DotNetNuke Security Tip 2

In Professional DotNetNuke 4 by Shaun Walker et al., the chapter on installing DotNetNuke recommends that the minimum folder permissions for the anonymous web site user account include read and write access to the root installation folder and all child folders.
I experimented a bit and I found that I did not have to give write permissions. So far I have not found any loss of functionality in DotNetNuke as a result of limiting the folder permissions to read only.
I gave write and modify access to the /DesktopModules and /Portals folders, as recommended.
I have also been able to create a child portal without giving the Modify access right to all child folders under the root.
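
One way to apply and then check the layout described above, as an added PowerShell example (not code from the original post or from DotNetNuke). The site path and account name are parameters you supply, and the audit only looks at access rules that name that account directly, not rights gained through group membership.

```powershell
# Added example. $SiteRoot and $Account are supplied by you; nothing here is
# taken from DotNetNuke itself.
param(
    [Parameter(Mandatory = $true)][string]$SiteRoot,  # DotNetNuke root installation folder
    [Parameter(Mandatory = $true)][string]$Account    # account the web site runs as
)

# Folders the post leaves writable; everything else stays read-only.
$writable = 'DesktopModules', 'Portals'

# Read & execute on the root, inherited by child folders (CI) and files (OI).
# /grant:r replaces any earlier explicit grant for this account, such as Modify.
icacls $SiteRoot /grant:r "${Account}:(OI)(CI)RX" | Out-Null

# Modify on the two folders that need write access.
foreach ($name in $writable) {
    icacls (Join-Path $SiteRoot $name) /grant:r "${Account}:(OI)(CI)M" | Out-Null
}

# Audit: flag any top-level folder whose write access differs from the plan.
$write   = [int][System.Security.AccessControl.FileSystemRights]::WriteData
$folders = @(Get-Item $SiteRoot) +
           @(Get-ChildItem $SiteRoot | Where-Object { $_.PSIsContainer })

foreach ($dir in $folders) {
    $rules = @((Get-Acl $dir.FullName).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $write) -ne 0)
    })
    $canWrite = $rules.Count -gt 0
    $expected = $writable -contains $dir.Name

    if ($canWrite -ne $expected) {
        Write-Warning ("{0}: write access is {1}, expected {2}" -f $dir.FullName, $canWrite, $expected)
    } else {
        Write-Output ("{0}: OK (write access = {1})" -f $dir.FullName, $canWrite)
    }
}
```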

Comments

These permission settings will not work in all scenarios. When a new module, written using the ASP.NET 2.0 Web Site Project model, is installed, DotNetNuke may need to create a new App_Code folder and make alterations to the web.config file. Also, upgrades and installations may alter the web.config file as well. So, you should expect a few errors to crop up over time, but for general site operation, your permissions should work just fine.

Joe, thanks for the clarification on that point. The book doesn't give much detail on why those permission recommendations are made. However, the DNN 4 book is excellent overall and I have found it very helpful. You and Shaun and the others did a very good job with that book. I am not very familiar with the ASP.NET 2.0 Web Site project model. I prefer the new Web Application Project (WAP) model and that is what I almost exclusively use. It seems like the Reports module is currently struggling with problems related to the ASP.NET 2.0 Web Site project model. Is that true? I did a lot of testing on the Reports module installation problem. Even with all write and modify permissions, the Reports module still fails to install if DNN is running in Medium Trust. I had to temporarily change to Full Trust to install Reports, then I could change back to Medium.

Dave, the medium trust issues have to do with making changes to the web.config. We were using the configuration classes to perform maintenance on web.config. Apparently these classes were not designed with medium trust in mind. After discussions with Microsoft, we are moving back to doing direct XML manipulation of web.config to avoid Medium Trust issues.