property at the bottom. The folder will still remain in your Documents folder but won't be visible to you. If for some reason you want to access these folders again, you can toggle hidden item visibility in File Explorer's View tab.
According to this article (method 2, item 6) I'm supposed to add computername\IIS_IUSRS as the role allowed to read my web.config file.
I'm not sure if it's true, though, because:
I've seen other web sites on the current server that don't have that set in security tab but still are accessible
more importantly, I still get the error 500.19 related config data invalid with extension config file insufficient permissions (0x80070005).
(At this point I'm only trying to serve a static HTML page, before I'll go on and also deliver web services.)
What am I missing?
Check every part of the directory tree in your setup. Make sure that every directory, subdirectory and file that you're trying to access, in fact, has the group IIS_IUSRS defined on your local machine (or the server, in fact). I'm betting my left ear that you'll find a part that hasn't.
The error you mentioned - 0x80070005 - means precisely that.
In case you still can't find the source of the issue, remove the whole directory tree and redo the whole setup process. Maybe there's some access right that's catched, then.
I just tested it on my system and I could cause the error you're describing by removing permissions of IIS_IUSRS from a subdirectory.
I've developed an ASP.NET v4 web app which I am trying to get to write to a folder in the webroot.
For the life of me I cannot get Windows 7 to allow it to write a file, I get Access is Denied error each time.
What I have tried on the folder is
attrib -r /foldernameandpath
attrib -r -s /foldernameandpath
Removing Check from ReadOnly attribute in folder properties
Changed owner to folder to current user whom is also the admin
Changed owner to Everyone
Adding Everyone user to folder with all permissions
Changing the folder to the Public Document directory
Changing to the root of the C drive (Out of desperation)
Nothing seems to work and all I want to do is test that the write works.
Now I know the system works and writes fine cause I had this same web app on a second machine writing the PDFs to the C drive without issue. This second machine I just cannot get it to allow the write.
Oh please for the love of all things holy, put the keyboard and mouse down and stop what you are doing. Some of the actions in your list seriously frightens me.
All the things you list as your actions are most likely useless or desperately random at best.
As a web developer, you shouldn't have to start messing around changing ownership of folders, especially not the web root folder normally used by the web server. When you do, you'll end up in a dark, cold and lonely place. Lord only knows what other desperate measures you have taken. For your own sake, I'll recommend you to do a system restore or even system reinstall to make sure you are in a healthy state.
Let's go back one step and try to sort out what you are doing.
First: what is the path you are trying to write to?
Second: are you running this application directly from within Visual Studio or in IIs?
If you are doing the first option then your current user account is the account who tries to write to the path in question. Do you have write permissions there?
One thing you can try is to start Visual Studio with elevated permissions and see if that works.
If you are running in IIs, it the associated pool account that needs write permissions.
Are you doing impersonation by any chance? If so, make sure the impersonated account have proper permissions.
You should only write to a predefined folder within your app path, like ..\App_Data for example.
The easiest way to find out which account you are running with and determine what path you are trying to write to, is to fire up SysIntenals process monitor and find the entry with the access denied result. Select properties for that entry and find out which account tried to do the write action. When you have determined that, right click on the folder in question and give the proper account write permissions.