I have a C# code which creates a folder and sets some permissions on it. Here is the code sample:
static void Main(string[] args){
Directory.CreateDirectory("C:\\vk07");
DirectorySecurity dirSec = Directory.GetAccessControl("C:\\vk07");
dirSec.AddAccessRule(new FileSystemAccessRule("INTRANET\\fGLBChorusUsers", FileSystemRights.ReadAndExecute, AccessControlType.Allow));
Directory.SetAccessControl("C:\\vk07", dirSec);
}
When I check the permissions set on the folder created above, instead of having Read and Modify (which is what I have set in the code), it shows only "Special Permissions" as checked.
Please can some one help me with this? I am new to ACL, so don't understand it very well.
I was having this same problem, The actual reason is if you look at that network service picture from the other post, it is applying to files only. The basic permissions will only show up on the first picture if they say "This folder, subfolders, and files" To do this, you need to set the two flags -InheritanceFlags.ContainerInherit + InheritanceFlags.ObjectInherit.
Try
'If destination directory does not exist, create it first.
If Not Directory.Exists(path) Then Directory.CreateDirectory(path)
Dim dir As New DirectoryInfo(path)
Dim dirsec As DirectorySecurity = dir.GetAccessControl()
'Remove inherited permissions
dirsec.SetAccessRuleProtection(True, False)
'create rights, include subfolder and files to be inherited by this
Dim Modify As New FileSystemAccessRule(username, FileSystemRights.Modify, InheritanceFlags.ContainerInherit + InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow)
Dim Full As New FileSystemAccessRule(admingroup, FileSystemRights.FullControl, InheritanceFlags.ContainerInherit + InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow)
dirsec.AddAccessRule(Modify)
dirsec.AddAccessRule(Full)
'Set
dir.SetAccessControl(dirsec)
Catch ex As Exception
MsgBox(ex.Message)
End Try
This code works for me:
security.AddAccessRule(
new FileSystemAccessRule(
"domain\\login",
FileSystemRights.Modify,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow
));
I also had this problem. After executing the following code:
var security = Directory.GetAccessControl(folderPath);
security.AddAccessRule(
new FileSystemAccessRule(
new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null),
FileSystemRights.Modify,
InheritanceFlags.ObjectInherit,
PropagationFlags.InheritOnly,
AccessControlType.Allow
)
);
Directory.SetAccessControl(folderPath, security);
...then the Properties Dialog for folderPath would appear as follows:
As you mentioned, only 'Special Permissions' is checked, but if you click Advanced, then you see:
Notice that in this dialog NETWORK SERVICE has the modify permission.
It seems as though when you set permissions programmatically Windows does not show these permissions within the folder properties dialog, but they still exist under advanced security settings. I also confirmed that my Window service (running as NETWORK SERVICE) was then able to access files within folderPath.
FileSystemRights.ReadAndExecute doesn't allow you to modify. This is for read-only.
You would need FileSystemRights.Modify for the full range.
You may want to check out for the options available.
here is an example of the above:
String dir = #"C:\vk07";
Directory.CreateDirectory(dir);
DirectoryInfo dirInfo = new DirectoryInfo(dir);
DirectorySecurity dirSec = dirInfo.GetAccessControl();
dirSec.AddAccessRule(new FileSystemAccessRule("INTRANET\\fGLBChorusUsers",FileSystemRights.Modify,AccessCo‌ntrolType.Allow));
dirInfo.SetAccessControl(dirSec);
I got the same code to work in VB, setting FileSystemRights.FullControl.
Dim fsRule As FileSystemAccessRule = New FileSystemAccessRule(sid, FileSystemRights.FullControl, (InheritanceFlags.ContainerInherit + InheritanceFlags.ObjectInherit), PropagationFlags.None, AccessControlType.Allow)
Related
I have an application that is intended to add read/execute permissions for a user. It appears to work, but really doesn't.
