Recycling an Application Pool as an Application Pool Identity

Question

I'm creating a setup where a push to my central git repo, located on my server, automatically pushes the changes to my site folder, which is running through IIS 8 on Windows Server 2012.

This is easy enough. The following is working: I have Bonobo Git Server, a site running on IIS onto its own. I have a post-receive hook on the central repo that is managed by Bonobo. This hook then runs a batch file which pulls the changes into the repo of the site's folder. This is made possible because, naturally, the post-receive hook runs as the identity assigned to Bonobo's App Pool, namely "IIS AppPool\GitServerAppPool" and I gave that identity modify permissions on the site's folder.

So the code gets pushed and pulled fine. The problem is that the project is coded in Python and integrated into IIS using ISAPI_WSGI, and therefore there aren't any mechanisms, that I'm aware of, to reload the code without recycling the App Pool.

Giving the post-receive script permission to recycle the App Pool is proving difficult.

So, the problem is this. -The post-receive script is running as "IIS AppPool\GitServerAppPool", so it cannot restart the other app pools as doing so requires an Admin account. -Any use of RunAs, for either running appcmd or a scheduled task, doesn't work because it would require entering a password to pass UAC. -Using /savecreds on runas doesn't work because I cannot log in as an AppPoolIdentity in order to enter the password in the first place.

And so I am stuck. If any of the following are possible in any way shape or form, they should work, but I can't find a way to do them.

1. some way of lowering the required permissions to recycle app pools.
2. some way of including the password in the runas command (the script won't be accessible to the outside world so I can live with this)
3. some way of manually running a command as GitServerAppPool so that I can run the batch file with /savecreds once, and not have to enter the password again

Anybody know how to do a, b or c, or have another solution?

One solution that does work is to run the git server on an app pool running as an admin account. It seems counter to the point of UAC to start giving things full Admin access rights to get around one rule on IIS security though. Of course, if I must, I will.

Thank you very much for any help or suggestions.

BTW, the reason for doing this is to give my other devs, scattered around the globe, the ability to push their changes direct to their staging servers without my interference and without actual access to the server. So manually restarting the app pool defeats the purpose.

Answer 1

Write a simple Windows service that either monitors certain file directories for changes or listens to another mechanism to be triggered. It then recycles the Application pool in question.

Run the service under an account with enough permissions to recycle the pool.

Make sure this process can not be initiated by someone from the outside.

Answer 2

Working off Peter's answer I came up with a more hacky solution that will do for the time being. The better solution will be Peter's above, but it requires a lot more expertise to setup.

In your post-receive batch file, call eventcreate to create an event on the windows event log, like so:

call eventcreate /S MACHINE_NAME /u Administrator /p password /t information /id 500 /d "A git post-receive hook has updated site code"

Where MACHINE_NAME is your server's machine name. It is important to include this as EVENTCREATE requires admin rights. It just so happens that it has the ability to remotely create events by supplying a username and password as a parameter. Including the machine name seems to put it in remote mode, which is required to supply the user/pass.

So this allows you to create an event with admin credentials from any source.

What you can then do is create a task in Task Scheduler which listens for this event. Open it up, create a task and make the trigger listen for an event with "EventCreate" as a source and the event id you supplied in the command above (500 in the example above, but you can use any number). Make sure to set the task to run as admin and let it run with elevated permissions.

Have the task run a batch with this included:

call %systemroot%\system32\inetsrv\appcmd.exe recycle apppool /apppool.name:APPPOOLNAME

replace only the capitalized APPPOOLNAME with the name of the pool you want to recycle.

The disadvantages this over creating a real service as Peter suggested are:

1. You need to write the admin's password in plain-text in the batch file, so make sure nobody else gets their hands on this file.
2. in theory there is potential for another app to create an event with the same ID and cause your app pool to recycle. (eventcreate seems to fail if I supply a custom source name, which would remove this issue)
3. it has a lot more moving parts that complicate setup