8

I've got a Windows Docker container (microsoft/aspnet) that is hosting a simple Web API. The web API accepts files from a form, saves them in a temp folder, does some processing, and then returns the result.

This works fine when deployed locally, but when done in my Docker container, I get a file permissions error on my temp folder (App_Data).

Is there a way to grant the IIS user the code is running as access to this file, or to open up the folder to any user for read/write access?

Current Docker file is below:

```dockerfile
FROM microsoft/aspnet

COPY ./Deploy/ /inetpub/wwwroot

RUN mkdir /inetpub/wwwroot/App_Data
```

Error message snippet I get running API from docker image:

```
"InnerException":{"Message":"An error has occurred.","ExceptionMessage":"Access to the path 'C:\\inetpub\\wwwroot\\App_Data\\BodyPart_481b6424-f9a5-4608-894d-406145a48445' is denied.","ExceptionType":"System.UnauthorizedAccessException"
```

It looks like there is a bug open on the aspnet-docker GitHub about this same issue. [link]

In the meantime, it looks like running `cacls App_Data /G IIS_IUSRS:F` after starting the container fixes the issue temporarily.

Darendal
  • Add `User Administrator` after `From` and remove -Credential from RUN statement – Gregory Suvalian Mar 23 '18 at 23:26
  • @GregorySuvalian Also, not sure where I should add `User Administrator`.. The `FROM` line only supports an image and a tag, and neither have a space, and I can't find an image/tag with that name – Darendal Mar 23 '18 at 23:50
  • I meant put on new line `User Administrator`. See here https://social.msdn.microsoft.com/Forums/en-US/65e5e7d0-db0d-4dd4-b5f0-ab88aeb5cc27/build-image-from-nanoserver1709-get-an-access-denied-when-trying-to-set-system-variables-run-setx?forum=windowscontainers – Gregory Suvalian Mar 24 '18 at 01:06
  • Use PowerShell or `cacls` to grant IIS_IUSRS write permissions on `App_Data` folder in your `Dockerfile`. Also grant anonymous account the same permissions if you use anonymous authentication. – Lex Li Mar 24 '18 at 02:29
  • @GregorySuvalian adding the `USER Administrator` line as suggested gives the following error: `error during CreateProcess: failure in a Windows system call: The user name or password is incorrect.` – Darendal Mar 26 '18 at 15:18
  • Is the error you specified coming from the WebAPI running inside the container, or from the build/run stage? – Gregory Suvalian Mar 26 '18 at 18:45
  • @GregorySuvalian Sorry, coming from the Docker build process – Darendal Mar 26 '18 at 19:15
  • See if the issue only appears if you replace `microsoft/aspnet` with `microsoft/aspnet:4.7.1-windowsservercore-ltsc2016` – Gregory Suvalian Mar 26 '18 at 22:47
  • Also which version of Windows 10 are you running? Is it 1709 or below that? – Gregory Suvalian Mar 26 '18 at 22:53
  • @GregorySuvalian Same issue using `microsoft/aspnet:4.7.1-windowsservercore-ltsc2016` as suggested. Still seeing the same CreateProcess error when running `docker build`. Running latest version of Windows, v1709 and up-to-date Docker. – Darendal Mar 27 '18 at 21:36
  • Can you post the simplest reproduction steps you can find which will show the issue? It does not happen to me – Gregory Suvalian Mar 28 '18 at 00:09

3 Answers

15

Unclear why, but `cacls` doesn't seem to be working when run as part of building the container. Switched to using `icacls`, and was able to grant the `IIS_IUSRS` permissions on the folder.

Line added to dockerfile:

```dockerfile
RUN icacls 'C:\inetpub\wwwroot\App_Data' /grant 'IIS_IUSRS:(F)'
```

Darendal
  • This helped me solve an issue with a SQLite db in my Docker image (was running into [this error](https://stackoverflow.com/questions/3319112/sqlite-read-only-database)). Just had to add a `/t` flag to the `icacls` command to grant access to all sub-folders. – dillonius01 Jul 06 '18 at 14:31
  • @dillonius01 can you specify the complete command by adding `/t`, for better readability in the comment, for people who require subfolder access as well – vibs2006 May 14 '23 at 13:05
4

I can't comment as I don't have enough reputation, but if the answer by @Darendal doesn't work (which it did not for me), then try this syntax

```dockerfile
RUN icacls C:\inetpub\wwwroot\App_Data /grant "BUILTIN\IIS_IUSRS:(OI)(CI)F" /t
```

Tazz
  • Thanks for that version. (OI) = directories object inherit. (CI) = directories container inherit. I needed that to set the permissions once and have future new files inherit the same permissions. – Jean-François L'Heureux Jan 08 '21 at 14:46
0

My Dockerfile did not accept any of the other answers. Below is one more alternative.

```dockerfile
FROM mcr.microsoft.com/dotnet/framework/aspnet:4.8
SHELL ["powershell"]
RUN & ICACLS "'C:\inetpub\wwwroot\App_Data'  /grant 'IIS APPPOOL\DefaultAppPool:(OI)(CI)F' /T"
```

mybrave
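
As an added example (not code from any of the posts above), a Dockerfile that combines the answers' `icacls` grant and `(OI)(CI)` inheritance flags with a build-time check of the resulting ACL. It assumes the API only needs to create, read, change and delete files in `App_Data`, so it grants Modify (`M`) instead of the Full control (`F`) used in the answers; the `SHELL` line and the verification step are also additions.

```dockerfile
# escape=`
# Added example; image tag and paths are taken from the posts above.
FROM mcr.microsoft.com/dotnet/framework/aspnet:4.8

# Run every RUN line in PowerShell and stop on the first PowerShell error.
SHELL ["powershell", "-NoProfile", "-Command", "$ErrorActionPreference = 'Stop';"]

COPY ./Deploy/ /inetpub/wwwroot

# Create the upload folder and grant the IIS worker group Modify rights.
# (OI)(CI) makes files and subfolders created later inherit the entry.
# Assumption: the app never has to change ACLs or take ownership, which is
# what Full control (F) would add on top of Modify (M).
# icacls is a native command, so its exit code is checked explicitly.
RUN New-Item -ItemType Directory -Force -Path C:\inetpub\wwwroot\App_Data | Out-Null; `
    icacls C:\inetpub\wwwroot\App_Data /grant 'BUILTIN\IIS_IUSRS:(OI)(CI)M'; `
    if ($LASTEXITCODE -ne 0) { throw 'icacls failed' }

# Fail the build if the explicit entry is missing or lacks Modify rights,
# then print it so the build log records what was actually granted.
RUN $modify = [System.Security.AccessControl.FileSystemRights]::Modify; `
    $ace = (Get-Acl C:\inetpub\wwwroot\App_Data).Access | `
      Where-Object { `
        $_.IdentityReference.Value -eq 'BUILTIN\IIS_IUSRS' -and `
        -not $_.IsInherited -and `
        $_.AccessControlType -eq 'Allow' -and `
        ($_.FileSystemRights -band $modify) -eq $modify }; `
    if (-not $ace) { throw 'Expected Modify entry for IIS_IUSRS not found on App_Data' }; `
    $ace | Format-List IdentityReference, FileSystemRights, InheritanceFlags
```

If the site runs under a different identity, such as the `IIS APPPOOL\DefaultAppPool` account from the last answer, substitute that name in both `RUN` steps.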