Root Permissions (App_Data, App_Themes) Question

Posted by Community Admin on 03-Aug-2018 05:28

All Replies

Posted by Community Admin on 22-Feb-2011 00:00

I have only really just started working with Sitefinity 4.0 and it seems like an excellent CMS the more familiar I get with it. This is what I have done so far which has led me to worry about the site security as I'm not an expert on security so I need someone to set me straight. Please :-)

1. I installed Sitefinity on my own machine and created a new site using a database on the webserver I want to deploy it to, using SQL authentication.
2. I do not want to install Sitefinity on the webserver so I manually created a site in IIS and FTP'd the entire site to that location.
3. Brilliant stuff so far! All is good to this point.
4. I navigate to the site and get an error about the App_Data folder not having permissions. That's OK, so I then go to IIS on the webserver and give IIS_IUSRS Modify permissions to that folder! I know the App_Data folder is protected from the public so it's ok to do this.
5. The site renders great and I can log into it using the /sitefinity path.
6. Now I want to create a folder in the root called App_Themes via sitefinity/Administration/Files. BUT I don't have permissions to do it so I thought I'd be clever and give IIS_IUSRS modify permission for the entire ROOT which solved my problem.

Is this OK? Did I compromise the security of the entire site? I think it's OK as I can't access any of the folders via the browser but I'd like to know if anyone can advise me on this. Should I remove the IIS_IUSRS modify permission for the root and just apply it to the App_Themes and App_Data folders?

I know that the App_Themes folder should be in the App_Data folder for SF sites but I wanted to do it the Visual Studio way.

Thanks
Dave Stuart

Posted by Community Admin on 24-Feb-2011 00:00

Hi Dave,

Thank you for contacting Telerik Support.

Generally it is not a good practice to provide modify permissions for your entire folder structure of the website. It is recommended that you use the App_Data folder and follow this tutorial which explains how to use themes under the protected folder. We have a special mechanism for linking to items from the App_Data folder. As long as you register a folder as a theme folder under App_Data we create a special handler for it and then you can link to items without using App_Data in the path (as long as the resources are under a registered theme). It is recommended that you run with minimal permissions for the root folder and provide permissions only for specific files where you know that no sensitive data is stored.

Best wishes,
Radoslav Georgiev
the Telerik team
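
One way to check for and undo the root-wide grant discussed above, as an added example that is not part of the original thread or Telerik's own code. The site path is hypothetical, and it assumes IIS_IUSRS needs only read/execute outside App_Data.

```powershell
# Assumptions (not from the thread): the site path below, and that the worker
# process only needs read/execute outside App_Data.
$SiteRoot = 'C:\inetpub\wwwroot\SitefinitySite'   # hypothetical path
$Identity = 'BUILTIN\IIS_IUSRS'
$Writable = @('App_Data')                          # folders allowed to keep Modify

# Bits that let the identity change content; read/execute bits are left out on purpose.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Find-UnexpectedWriteAccess {
    param([string]$Root, [string]$Identity, [string[]]$Allowed)
    $rootFull = (Get-Item -LiteralPath $Root).FullName.TrimEnd('\')
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force)
    foreach ($dir in $dirs) {
        # The first path segment below the root decides whether writes are expected.
        $relative = $dir.FullName.Substring($rootFull.Length).TrimStart('\')
        $top = ($relative -split '\\')[0]
        if ($relative -and $Allowed -contains $top) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
            if ($ace.IdentityReference.Value -eq $Identity -and
                $ace.AccessControlType -eq 'Allow' -and
                ([int]($ace.FileSystemRights -band $WriteMask)) -ne 0) {
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Set-LeastPrivilege {
    param([string]$Root, [string]$Identity, [string[]]$Allowed)
    # Drop every explicit grant for the identity, then re-grant read/execute on the root.
    icacls $Root /remove:g $Identity /T /C | Out-Null
    icacls $Root /grant "${Identity}:(OI)(CI)RX" | Out-Null
    foreach ($name in $Allowed) {
        # Modify only where the CMS has to write.
        icacls (Join-Path $Root $name) /grant "${Identity}:(OI)(CI)M" | Out-Null
    }
}

# Report first; run Set-LeastPrivilege only after reviewing the findings.
Find-UnexpectedWriteAccess -Root $SiteRoot -Identity $Identity -Allowed $Writable |
    Format-Table -AutoSize
# Set-LeastPrivilege -Root $SiteRoot -Identity $Identity -Allowed $Writable
```

Run it from an elevated prompt on the web server. An empty report means IIS_IUSRS can write only under App_Data.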

Posted by Community Admin on 25-Feb-2011 00:00

Thanks for your response! We will review this process as suggested and adhere to the Telerik Sitefinity folder structure practices as I don't see an issue with this.

Thanks
Dave

This thread is closed