File Permissions on IIS

Hi folks,

I'm trying to install Drupal on IIS6 and think I have some file permissions issues. I've made it past the database screen on the installer, but am getting this php error:

PHP Warning: fopen(./sites/default/settings.php) [function.fopen]: failed to open stream: Permission denied in C:\Inetpub\wwwroot\includes\install.inc

It appears the Internet Guest Account has Read and Execute permissions on everything. What else could I look for?

Comments

The IIS_WPG group needs

The IIS_WPG group needs permissions to read/execute the folders/files as well.

chicagomom on Twitter and d.o.

got it

Thanks! Works now.

For those of us more familiar with Linux permissions, is there a table of "recommended" permissions for Drupal on Windows somewhere?

--
Dan Katz
Solutions Architect, Acquia

I think that would be a

I think that would be a great addition to the wiki. Can you tell me, how did you put the Drupal distro files into your site's directory? Did you copy them from another directory, cut/paste them, or unzip them directly into the wwwroot/mysite directory? Did you set up a virtual directory first? I know some people have difficulties when cutting/pasting instead of copying (like SELinux, I believe); copy/paste allows the pasted stuff to inherit the IIS machine group permissions.

chicagomom on Twitter and d.o.

I actually pulled them in

I actually pulled them in using the svn repository from Acquia.

--
Dan Katz
Solutions Architect, Acquia

Generally, the quickest way

Generally, the quickest way to get the IIS_WPG group (or IIS_IUSRS on IIS7) to be able to read your site's files is to create the site in IIS Manager, then unpack your Drupal files into a temporary directory somewhere on your disk and then copy/paste them into your website's folder. IIS_WPG automatically gets access to these when a new website is created. Copy/paste permits the process group to gain these permissions. Otherwise, you have to specify that the group should have read/execute permissions.

Extra, completely gratuitous background

The bad days: worker processes roam the countryside
OK probably more than you wanted to know, but since you asked... In IIS5, the worker processes that ran web apps ran wild across the server's countryside because they ran as a user called LocalSystem, which had promiscuous access to just about everything on the disk (bad worker process, bad). Well on IIS6+ MS introduced the idea of process pools to (among other things) isolate web apps and keep them from accessing stuff they shouldn't. On IIS6 the IIS_WPG group account is the de-facto worker process pool owner and it has far fewer rights to stuff elsewhere on disk.

A new day: Every worker gets his own pool!
However, best security practices actually call for one to NOT use IIS_WPG itself to handle your application's process pool; rather, MS suggests each site/app should have its own separate "process" user to isolate things; this process pool user would be a member of the IIS_WPG group, and then when you create your site you specify that user as the site's process pool user. Here's a long-winded explanation of why/how to do this, including some handy vbscript to automate that user creation task. It also contains an important cautionary note about some stuff that needs to be enabled for these custom accounts to access CGI.

In IIS7 they made it even easier to do this, and changed the group's name from IIS_WPG to IIS_IUSRS just because they're sadists and like confusing people. On IIS7, when you create a new application or site you can create a new process pool, and the pool user (which is now not a user at all but a "token") is created and added to IIS_IUSRS automatically.

So to make a short story long, these groups (IIS_WPG and IIS_IUSRS) exist as a way for us to isolate our app's processes, which is a good thing security-wise. Members of these groups that you want running your apps need read/execute permissions to your drupal files so they can do the processing.

chicagomom on Twitter and d.o.
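Added example (not from anyone in this thread): a PowerShell script that audits whether the worker-process group has Read & Execute on the site root and on sites/default/settings.php (the file the installer choked on), and grants it with inheritance when run with -Fix. It assumes the site root is C:\Inetpub\wwwroot and that you pass IIS_WPG on IIS6 or IIS_IUSRS on IIS7 and later.

```powershell
# Audit and optionally grant the IIS worker-process group Read & Execute on a
# Drupal site. Assumed defaults: site root C:\Inetpub\wwwroot, group IIS_WPG
# (use IIS_IUSRS on IIS7+). Run from an elevated PowerShell prompt.
param(
    [string]$SitePath    = 'C:\Inetpub\wwwroot',
    [string]$WorkerGroup = 'IIS_WPG',
    [switch]$Fix
)

$needed = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Test-WorkerGroupAccess {
    param([string]$Path, [string]$Group)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Only an Allow ACE for this group (e.g. BUILTIN\IIS_IUSRS or
        # MACHINENAME\IIS_WPG) counts; Deny ACEs and other identities are skipped.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notmatch "\\$([regex]::Escape($Group))$") { continue }
        # Every bit of ReadAndExecute must be present in this single ACE.
        if (($ace.FileSystemRights -band $needed) -eq $needed) { return $true }
    }
    return $false
}

# Check the root and the file the installer failed on: a file whose inheritance
# was disabled can lack rights even when the folder above it is fine.
$targets = @($SitePath, (Join-Path $SitePath 'sites\default\settings.php'))
foreach ($t in $targets) {
    if (-not (Test-Path -Path $t)) { Write-Warning "missing: $t"; continue }
    if (Test-WorkerGroupAccess -Path $t -Group $WorkerGroup) {
        Write-Host "OK       $WorkerGroup has Read & Execute on $t"
    } else {
        Write-Host "MISSING  $WorkerGroup lacks Read & Execute on $t"
    }
}

if ($Fix) {
    # Read & Execute only, inherited by subfolders and files. No Write/Modify,
    # so the worker process cannot alter the code it serves.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $WorkerGroup, $needed, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl = Get-Acl -Path $SitePath
    $acl.AddAccessRule($rule)
    Set-Acl -Path $SitePath -AclObject $acl
    Write-Host "Granted $WorkerGroup Read & Execute on $SitePath (inherited)"
}
```

Re-run without -Fix afterwards: if settings.php still shows MISSING, inheritance was broken on that file and it needs the ACE applied directly.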

thanks!

Thanks for the info!

--
Dan Katz
Solutions Architect, Acquia