There may be times when you’ll want your website or application to run commands while being served by IIS. To do so, you’ll need to grant permissions to the user that runs your website or application.
Before I move on, I should stress that setting incorrect permissions (or setting permissions when you don’t need them) on cmd.exe is a liability and should be avoided.
A while ago I was working on a project that allowed users to run composer commands directly from the browser. In order to make it work I had to add permissions on cmd.exe to the IIS user. However, this was not the piece of cake I thought.
Usually, when you want to give permissions (for instance to files or folders) you just have to add the IUSR user (or the IIS_IUSRS group) and everything goes smoothly. That’s not the case when you try to set permissions on cmd.exe, where Windows is not so permissive (and this is a good thing!).
This is how I sorted this out.
1. Can’t change permissions to cmd.exe
The first issue was when I tried to change the permissions on cmd.exe but the buttons were locked. Even starting Explorer as an Administrator the buttons kept being locked and greyed out.
The solution to this issue is to force the file’s ownership to your user using the following command:
takeown /F c:\windows\system32\cmd.exe
Beware that this command will only be successful if you run cmd as an Administrator. To accomplish that, enter cmd in the Start Menu, right-click it and select “Run as Administrator”.
Once you run cmd as Administrator and run the command, you should see a message similar to the following
2. Setting permissions to the correct user
Now that you can change permissions on cmd.exe, you need to select the correct user and, as I said at the top, it is not the IUSR.
IIS uses specific users depending on the Application Pool that is used by your site. By default IIS has the DefaultAppPool which is used to run the Default Web Site. But when you create a new website a new Application Pool will be created with the same name you gave to the site.
So the user you need to set permissions to is the user that runs the Application Pool and not the generic IUSR. You can see the list of Application Pools directly on IIS Manager.
In order to set permissions for that user you need to open the cmd.exe properties and click on “Add” on the “Security” tab. The thing is, if you look through the users on your local machine you won’t find the Application Pool users. So you need to manually enter the Application Pool user preceded by IIS AppPool\ and then click on “Check Names” (e.g. IIS AppPool\DefaultAppPool).
cacls c:\windows\system32\cmd.exe /E /G "IIS AppPool\DefaultAppPool":F
icacls c:\windows\system32\cmd.exe /grant "IIS AppPool\DefaultAppPool":F
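A follow-up check for the steps above, as an added example that is not part of the original post: it reports whether ownership of cmd.exe has moved away from its default owner and whether any Application Pool identity holds more than read and execute, and with -Fix it narrows the grant and hands ownership back. The -Pool and -Fix parameters are names chosen for this example, and it assumes the pool only needs to launch cmd.exe, which requires read and execute (RX) rather than full control (F).

```powershell
# Added example, not from the original post. Run from an elevated PowerShell,
# as the account that took ownership of cmd.exe with takeown.
param(
    [string]$Pool = 'DefaultAppPool',  # assumed parameter; pool name from the post
    [switch]$Fix                       # assumed parameter; without it, report only
)

$path         = Join-Path $env:SystemRoot 'System32\cmd.exe'
$identity     = "IIS AppPool\$Pool"
$defaultOwner = 'NT SERVICE\TrustedInstaller'
$acl          = Get-Acl -LiteralPath $path

# takeown moves ownership away from TrustedInstaller, the default owner of
# Windows system binaries. Report it so ownership can be handed back.
$ownerChanged = $acl.Owner -ne $defaultOwner
if ($ownerChanged) {
    Write-Warning "Owner is '$($acl.Owner)', default is '$defaultOwner'"
}

# Assumption: the pool only launches cmd.exe, which needs read and execute.
$needed = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize'

# Allow entries for any application pool identity that exceed read and execute.
$excessive = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -like 'IIS APPPOOL\*' -and
    ([int]$_.FileSystemRights -band (-bnot $needed)) -ne 0
})
$excessive | ForEach-Object {
    Write-Warning "$($_.IdentityReference) has $($_.FileSystemRights)"
}

if ($Fix) {
    # /grant:r replaces the pool's explicit entry instead of adding to it.
    icacls $path /grant:r "${identity}:(RX)"
    # Hand ownership back last: once the owner changes, this account may no
    # longer be able to edit the ACL.
    if ($ownerChanged) { icacls $path /setowner $defaultOwner }
}
```

Run it without -Fix first and review the warnings before changing anything.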