How TO Set ACLs Through the Manifest.xml File in IIS

There are many methods you can employ to configure access control lists (ACLs). One of these methods is through the use of command-line tool like the Icacls.exe. PHP hosters commonly utilize the command line to set up ACLs. However, you can as well set up access control list with the use of Manifest.xml file. These are the systems that are commonly utilized during the installation of an app with the use of the Web Deployment Tool (WDT) or through the utilization of the Microsoft Web Platform Installer (Web PI).

The WDT is pre-configured to install all files and directories without making any alteration to any type of already existing permission. In majorities of instances, it implies that the app only possess a read right of entry to the files and directories that are installed. If your app requires being written to a file or directory, you can spell out the particular files or directories with a setAcl command within the Manifest.xml file. The setAclResourceType components specify if the path stands for a file or a directory.

XMLCopy

 
<setAcl
        path="application/sites/default/settings.php"
        setAclResourceType="File"
        setAclAccess="Modify"
        setAclUser="anonymousAuthenticationUser" />

To certify that you give access control list to the right directory, you need to as well implement a hidden constraint in relation to the AppPath where it is configured and setup.

XMLCopy

<!-- This is the parameter that is used to set ACLs, it's set to the application path filled in by the user -->
<parameter
name="SetAclParameter1"
defaultValue="{AppPath}/sites/default/settings.php"
tags="Hidden">
<parameterEntry
  type="ProviderPath"scope="setAcl"
  match="Application/sites/default/settings.php" />
</parameter>

If you fail to configure ACL on a specific file or directory, the ACL would possibly be configured to allow read access to the file or directory by default. The ACLs are precise, thus, a grant of access does not essentially offer a read access. If you have to write to a file or directory, you ought to incorporate "read, write". When you have to list the files in a directory, you ought to incorporate "ListDirectory". Be aware that write access doesn’t imply modification right. If you need to alter the files as soon as they are written to disk, you have to clearly configure the modification access.

There are a few permissions that are mergers of other permissions; for instance, "Modify" permission gives the person right to "Read", "Write", "Execute", and "Delete".

To offer read, execute, and write access to the MyApp file structure directory for the client Test, incorporate the line below to your Manifest.xml file:

XMLCopy

<setAcl path="MyApp" setAclAccess="ReadAndExecute, Write" setAclUser="Test" />

To configure the Access Control Lists on the thread MyApp/Upload to permit anonymous clients to upload content, integrate the line below into your Manifest.xml file:

XMLCopy

<setAcl path="MyApp/Upload" setAclAccess="Write" setAclUser="anonymousAuthenticationUser" />

Be aware that anonymousAuthenticationUser is a specific token that commonly get resolved to your anonymous authentication ID setup. To offer read access to the MyAppData folder for the app pool identity, integrate the line below to the Manifest.xml file:

XMLCopy

<setAcl path="MyApp/Data" setAclAccess="Read" />

Be aware that that the setAclUser is not utilized here. The pre-set value for this is Application Pool Identity; therefore, you may be able to leave out that line.

Be aware that it is taken as a huge security risk to offer "Write" or "Modify" access to the whole app tree through the application of the ACL at the root of the application. ACLs ought to be very much restricting and granular in nature but not in any way limit the functionality of the apps.

If you are knowledgeable about UNIX or Linux permissions, the privileges here is related to "Owner" permissions in those platforms. Although Group and Global permissions can be configured through a lot of ACLs external of the WDT, the only permissions that are configured in this instance are the "Owner" category of permissions. The chart below illustrates the Windows operating system counterparts of a variety of Linux bit-masked permissions:

Linux

Example of the user rights and the descriptions

fileSystemRights Enum

  • Namespace: System.Security.AccessControl
  • Assemblies: System.IO.FileSystem.AccessControl.dll, mscorlib.dll
  • Definition: This defines the access permission to utilize when developing access and audit rules.
  • This list contains a FlagsAttribute element that permits a bitwise merger of its member values.

C#Copy

[System.Flags]
[System.Security.SecurityCritical]

publicenum FileSystemRights

  • Inheritance: Object ->ValueType ->Enum ->FileSystemRights
  • Attributes: FlagsAttribute , SecurityCriticalAttribute

Examples

The code below is an illustration that utilizes the FullControl list to spell out an access rule and then take away the access rule from a file. You have to provide a valid user or group account to be able to execute the example we have shown here.

