Version 2.0.0.1020, a brand new install on a new server for Deploy and Tentacle.
In an attempt to remove extra config transformations (http://help.octopusdeploy.com/discussions/questions/243-deleting-config-transformation-files-after-deploy), I am running this script:
Get-ChildItem .\ -Include *.debug.config,*.staging.config,*.release.config -Recurse | ForEach-Object { Remove-Item $_.FullName -Force }
It does not seem to work. So I opened a PowerShell prompt on the server and executed the script.
I got "access to the path is denied".
So, using Explorer, I went to delete the file and it prompted me that I would "need administrator permissions to delete the file". I am an administrator; I clicked Continue and of course it was deleted.
Looking at file permissions, SYSTEM as well as COMPUTER\Administrators have full control. COMPUTER\Users have read only.
So…
First issue: why can't the "Run a PowerShell script" task remove this file?
Second issue: permissions. Typically I grant read access to the app-pool virtual user. In addition, if the website needs write permission to folders (log folders, upload folders, etc.), I grant those at the folder level to this same user. The IIS_IUSRS group is also granted read only. This particular deployment is a REST service, so there are no files to access, but if it were a normal website I am not sure the permissions are set up correctly, as IUSR (the default anonymous user) does not have read rights to these folders. Something like this should be done:
Allow inheritance of read permissions in subfolders and files inside this directory
ICACLS <path_to_root> /INHERITANCE:R
Remove users from being able to access this directory (Only admins should have full access to the web root folder)
ICACLS <path_to_root> /remove Users
Allow read access to the Application Pool on the Web page folder (f:\wwwroot\Demo)
ICACLS <path_to_site> /grant "IIS AppPool\<app_pool_name>":(OI)(CI)R
(Of course I cannot execute the above from PowerShell in Octopus, as I get "access is denied" as stated above.)
As a further note, if the user has selected the identity to be "application pool identity", most likely the anonymous user should be configured to use the application pool identity as well (something like Set-WebConfigurationProperty -Filter /system.webServer/security/authentication/anonymousAuthentication -Name userName -Value "").
Thoughts?
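The steps described in the post (delete the leftover transforms, cut the web root off from inherited permissions, drop Users, grant the app pool identity read access, point anonymous authentication at the app pool identity), put together as one deployment script. This is an added example, not code from the original post or from Octopus Deploy; $SiteRoot, $SitePath, $AppPoolName and $SiteName are hypothetical values. It starts by reporting which account the script runs as and whether its token is elevated, which is the first thing to check when Remove-Item is denied on a file that Explorer can delete after a UAC prompt. It uses icacls /inheritance:d rather than /inheritance:r, because :d copies the inherited SYSTEM and Administrators entries before cutting inheritance, whereas :r removes every inherited entry and can leave only the owner with access.

```powershell
<#
  Added example, not code from the original post or from Octopus Deploy.
    1. report the account and token elevation the script runs under;
    2. delete leftover *.debug/*.staging/*.release.config transforms;
    3. apply the ICACLS layout from the post (inheritance cut, Users removed,
       app pool identity granted read on the site folder);
    4. point anonymous authentication at the application pool identity.
  $SiteRoot, $SitePath, $AppPoolName and $SiteName are hypothetical values.
#>
param(
    [string]$SiteRoot    = 'F:\wwwroot',       # hypothetical web root
    [string]$SitePath    = 'F:\wwwroot\Demo',  # hypothetical site folder
    [string]$AppPoolName = 'Demo',             # hypothetical app pool
    [string]$SiteName    = 'Demo'              # hypothetical IIS site
)
$ErrorActionPreference = 'Stop'

function Assert-Elevated {
    # A service account, or an admin account running without an elevated token,
    # cannot delete files that only Administrators/SYSTEM may modify, even though
    # the same user can delete them in Explorer after the UAC prompt.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $pr = New-Object System.Security.Principal.WindowsPrincipal($id)
    $ok = $pr.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    Write-Host "Running as $($id.Name); elevated: $ok"
    if (-not $ok) { throw "Token is not elevated; deletes and ACL changes under $SiteRoot will be denied." }
}

function Remove-ConfigTransforms([string]$Path) {
    # -Include takes several patterns but only filters together with -Recurse
    # (or a wildcard path); -Force also catches hidden and read-only files.
    Get-ChildItem -Path $Path -Recurse -Force `
        -Include '*.debug.config','*.staging.config','*.release.config' |
        ForEach-Object {
            Write-Host "Removing $($_.FullName)"
            Remove-Item -LiteralPath $_.FullName -Force
        }
}

function Invoke-Icacls([string[]]$Arguments) {
    # icacls reports failures through its exit code, not a terminating error.
    & icacls.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

function Set-WebRootAcl {
    # /inheritance:d stops inheriting from the parent but copies the inherited
    # entries first, so SYSTEM and Administrators keep their full control.
    Invoke-Icacls @($SiteRoot, '/inheritance:d')
    # Only admins should reach the web root: drop BUILTIN\Users.
    Invoke-Icacls @($SiteRoot, '/remove', 'Users')
    # Read access for the app pool identity on the site folder, inherited by
    # subfolders (CI) and files (OI). Note the backslash in the account name.
    $ace = "IIS AppPool\$AppPoolName" + ':(OI)(CI)R'
    Invoke-Icacls @($SitePath, '/grant', $ace)
    # Print the resulting ACL so the deployment log records it.
    & icacls.exe $SitePath
}

function Set-AnonymousToAppPoolIdentity {
    Import-Module WebAdministration
    # anonymousAuthentication is locked at the site level by default, so it is
    # set at the server level with a location tag for this site. An empty
    # userName makes IIS use the application pool identity for anonymous
    # requests, so the read ACE granted above is the one that applies to them.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
        -Filter '/system.webServer/security/authentication/anonymousAuthentication' `
        -Name 'userName' -Value ''
}

Assert-Elevated
Remove-ConfigTransforms -Path $SitePath
Set-WebRootAcl
Set-AnonymousToAppPoolIdentity
```

Run it once from an elevated PowerShell prompt on the server first: the "Running as ... elevated:" line tells you whether the account the deployment task uses is the same one you tested with in Explorer, and the final icacls listing shows the ACL the site actually ends up with.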