IIS Server Security - IIS 6 Logfiles inherit permissions attribute

ThomsonWest

2005-05-09, 5:52 pm

During our build process and IIS 6 install we move the IIS log files to a
non-OS partition local to the server and set the NTFS permissions to allow a
specific user group read access to the IIS logfiles directory. Once a user
hits the website IIS creates a directory W3svcX for each site. In doing so
the inherit permissions attribute does not carry down from the parent
directory to the IIS logfiles directory (W3SVC?) as it did in IIS 5.

Any suggestions short of pre-creating each "W3svcX" directory that will
allow IIS to create the log file directory and log file so the NTFS
permissions we set in our install process also carry down to the directories
IIS creates? Manually creating a directory at the parent will have the
inherit permissions checked in the same directory without any issues.

Thanks

Jeff Cochran

2005-05-10, 7:49 am

On Mon, 9 May 2005 14:28:04 -0700, "ThomsonWest"
<ThomsonWest@discussions.microsoft.com> wrote:

>During our build process and IIS 6 install we move the IIS log files to a
>non-OS partition local to the server and set the NTFS permissions to allow a
>specific user group read access to the IIS logfiles directory. Once a user
>hits the website IIS creates a directory W3svcX for each site. In doing so
>the inherit permissions attribute does not carry down from the parent
>directory to the IIS logfiles directory (W3SVC?) as it did in IIS 5.


That's a Windows thing. Make sure the appropriate accounts in your
group have the appropriate rights. Check a Windows admin group for
help and further details.

>Any suggestions short of pre-creating each "W3svcX" directory that will
>allow IIS to create the log file directory and log file so the NTFS
>permissions we set in our install process also carry down to the directories
>IIS creates? Manually creating a directory at the parent will have the
>inherit permissions checked in the same directory without any issues.


Again, not an IIS issue but rather a Windows administration issue.
You could script the directory creation before the logfiles are
written of course, along with scripting correct permissions.

Jeff
Ducks

2005-05-10, 6:01 pm

We are scripting the move of the IIS logfiles and setting the appropriate
permissions at the root directory for the IIS logfiles, d:\data\iis\logfiles.
The issue occurs when IIS creates the W3SVC directory and log file, the
permissions we set at d:\data\iis\logfiles directory with the inherit
permissions enabled do not carry down to the directory W3SVC that IIS creates
when the site is hit for the first time. The same behavior holds true if we
leave the extended logging pointed to the default logging directory when IIS
installed. Only permissions that are set at "W3SVC, which IIS creates" are
the "default permissions" for IIS for this directory which are Administrator
and the System accounts. If a file is manually created at this location the
new folder carries the inherit permissions attribute flag as expected.

Bernard

2005-05-11, 2:49 am

Not sure if this is by design, but those log paths created by IIS will NOT
inherit the permissions from parent directory. I know, it's really
troublesome to manually set it, but that's the only way to change it. You
can try tools like xcacls.exe to set it.

--
Regards,
Bernard Cheah
http://www.microsoft.com/iis/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/



David Wang [Msft]

2005-05-11, 7:49 am

It is by design.

HTTP.SYS will set its own ACLs when it creates the log file and directory.

If the logfile's directory is already there, then HTTP.SYS will use the
existing ACLs.

We did know about this before release, and the current behavior is a
compromise (it used to be HTTP.SYS sets its own ACLs, period).

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//


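The workaround that follows from David Wang's explanation, as an added example that is not part of the original thread: pre-create each W3SVC directory under the log root so HTTP.SYS reuses the existing ACLs, then verify that every log directory inherits the read grant. The site identifiers and the group name `EXAMPLE\IISLogReaders` are assumptions; `d:\data\iis\logfiles` is the path given in the thread, and the script assumes a host with PowerShell 3.0 or later.

```powershell
# Added example, not from the thread. Assumed values: $SiteIds, $ReaderGroup.
param(
    [string] $LogRoot     = 'D:\data\iis\logfiles',   # path from the thread
    [int[]]  $SiteIds     = @(1, 2, 3),               # assumed site identifiers
    [string] $ReaderGroup = 'EXAMPLE\IISLogReaders'   # placeholder group
)
$ErrorActionPreference = 'Stop'
$fsr = [System.Security.AccessControl.FileSystemRights]

# 1. Grant the group read access on the root, inheritable by folders and files.
New-Item -ItemType Directory -Path $LogRoot -Force | Out-Null
$rootAcl = Get-Acl -Path $LogRoot
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ReaderGroup, $fsr::ReadAndExecute, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$rootAcl.AddAccessRule($rule)
Set-Acl -Path $LogRoot -AclObject $rootAcl

# 2. Pre-create each W3SVC<id> directory so it exists before the first request.
foreach ($id in $SiteIds) {
    $dir = Join-Path $LogRoot "W3SVC$id"
    if (-not (Test-Path -Path $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null   # inherits from root
    } else {
        # Directory already exists with inheritance switched off: switch it on.
        $acl = Get-Acl -Path $dir
        if ($acl.AreAccessRulesProtected) {
            $acl.SetAccessRuleProtection($false, $false)
            Set-Acl -Path $dir -AclObject $acl
        }
    }
}

# 3. Report any log directory that still blocks inheritance or lacks the grant.
$failed = Get-ChildItem -Path $LogRoot -Directory -Filter 'W3SVC*' | Where-Object {
    $acl = Get-Acl -Path $_.FullName
    $hasRead = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ReaderGroup -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $fsr::Read) -eq $fsr::Read
    }
    $acl.AreAccessRulesProtected -or -not $hasRead
}
if ($failed) {
    $failed | ForEach-Object { Write-Warning "ACL not as expected: $($_.FullName)" }
    exit 1
}
Write-Output "All W3SVC log directories inherit read access for $ReaderGroup."
```

Run it during the build, before any site receives its first request, since that first hit is when the directory is otherwise created with its own ACLs. Step 3 can also be scheduled on its own as a periodic check that catches directories created later for new sites.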

Bernard

2005-05-16, 7:48 am

And I assume this will be the same for 7 as well?

--
Regards,
Bernard Cheah
http://www.microsoft.com/iis/
http://www.iiswebcastseries.com/
http://www.msmvps.com/bernard/





Copyright 2003 - 2008 webservertalk.com