I have the following code:
string folderName = #"\\ShareDrive\MyDepartment\someFolder";
DirectorySecurity ds = new DirectoryInfo(folderName).GetAccessControl(AccessControlSections.Access);
AuthorizationRuleCollection rules = ds.GetAccessRules(true, true, typeof(NTAccount));
ds.AddAccessRule(
new FileSystemAccessRule(
"SomeValidUser#myCompany.com",
FileSystemRights.ReadAndExecute,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow));
rules = ds.GetAccessRules(true, true, typeof(NTAccount));
//when I examine the value of 'rules' after executing the above statement, it appears the person has been added with
//the correct identity reference (successfully translated the email address)
After executing this code, if I check permissions in Windows File Explorer, the person has NOT been added. This is actually expected since if I try to add the person in File Explorer, I get an access denied error. I was expecting AddAccessRule to throw an exception.
My question is: How can I in C# check to see if the operation actually succeeded?
You need to call SetAccessControl() passing in your modified DirectorySecurity object to actually apply your changes.
I am trying to write a tool, limiting the ability to mess up file server structures. Within this project I am trying to limit the user to save files in directories, but prevent the user from creating subdirectories in specific folder. The subdirectory will be created another way, wich already works.
But I am facing the problem, that ntfs permission seem to mix "create directories" and "append data". Now the "append data" part is the one (when on deny) preventing users from saving files in a directory, wich is not wanted. But when on allow, the same permission makes it possible to create subdirectories.
In windows explorer security window the both permissions are set with the same checkbox, but as the enumeration FileSystemRights has both CreateDirectories and AppendData, I thought I could set them appart from another.
directorySecurity.AddAccessRule(
new FileSystemAccessRule(sidAll, FileSystemRights.CreateDirectories, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None, AccessControlType.Deny)
);
directorySecurity.AddAccessRule(
new FileSystemAccessRule(sidAll, FileSystemRights.AppendData, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None, AccessControlType.Allow)
);
directoryInfo.SetAccessControl(directorySecurity);
But when setting one to allow and one to deny, both are denied.
Any thoughts or hints on this?
The problem is solved the following way:
// Create a new DirectoryInfo object.
DirectoryInfo directoryInfo = new DirectoryInfo(_folderPath);
// Get a DirectorySecurity object that represents the
// current security settings.
DirectorySecurity directorySecurity = directoryInfo.GetAccessControl();
SecurityIdentifier sidAll = new SecurityIdentifier("S-1-1-0");
//Set the permissions for files in that folder to allow
FileSystemRights rights = FileSystemRights.Modify |
FileSystemRights.ReadAndExecute |
FileSystemRights.ListDirectory |
FileSystemRights.Read |
FileSystemRights.Write
directorySecurity.AddAccessRule(
new FileSystemAccessRule(
sidAll,
rights,
InheritanceFlags.ContainerInherit |
InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow)
);
FileSystemRights subfolderRights = FileSystemRights.CreateDirectories |
FileSystemRights.DeleteSubdirectoriesAndFiles |
FileSystemRights.Delete;
//Set the rights for subfolders of the
directorySecurity.AddAccessRule(
new FileSystemAccessRule(
sidAll,
subfolderRights,
InheritanceFlags.ContainerInherit, PropagationFlags.None,
AccessControlType.Deny)
);
// Set the new access settings.
directoryInfo.SetAccessControl(directorySecurity);
Note the differences in the InheritanceFlags-parameters and the AccessControllType-parameters. A friend of mine gave me the solution, but I was not yet able to investigate on the differences of the InheritanceFlags-parameters. As soon as I have had the time, I will try to give a hint on how they work.
The SecurityIdentifier sidAll is here just used as an example.
I'm really out of my comfort zone when it comes to permisions. But I want to create a folder and give all users Full Control over it.
DirectoryInfo NewDir = Directory.CreateDirectory(#"C:\Test");
DirectorySecurity dSecur = NewDir.GetAccessControl();
FileSystemAccessRule fAccess =
new FileSystemAccessRule("Users", FileSystemRights.FullControl,AccessControlType.Allow);
dSecur.AddAccessRule(fAccess);
NewDir.SetAccessControl(dSecur);
But the pic below shows that Users Still doesn't have Full Control.
