If you build a Windows Installer package, file permissions can be specified for your install. I am not aware of a way to do this directly in VS.NET setup projects; as far as I know, you have to use Orca and add the records manually to the LockPermissions table. There is also an msi task in NAntContrib, which I haven't used but which could most likely be set up to add the permission records.

I opted for setting permissions in code using a custom action during the msi installation. There is a library here for this purpose.

http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=e6098575-dda0-48b8-9abf-e0705af065d9

The library can be a little overbearing for simple use, and is not CLS-compliant (its AccessType enum is an unsigned flag enum, which VB cannot use). Here is a wrapper that is CLS-compliant and allows for usage like this in my installation:

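/// <summary>
/// Installation step (used from an msi custom action) that adds access-allowed
/// entries on the installed site for the ASP.NET worker account, the Users
/// group and the Administrators group.
/// </summary>
/// <remarks>
/// NOTE(review): the worker account receives GenericAll on the whole install
/// tree, which lets code running in the web application rewrite the
/// application's own binaries and configuration. Where the application only
/// needs to write to specific folders, grant GenericRead on the tree and
/// GenericWrite on those folders instead.
/// </remarks>
public void SetFilePermissions() {
        // Worker-process identity: "aspnet" by default, "network service" on Windows Server 2003.
        string workerAccount = "aspnet";

        OsVersionInfo info = new OsVersionInfo();
        if(info.IsOSWindowsServer2003) {
                workerAccount = "network service";
        }

        // Whole install tree, applied recursively.
        FilePermissionsManager.AddPermissions(InstallDirectory, workerAccount, FilePermissionType.GenericAll, true);
        // Path.Combine supplies the directory separator when InstallDirectory does not
        // end with one; plain concatenation would otherwise name a sibling path.
        FilePermissionsManager.AddPermissions(System.IO.Path.Combine(InstallDirectory, "file.txt"), workerAccount, FilePermissionType.GenericAll);
        // In case the .NET framework install didn't set this (IIS installed after framework).
        // Only the temp directory itself is passed (recursive = false).
        FilePermissionsManager.AddPermissions(GetSystemTempDirectory(), workerAccount, FilePermissionType.GenericAll, false);

        // Users group: read access on the install directory.
        FilePermissionsManager.AddPermissions(InstallDirectory, "Users", FilePermissionType.GenericRead);

        // Administrators group: full access on the whole install tree.
        FilePermissionsManager.AddPermissions(InstallDirectory, "Administrators", FilePermissionType.GenericAll, true);
}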



using System;
using System.IO;
using System.Collections;


namespace Microsoft.Win32.Security {
       
        public enum FilePermissionType {
                GenericAll = 0,
                GenericExecute = 1,
                GenericWrite = 2,
                GenericRead = 3
        }

        public sealed class FilePermissionsManager {
       
                private void New() {}

                public static void AddPermissions(string path, string user, FilePermissionType permissions) {
                        SecurityDescriptor descriptor;
                        Dacl dacl;
                        descriptor = SecurityDescriptor.GetFileSecurity(path, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION);
                        dacl = descriptor.Dacl;
                        dacl.AddAce(new AceAccessAllowed(new Sid(user), ConvertPermissions(permissions), AceFlags.OBJECT_INHERIT_ACE | AceFlags.CONTAINER_INHERIT_ACE));
                        descriptor.SetDacl(dacl);
                        descriptor.SetFileSecurity(path, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION);

                }

                public static void AddPermissions(string path, string user, FilePermissionType permissions, bool recursive) {
                        if(recursive) {
                                RecursePath(path, user, permissions);
                        }
                        else {
                                AddPermissions(path, user, permissions);
                        }
                }

                public static void RemovePermissions(string path,string user) {
                        SecurityDescriptor descriptor;
                        Dacl dacl;
                        descriptor = SecurityDescriptor.GetFileSecurity(path, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION);
                        dacl = descriptor.Dacl;
                        foreach(Ace ace in dacl) {
                                if ((ace.Sid.CanonicalName.ToLower() == user.ToLower()) || (ace.Sid.AccountName.ToLower() == user.ToLower())) {
                                        dacl.RemoveAces(ace.Sid);
                                        descriptor.SetDacl(dacl);
                                        descriptor.SetFileSecurity(path, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION);
                                        return;
                                }
                        }
                }

                private static void RecursePath(string path,string user, FilePermissionType permissions) {
                        // The path supplied
                        AddPermissions(path, user, permissions);
                        // All files in the folder
                        foreach(string f in Directory.GetFiles(path)) {
                                AddPermissions(f, user, permissions);
                        }
                        // Each subdirectory
                        foreach(string dir in Directory.GetDirectories(path)) {
                                RecursePath(dir, user, permissions);
                        }
                }

                private static AccessType ConvertPermissions(FilePermissionType permissions) {
                        // AccessType is a uint flag enum and cannot be used from vb, this is a conversion for vb compatibility
                        // TODO: Come up with a better way to convert this (hey it works for now)
                        switch (permissions) {
                                case FilePermissionType.GenericAll: {
                                        return AccessType.GENERIC_ALL;
                                }
                                case FilePermissionType.GenericExecute: {
                                        return AccessType.GENERIC_EXECUTE;
                                }
                                case FilePermissionType.GenericWrite: {
                                        return AccessType.GENERIC_WRITE;
                                }
                                case FilePermissionType.GenericRead: {
                                        return AccessType.GENERIC_READ;
                                }
                                default: {
                                        throw new ArgumentException(string.Format("Unrecognized permission type: {0}", permissions.ToString()));
                                }                                
                        }
                }
        }        
}


I have to deploy QA sites almost daily, as you mention. Keep in mind that if you use an msi package you will either have to uninstall the old site first (I am writing a custom task to do this today) or change the upgrade code (this is what I do), so that your msi will install as a new product and you can have multiple sites up.

Hope this helps,

Steve Baker



"Scott Hernandez" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]

05/19/2004 07:56 PM

       
        To:        "Jason Chaffee" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
        cc:        
        Subject:        Re: [Nant-users] Deployment automation



Take a look at the archives for messages about remote MSI install, and NTFS
acls stuff. I believe everything you need had been discussed before.

Mail-archive.com has nant archives; the sf.net stuff kinda works, but not
really.

http://www.mail-archive.com/[EMAIL PROTECTED]/msg00633.html
----- Original Message -----
From: "Jason Chaffee" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 19, 2004 11:41 AM
Subject: [Nant-users] Deployment automation


> Hello all, feel free to disregard the newby here.
> I am looking for documentation or some reference help in getting nant to
> work for deploying a webapp to a particular server.
> I have created multiple targets (ex. prod, test, staging).  I see that
> custom tasks can be built too.
> One problem I am having is finding a way to automate the
verification/setup
> of directory security.
> Are there tasks that can set NT permissions for a particular user? It
seems
> that this may need to be done manually.  I was also thinking of having
Nant
> kick off an msi package that sets the website up.
> Not sure what the best way to tackle this is, any input would be
> appreciated.
> The biggest problem with this is the number of sites we produce and deploy
> and the differences between each build. I might have to create a nant
build
> file for each site.
> thanks...
>
>
>
>


