Dave's Tech Shop

if your tech is broken, bring it in for repairs

DotNetNuke Security Tip 2

In Professional DotNetNuke 4 by Shaun Walker et al., the chapter on Installing DotNetNuke recommends that the minimum folder permissions for the anonymous web site user account include read and write access to the root installation folder and all child folders.

I experimented a bit and I found that I did not have to give write permissions. So far I have not found any loss of functionality in DotNetNuke as a result of limiting the folder permissions to read only.

I gave write and modify access to the /DesktopModules and /Portals folders, as recommended.

I have also been able to create a child portal without giving the Modify access right to all child folders under the root.

Posted on Wednesday, October 11, 2006 5:58 PM
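
One way to apply and then verify the permission layout described in the post, as an added example that is not part of the original post. The install path and account name are placeholders, and `icacls` with PowerShell 3 or later is assumed to be available on the server.

```powershell
# Added example, not from the original post.
# $SiteRoot and $Account are placeholders (assumptions): use the DotNetNuke
# install folder and the anonymous web site user account on your server.
param(
    [string]$SiteRoot = 'C:\inetpub\wwwroot\DotNetNuke',
    [string]$Account  = 'WEBSERVER\IUSR_WEBSERVER'
)
$SiteRoot = (Resolve-Path $SiteRoot).Path.TrimEnd('\')
$writable = 'DesktopModules', 'Portals'   # the two folders the post names

# Root: read and execute only, inherited by child folders (CI) and files (OI).
# /grant:r replaces any explicit rights previously granted to the account,
# such as an earlier read/write grant on the root.
icacls $SiteRoot /grant:r "${Account}:(OI)(CI)RX"

# Modify (which includes write) only where the post keeps it.
foreach ($name in $writable) {
    icacls (Join-Path $SiteRoot $name) /grant:r "${Account}:(OI)(CI)M"
}

# Audit: report folders outside the two exceptions where the account still
# holds an Allow entry with write bits, e.g. an explicit grant left behind on
# a child folder. Rights obtained through group membership are not checked.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'
$folders = @(Get-Item $SiteRoot) + @(Get-ChildItem $SiteRoot -Directory -Recurse)
foreach ($dir in $folders) {
    $relative = $dir.FullName.Substring($SiteRoot.Length).TrimStart('\')
    if ($relative -and ($writable -contains $relative.Split('\')[0])) { continue }
    foreach ($rule in (Get-Acl -Path $dir.FullName).Access) {
        if ($rule.IdentityReference.Value -eq $Account -and
            $rule.AccessControlType -eq 'Allow' -and
            ([int]$rule.FileSystemRights -band $writeBits) -ne 0) {
            [pscustomobject]@{ Folder = $dir.FullName; Rights = $rule.FileSystemRights }
        }
    }
}
```

No output from the audit loop means the account has no explicit write entry outside /DesktopModules and /Portals. Operations that create folders under the root or change web.config will fail under this layout until write access is granted for them.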

Feedback

# re: DotNetNuke Security Tip 2 10/12/2006 8:56 AM Joe Brinkman

These permission settings will not work in all scenarios. When a new module, written using the Asp.Net 2.0 Web Site Project model, is installed, DotNetNuke may need to create a new App_Code folder and make alterations to the web.config file. Also, upgrades and installations may alter the web.config file as well.
So, you should expect a few errors to crop up over time, but for general site operation, your permissions should work just fine.

# re: DotNetNuke Security Tip 2 10/12/2006 11:41 AM Dave

Joe, thanks for the clarification on that point. The book doesn't give much detail on why those permission recommendations are made. However, the DNN 4 book is excellent overall and I have found it very helpful. You and Shaun and the others did a very good job with that book.

I am not very familiar with the ASP.NET 2.0 Web Site project model. I prefer the new Web Application Project (WAP) model and that is what I almost exclusively use.

It seems like the Reports module is currently struggling with problems related to the ASP.NET 2.0 Web Site project model. Is that true? I did a lot of testing on the Reports module installation problem. Even with all write and modify permissions, the Reports module still fails to install if DNN is running in Medium Trust. I had to temporarily change to Full Trust to install Reports, then I could change back to Medium.

# re: DotNetNuke Security Tip 2 10/12/2006 11:58 AM Joe Brinkman

Dave,
The medium trust issues have to do with making changes to the web.config. We were using the configuration classes to perform maintenance on web.config. Apparently these classes were not designed with medium trust in mind. After discussions with Microsoft, we are moving back to doing direct XML manipulation of web.config to avoid Medium Trust issues.
