#5 Improve folder permissions and AppPool/Website naming.

README.md

@@ -36,6 +36,7 @@ Feel free to use it as-is or as a reference implementation for your own C#-based
 | enabled | bool | no | true | Enables/Disables the Nomad IIS Plugin |
 | stats_interval | string | no | 3s | Defines the interval how often the plugin should report driver statistics to Nomad. The smallest possible value is 1s. |
 | fingerprint_interval | string | no | 30s | Defines the interval how often the plugin should report the driver's fingerprint to Nomad. The smallest possible value is 10s. |
+| directory_security | bool | no | true | Enables Directory Permission Management for [Filesystem Isolation](#-filesystem-isolation). |
 
 **Example**
 

src/NomadIIS/Services/ConfigSchemas.cs

@@ -55,7 +55,31 @@ public static class ConfigSchemas
 							Required = false
 						}
 					}
-				}
+				},
+				{
+					"directory_security", new Spec()
+					{
+						Default = new Default()
+						{
+							Primary = new Spec()
+							{
+								Attr = new Attr()
+								{
+									Name = "directory_security",
+									Type = "bool",
+									Required = false
+								}
+							},
+							Default_ = new Spec()
+							{
+								Literal = new Literal()
+								{
+									Value = "true"
+								}
+							}
+						}
+					}
+				},
 			}
 		}
 	};

src/NomadIIS/Services/Grpc/BaseService.cs

@@ -53,6 +53,7 @@ public override Task<SetConfigResponse> SetConfig ( SetConfigRequest request, Se
 		_logger.LogInformation( nameof( SetConfig ) );
 
 		var enabled = true;
+		var directorySecurity = true;
 		TimeSpan? statsInterval = null;
 		TimeSpan? fingerprintInterval = null;
 
@@ -90,9 +91,12 @@ public override Task<SetConfigResponse> SetConfig ( SetConfigRequest request, Se
 
 				fingerprintInterval = interval.Value;
 			}
+
+			if ( config.TryGetValue( "directory_security", out var rawDirectorySecurity ) && rawEnabled is bool vDirectorySecurity )
+				directorySecurity = vDirectorySecurity;
 		}
 
-		_managementService.Configure( enabled, statsInterval, fingerprintInterval );
+		_managementService.Configure( enabled, statsInterval, fingerprintInterval, directorySecurity );
 
 		return Task.FromResult( new SetConfigResponse() );
 	}

src/NomadIIS/Services/IisTaskHandle.cs

@@ -8,6 +8,8 @@
 using System.Linq;
 using System.Security.AccessControl;
 using System.Security.Cryptography.X509Certificates;
+using System.Security.Principal;
+using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
 
@@ -190,7 +192,8 @@ await _owner.LockAsync( async serverManager =>
 			}
 		} );
 
-		SetupDirectoryPermissions();
+		if ( _owner.DirectorySecurity )
+			SetupDirectoryPermissions();
 
 		await SendTaskEventAsync( $"Application started, Name: {_appPoolName}" );
 
@@ -390,7 +393,25 @@ public void Dispose ()
 	}
 
 	private static string GetAppPoolName ( TaskConfig taskConfig )
-		=> $"{taskConfig.AllocId}-{taskConfig.Name}";
+	{
+		var rawName = $"{taskConfig.AllocId}-{taskConfig.Name}";
+
+		var invalidChars = ApplicationPoolCollection.InvalidApplicationPoolNameCharacters()
+			.Union( SiteCollection.InvalidSiteNameCharacters() )
+			.ToArray();
+
+		var sb = new StringBuilder();
+
+		foreach ( var c in rawName )
+		{
+			if ( invalidChars.Contains( c ) )
+				sb.Append( '_' );
+			else
+				sb.Append( c );
+		}
+
+		return sb.ToString();
+	}
 
 	private ApplicationPool GetApplicationPool ( ServerManager serverManager )
 		=> FindApplicationPool( serverManager ) ?? throw new KeyNotFoundException( $"No AppPool with name {_appPoolName} found." );
@@ -421,21 +442,23 @@ private async Task SendTaskEventAsync ( string message )
 	private void SetupDirectoryPermissions ()
 	{
 		// https://developer.hashicorp.com/nomad/docs/concepts/filesystem
+		// https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/www-authentication-authorization/default-permissions-user-rights
+		// https://stackoverflow.com/questions/51277338/remove-users-group-permission-for-folder-inside-programdata
 
 #pragma warning disable CA1416 // Plattformkompatibilität überprüfen
 
 		var identity = $"IIS AppPool\\{_appPoolName}";
 
 		var allocDir = new DirectoryInfo( _taskConfig!.AllocDir );
 