Am I missing something? Thanks!
If you want full control then you need to pass both ContainerInherit and ObjectInherit for the InheritanceFlags.
new FileSystemAccessRule(
User,
FileSystemRights.FullControl,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.InheritOnly,
AccessControlType.Allow
)
And be sure that run under a user with enough rights to grant full control the other user.
I have two machines, call them client and server, in a Windows domain. The server has a shared directory which can be accessed from the client machine. I want to run a C# application on the client which sets the permission on this share to inherit the permissions of the share's parent directory on the server. How do I do this?
I have tried code along the following lines, but I don't think it has the right effect:
DirectoryInfo shareDirectoryInfo = new DirectoryInfo("\\server\share");
DirectorySecurity directorySecurity = shareDirectoryInfo.GetAccessControl();
directorySecurity.SetAccessRuleProtection(false, false);
InheritanceFlags iFlags = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;
FileSystemAccessRule accessRule = new FileSystemAccessRule("Everyone", FileSystemRights.FullControl, iFlags, PropagationFlags.InheritOnly, AccessControlType.Allow);
bool modified;
directorySecurity.ModifyAccessRule(AccessControlModification.Set, accessRule, out modified);
if (modified)
{
Directory.SetAccessControl(name, directorySecurity);
}
I guess I don't understand why I have to create a FileSystemAccessRule for the directory - how can I just say inherit from parent?
Thanks for any help! Martin
You can set the folder to inherit from parent by using SetAccessRuleProtection
DirectoryInfo targetFolder = new DirectoryInfo(#"\\server\share");
DirectorySecurity folderSecurity = targetFolder.GetAccessControl(); // Existing security
folderSecurity.SetAccessRuleProtection(false, true); // This sets the folder to inherit
targetFolder.SetAccessControl(folderSecurity);
EDIT: The msdn document explains that if false is sent as the first argument, then the second argument is ignored.
I've been having problems programatically assigning permissions to Folders / Registry entries. I have managed to assign inheriting permissions using the following code:
FileSystemAccessRule rule = new FileSystemAccessRule(LOGON_USER_NAME,
FileSystemRights.FullControl, InheritanceFlags.ContainerInherit |
InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly,
AccessControlType.Allow);
DirectorySecurity security = new DirectorySecurity();
security.SetAccessRule(rule);
Directory.CreateDirectory(dir);
Directory.SetAccessControl(dir, security);
This correctly sets my file permissions on all the child folders i create as an administrator. However, it does not set the permissions on the dir folder itself. I've played around with a fair few permutations for inheritance and propogation, but not had any joy.
For example, I have:
dir = %programfiles%\Test
If i have created a folder in test (%programfiles%\Test\SubFolder), I have full permissions assigned to it for my user, but I do not have full permissions on %programfiles%\Test. This is really annoying, as I would like to give my user full permissions to do whatever with the Test directory as well.
I am having similar problems with registry permissions, but I believe that if i can solve one, i can solve both of the outstanding issues.
Does anyone know how this can be resolved?
Regards
Tris
For the folder:
FileSystemAccessRule rule = new FileSystemAccessRule(LOGON_USER_NAME,
FileSystemRights.FullControl, AccessControlType.Allow);
For subfolders and files:
FileSystemAccessRule rule = new FileSystemAccessRule(LOGON_USER_NAME,
FileSystemRights.FullControl, InheritanceFlags.ContainerInherit |
InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly,
AccessControlType.Allow);
both lines need to be in your project. then you get acls that apply to this folder, subfolders and files
I'm hardly an expert here, but after having to figure this out for my own purposes, I believe that Dave's answer, although functional, is overly complicated. You should be able to achieve this with just one rule:
FileSystemAccessRule rule = new FileSystemAccessRule(LOGON_USER_NAME,
FileSystemRights.FullControl,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow);
The PropagationFlags.InheritOnly parameter used by the OP in their original code is what prevents the access rule from applying to the object itself.
Also, you might as well set the directory's security as you're creating it, since .NET provides an overload for just that purpose:
Directory.CreateDirectory(dir, security);