
I've been trying to give the IIS APPPOOL\DefaultAppPool user write permissions to two folders under the wwwroot folder using the .ebextensions container_commands.

There are two scenarios that I need to cover:

  1. Be able to grant the DefaultAppPool user write permissions when publishing to a new EBS environment where the wwwroot folder does not contain my solution when .ebextensions run.
  2. Be able to republish to an existing EBS environment and keep the DefaultAppPool write permissions where the wwwroot folder does contain my solution when .ebextensions run.

I have been able to perform the latter but not the former. The former fails because I'm specifying the path to the folders under wwwroot whose permissions I want to change, but the solution has yet to be deployed to wwwroot, resulting in an error message: "The system cannot find the file specified."

I've tried another approach where I give DefaultAppPool write permissions to the whole wwwroot folder, hoping that when the project is extracted, the newly added folders would inherit the permissions from wwwroot. When I do this and log the output of the icacls command to a file, I can verify that the write permissions are indeed added for wwwroot. In spite of being able to verify that the write permissions are added when the .ebextensions run, they somehow get changed back to their original state (only read) later in the deployment process, likely by:

c:\Program Files\Amazon\ElasticBeanstalk\Tools\Deploy.exe

This is the .config file I used to verify that the permissions changed:

```yaml
container_commands:
  # List the contents of wwwroot before the change
  00_dir:
    command: dir c:\inetpub\wwwroot >> c:\cfn\perms.log 2>&1
    waitAfterCompletion: 0
  # Log the ACL on wwwroot before the change
  01_what_perms:
    command: icacls.exe c:\\inetpub\\wwwroot >> c:\\cfn\\perms.log 2>&1
    waitAfterCompletion: 0
  # Grant write, inherited by files (OI) and subfolders (CI)
  02_changeperm:
    command: icacls.exe c:\\inetpub\\wwwroot /grant "IIS AppPool\DefaultAppPool":(OI)(CI)W >> c:\\cfn\\perms.log 2>&1
    waitAfterCompletion: 0
  # Log the ACL on wwwroot after the change
  03_what_perms:
    command: icacls.exe c:\\inetpub\\wwwroot >> c:\\cfn\\perms.log 2>&1
    waitAfterCompletion: 0
  # List the contents of wwwroot after the change
  04_dir:
    command: dir c:\inetpub\wwwroot >> c:\cfn\perms.log 2>&1
    waitAfterCompletion: 0
```

Thus I ask:

  1. Is there a way to grant the DefaultAppPool user write permissions to these two folders that works both when publishing to a new EBS environment and when republishing to an existing one?

  2. Is there a way to run commands after the application has been deployed to wwwroot, but not before as container_commands do?

  3. When I look at the logs from my .ebextensions .config files I see that they are run twice, is that normal?

Starkadur
  • Granting write permissions under `wwwroot` is dangerous. Why do you need it? Can you find another solution? It won't scale if 2+ EC2 instances are used. – Matt Houser Jul 28 '16 at 14:31
  • I'm currently moving a demo of a .NET application to AWS and as the application is implemented it requires the ability to write to two different folders within `wwwroot`. I want to minimize the amount of changes done on the source code and that's why I want to allow the DefaultAppPool user to write to these two folders. But I agree that it is a suboptimal solution to my problem. As for the scaling aspect, I will only run this demo in one instance. – Starkadur Jul 28 '16 at 15:52
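
The check the question performs with `icacls` can also be done per folder in PowerShell. The following is an added example, not code from the original post: it lists every Allow ACE under `c:\inetpub\wwwroot` that gives an application pool identity write access, and shows whether each ACE is explicit or inherited. The parameter names and the `IIS APPPOOL\*` wildcard are assumptions.

```powershell
# Added example (not from the original post): report Allow ACEs that give an
# IIS application pool identity write access at or below the web root.
param(
    [string]$Root = 'C:\inetpub\wwwroot',        # path taken from the question
    [string]$IdentityPattern = 'IIS APPPOOL\*'   # -like wildcard (assumption)
)

$Rights = [System.Security.AccessControl.FileSystemRights]

# Specific write-type bits, plus the generic bits that Get-Acl shows as raw
# numbers instead of names: GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000).
$writeMask = [int]($Rights::WriteData -bor $Rights::AppendData -bor
                   $Rights::WriteAttributes -bor $Rights::WriteExtendedAttributes -bor
                   $Rights::Delete -bor $Rights::DeleteSubdirectoriesAndFiles) -bor
             0x40000000 -bor 0x10000000

# The root folder itself plus every subfolder that currently exists.
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notlike $IdentityPattern) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

        [pscustomobject]@{
            Path        = $item.FullName
            Identity    = $ace.IdentityReference.Value
            Rights      = $ace.FileSystemRights
            Inherited   = $ace.IsInherited       # False = set directly on this folder
            Inheritance = $ace.InheritanceFlags  # ContainerInherit/ObjectInherit = (CI)/(OI)
            Propagation = $ace.PropagationFlags  # InheritOnly = does not apply to the folder itself
        }
    }
}

$findings | Format-Table -AutoSize
```

Running it once when the `container_commands` finish and again after the deployment completes shows whether the explicit ACE on `wwwroot` is still present and which subfolders inherited it.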

0 Answers