-		SetupDirectory( @"alloc\data", FileSystemRights.FullControl );
-		SetupDirectory( @"alloc\logs", FileSystemRights.FullControl );
-		SetupDirectory( @"alloc\tmp", FileSystemRights.FullControl );
-		SetupDirectory( $@"{_taskConfig.Name}\local", FileSystemRights.FullControl );
-		SetupDirectory( $@"{_taskConfig.Name}\secrets", FileSystemRights.Read );
-		SetupDirectory( $@"{_taskConfig.Name}\tmp", FileSystemRights.FullControl );
-
-		void SetupDirectory( string subDirectory, FileSystemRights fileSystemRights )
+		SetupDirectory( @"alloc\data", FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit );
+		SetupDirectory( @"alloc\logs", FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit );
+		SetupDirectory( @"alloc\tmp", FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit );
+		SetupDirectory( $@"{_taskConfig.Name}\local", FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit );
+		SetupDirectory( $@"{_taskConfig.Name}\secrets", FileSystemRights.Read, InheritanceFlags.ObjectInherit );
+		SetupDirectory( $@"{_taskConfig.Name}\tmp", FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit );
+
+		void SetupDirectory( string subDirectory, FileSystemRights fileSystemRights, InheritanceFlags inheritanceFlags )
 		{
 			var directory = allocDir;
 
@@ -447,11 +470,30 @@ void SetupDirectory( string subDirectory, FileSystemRights fileSystemRights )
 
 			var acl = directory.GetAccessControl();
 
+			// Disable Inheritance and copy existing rules
+			acl.SetAccessRuleProtection( true, true );
+			directory.SetAccessControl( acl );
+
+			// Re-read the ACL
+			acl = directory.GetAccessControl();
+
+			// Remove unwanted BuiltIn-users/groups which allow access to everyone
+			var builtinUsersSid = new SecurityIdentifier( WellKnownSidType.BuiltinUsersSid, null );
+			var authenticatedUserSid = new SecurityIdentifier( WellKnownSidType.AuthenticatedUserSid, null );
+
+			foreach ( FileSystemAccessRule rule in acl.GetAccessRules( true, false, typeof( SecurityIdentifier ) ) )
+			{
+				if ( rule.IdentityReference == builtinUsersSid || rule.IdentityReference == authenticatedUserSid )
+					acl.RemoveAccessRule( rule );
+			}
+
+			// Add new Rules
 			acl.AddAccessRule( new FileSystemAccessRule(
-				identity, fileSystemRights, InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow ) );
-			acl.AddAccessRule( new FileSystemAccessRule(
-				identity, fileSystemRights, InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow ) );
+				identity, fileSystemRights, inheritanceFlags, PropagationFlags.InheritOnly, AccessControlType.Allow ) );
+			//acl.AddAccessRule( new FileSystemAccessRule(
+			//	identity, fileSystemRights, InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow ) );
 
+			// Apply the new ACL
 			directory.SetAccessControl( acl );
 		}
 

src/NomadIIS/Services/ManagementService.cs

@@ -16,6 +16,7 @@ public sealed class ManagementService
 	private bool _driverEnabled;
 	private TimeSpan _statsInterval = TimeSpan.FromSeconds( 3 );
 	private TimeSpan _fingerprintInterval = TimeSpan.FromSeconds( 30 );
+	private bool _directorySecurity;
 	private readonly ConcurrentDictionary<string, IisTaskHandle> _handles = new();
 	private readonly SemaphoreSlim _lock = new( 1, 1 );
 	private readonly Channel<DriverTaskEvent> _eventsChannel = Channel.CreateUnbounded<DriverTaskEvent>( new UnboundedChannelOptions()
@@ -33,12 +34,14 @@ public ManagementService ( ILogger<ManagementService> logger )
 	public bool DriverEnabled => _driverEnabled;
 	public TimeSpan StatsInterval => _statsInterval;
 	public TimeSpan FingerprintInterval => _fingerprintInterval;
+	public bool DirectorySecurity => _directorySecurity;
 
-	public void Configure ( bool enabled, TimeSpan? statsInterval, TimeSpan? fingerprintInterval )
+	public void Configure ( bool enabled, TimeSpan? statsInterval, TimeSpan? fingerprintInterval, bool directorySecurity )
 	{
 		_driverEnabled = enabled;
 		_statsInterval = statsInterval ?? _statsInterval;
 		_fingerprintInterval = fingerprintInterval ?? _fingerprintInterval;
+		_directorySecurity = directorySecurity;
 	}
 
 	public IisTaskHandle CreateHandle ( string taskId )