C#Copy

using System;
using System.IO;
using System.Security.AccessControl;
 
namespace FileSystemExample
{
        class FileExample
        {
            publicstaticvoid Main()
            {
                try
                {
                    string fileName = "test.xml";
 
                    Console.WriteLine("Adding access control entry for "
                        + fileName);
 
                    // Add the access control entry to the file.
                    AddFileSecurity(fileName, @"DomainNameAccountName",
                        FileSystemRights.ReadData, AccessControlType.Allow);
 
                    Console.WriteLine("Removing access control entry from "
                        + fileName);
 
                    // Remove the access control entry from the file.
                    RemoveFileSecurity(fileName, @"DomainNameAccountName",
                        FileSystemRights.ReadData, AccessControlType.Allow);
 
                    Console.WriteLine("Done.");
                }
                catch (Exception e)
                {
                    Console.WriteLine(e);
                }
            }
 
            // Adds an ACL entry on the specified file for the specified account.
            publicstaticvoid AddFileSecurity(string fileName, string account,
                FileSystemRights rights, AccessControlType controlType)
            {
 
 
                // Get a FileSecurity object that represents the
                // current security settings.
                FileSecurity fSecurity = File.GetAccessControl(fileName);
 
                // Add the FileSystemAccessRule to the security settings.
                fSecurity.AddAccessRule(new FileSystemAccessRule(account,
                    rights, controlType));
 
                // Set the new access settings.
                File.SetAccessControl(fileName, fSecurity);
 
            }
 
            // Removes an ACL entry on the specified file for the specified account.
            publicstaticvoid RemoveFileSecurity(string fileName, string account,
                FileSystemRights rights, AccessControlType controlType)
            {
 
                // Get a FileSecurity object that represents the
                // current security settings.
                FileSecurity fSecurity = File.GetAccessControl(fileName);
 
                // Remove the FileSystemAccessRule from the security settings.
                fSecurity.RemoveAccessRule(new FileSystemAccessRule(account,
                    rights, controlType));
 
                // Set the new access settings.
                File.SetAccessControl(fileName, fSecurity);
 
            }
        }
}

For Internet Information Services (IIS)–specific ACL setup guide see below:

How to Set ACLs

There are plenty ways you can set your ACLs via the shell. Theses includes with the use of command-line tools like Icacls.exe. This article concentrates on the Web Deployment Tool manifest (XML) mechanism that can be utilized for setting up ACLs. This is utilized when you are installing an app via the Web Deployment Tool or the Web Platform Installer.

To offer Read, Execute, and Write permissions to MyApp file system directory for user Foo, incorporate the line below to the Manifest.xml file:

XMLCopy

<setAcl path="MyApp" setAclAccess="ReadAndExecute, Write" setAclUser="Foo" />

To configure the ACL on the path MyApp/Upload to permit anonymous users to upload content, integrate the lines below into your Manifest.xml file:

XMLCopy

<setAcl path="MyApp/Upload" setAclAccess="Write" setAclUser="anonymousAuthenticationUser" />

Be aware that anonymousAuthenticationUser is a particular token that will determine your configured anonymous authentication identity.

To provide Read access to the MyAppData folder for the application pool identity, incorporate the command below to the Manifest.xml file:

XMLCopy

<setAcl path="MyApp/Data" setAclAccess="Read" />

Be aware that the setAclUser is not utilized here. The (the out of the box set value for this is the Application Pool Identity).

The token anonymousAuthenticationUser is routinely measured up to the identity that the website has set up and that will be utilized for anonymous authentication. While this identity is set up by the website administrator, the best thing to do is to utilize anonymousAuthenticationUser for PHP applications and not to utilize setAclUser for Microsoft ASP.NET applications except your application has a particular requirement for a user to manage file right).

PHP apps are commonly executed as the anonymous user due to the fact the FastCGI settings commonly utilize the impersonation to be True (executed as anonymous user). ASP.NET apps basically execute as the worker process identity (application pool identity). If setAclUser is not spelled out, then the anonymousAuthenticationUser utilizes the app's Application Pool Identity to represent the identity for authorization.

Concluding Comment

The FileSystemRights lists stipulates the file system actions permitted allowed for a specific user account and which file system procedures are audited for a specific user account.

Utilize the FileSystemRights list when you want to generate an access rule with the FileSystemAccessRule category or when you want to generate an audit rule with the FileSystemAuditRule category.

This list is made up of a lot of granular structure rights values and many values that are a mixture of those granular values. It is simpler to utilize the merger values like FullControl, Read, and Write, instead of spelling out each element value individually.

Screenshots

How TO Set ACLs Through the Manifest.xml File in IIS

How TO Set ACLs Through the Manifest.xml File in IIS

How TO Set ACLs Through the Manifest.xml File in IIS

How TO Set ACLs Through the Manifest.xml File in IIS

Check out these top 3 Best web hosting services

Was this article helpful?