I've been having problems programatically assigning permissions to Folders / Registry entries. I have managed to assign inheriting permissions using the following code:
FileSystemAccessRule rule = new FileSystemAccessRule(LOGON_USER_NAME,
FileSystemRights.FullControl, InheritanceFlags.ContainerInherit |
InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly,
AccessControlType.Allow);
DirectorySecurity security = new DirectorySecurity();
security.SetAccessRule(rule);
Directory.CreateDirectory(dir);
Directory.SetAccessControl(dir, security);
This correctly sets my file permissions on all the child folders i create as an administrator. However, it does not set the permissions on the dir folder itself. I've played around with a fair few permutations for inheritance and propogation, but not had any joy.
For example, I have:
dir = %programfiles%\Test
If i have created a folder in test (%programfiles%\Test\SubFolder), I have full permissions assigned to it for my user, but I do not have full permissions on %programfiles%\Test. This is really annoying, as I would like to give my user full permissions to do whatever with the Test directory as well.
I am having similar problems with registry permissions, but I believe that if i can solve one, i can solve both of the outstanding issues.
Does anyone know how this can be resolved?
Regards
Tris
For the folder:
FileSystemAccessRule rule = new FileSystemAccessRule(LOGON_USER_NAME,
FileSystemRights.FullControl, AccessControlType.Allow);
For subfolders and files:
FileSystemAccessRule rule = new FileSystemAccessRule(LOGON_USER_NAME,
FileSystemRights.FullControl, InheritanceFlags.ContainerInherit |
InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly,
AccessControlType.Allow);
both lines need to be in your project. then you get acls that apply to this folder, subfolders and files
I'm hardly an expert here, but after having to figure this out for my own purposes, I believe that Dave's answer, although functional, is overly complicated. You should be able to achieve this with just one rule:
FileSystemAccessRule rule = new FileSystemAccessRule(LOGON_USER_NAME,
FileSystemRights.FullControl,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow);
The PropagationFlags.InheritOnly parameter used by the OP in their original code is what prevents the access rule from applying to the object itself.
Also, you might as well set the directory's security as you're creating it, since .NET provides an overload for just that purpose:
Directory.CreateDirectory(dir, security);
Related
I am trying to write a tool, limiting the ability to mess up file server structures. Within this project I am trying to limit the user to save files in directories, but prevent the user from creating subdirectories in specific folder. The subdirectory will be created another way, wich already works.
But I am facing the problem, that ntfs permission seem to mix "create directories" and "append data". Now the "append data" part is the one (when on deny) preventing users from saving files in a directory, wich is not wanted. But when on allow, the same permission makes it possible to create subdirectories.
In windows explorer security window the both permissions are set with the same checkbox, but as the enumeration FileSystemRights has both CreateDirectories and AppendData, I thought I could set them appart from another.
directorySecurity.AddAccessRule(
new FileSystemAccessRule(sidAll, FileSystemRights.CreateDirectories, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None, AccessControlType.Deny)
);
directorySecurity.AddAccessRule(
new FileSystemAccessRule(sidAll, FileSystemRights.AppendData, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None, AccessControlType.Allow)
);
directoryInfo.SetAccessControl(directorySecurity);
But when setting one to allow and one to deny, both are denied.
Any thoughts or hints on this?
The problem is solved the following way:
// Create a new DirectoryInfo object.
DirectoryInfo directoryInfo = new DirectoryInfo(_folderPath);
// Get a DirectorySecurity object that represents the
// current security settings.
DirectorySecurity directorySecurity = directoryInfo.GetAccessControl();
SecurityIdentifier sidAll = new SecurityIdentifier("S-1-1-0");
//Set the permissions for files in that folder to allow
FileSystemRights rights = FileSystemRights.Modify |
FileSystemRights.ReadAndExecute |
FileSystemRights.ListDirectory |
FileSystemRights.Read |
FileSystemRights.Write
directorySecurity.AddAccessRule(
new FileSystemAccessRule(
sidAll,
rights,
InheritanceFlags.ContainerInherit |
InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow)
);
FileSystemRights subfolderRights = FileSystemRights.CreateDirectories |
FileSystemRights.DeleteSubdirectoriesAndFiles |
FileSystemRights.Delete;
//Set the rights for subfolders of the
directorySecurity.AddAccessRule(
new FileSystemAccessRule(
sidAll,
subfolderRights,
InheritanceFlags.ContainerInherit, PropagationFlags.None,
AccessControlType.Deny)
);
// Set the new access settings.
directoryInfo.SetAccessControl(directorySecurity);
Note the differences in the InheritanceFlags-parameters and the AccessControllType-parameters. A friend of mine gave me the solution, but I was not yet able to investigate on the differences of the InheritanceFlags-parameters. As soon as I have had the time, I will try to give a hint on how they work.
The SecurityIdentifier sidAll is here just used as an example.
I would like to add some new ACL rules alongside existing ones. I am currently using SetAccessRule, with the expectation that adding new rules also keeps the old ones. According to the documentation for SetAccessRule,
The SetAccessRule method adds the specified access control list (ACL) rule or overwrites any identical ACL rules that match the FileSystemRights value of the rule parameter. For example, if the rule parameter specifies a Read value and the SetAccessRule method finds an identical ACL rule that specifies the Read value, the identical rule will be overwritten. If the SetAccessRule method finds an identical ACL rule that specifies the Write value, the identical rule will not be overwritten.
However, in practice, I've found that adding a new rule actually overwrites any previous rules (belonging to the same user/SID?). This seems to contradict what the documentation says.
My current intention is to assign both read and write permissions, but in separate calls. Unfortunately, the latter permissions overwrite the first. In the example code below, the result is only the read permissions are assigned. If I comment out that block, then only the write permissions are assigned. This could be fixed with an additional if condition to assign both permissions, but it still overwrites any existing permissions on the directory, which is undesired.
DirectoryInfo directory = new DirectoryInfo(abspath);
DirectorySecurity security = directory.GetAccessControl();
security.SetAccessRuleProtection(false, true);
if (perm.Contains("write"))
{
security.SetAccessRule(new FileSystemAccessRule(user, FileSystemRights.Write, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow));
}
if (perm.Contains("read"))
{
security.SetAccessRule(new FileSystemAccessRule(user, FileSystemRights.ReadAndExecute | FileSystemRights.Traverse, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow));
}
directory.SetAccessControl(security);
How should I handle adding new rules while keeping existing ones? And, is the documentation incorrect, am I misinterpreting it, or is my code incorrect?
Try using DirectorySecurity.AddAccessRule method instead to append/add permissions instead or replacing, see this MSDN link for more info
security.AddAccessRule(new FileSystemAccessRule(user, FileSystemRights.Write, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow));
I'm really out of my comfort zone when it comes to permisions. But I want to create a folder and give all users Full Control over it.
DirectoryInfo NewDir = Directory.CreateDirectory(#"C:\Test");
DirectorySecurity dSecur = NewDir.GetAccessControl();
FileSystemAccessRule fAccess =
new FileSystemAccessRule("Users", FileSystemRights.FullControl,AccessControlType.Allow);
dSecur.AddAccessRule(fAccess);
NewDir.SetAccessControl(dSecur);
But the pic below shows that Users Still doesn't have Full Control.
Am I missing something? Thanks!
If you want full control then you need to pass both ContainerInherit and ObjectInherit for the InheritanceFlags.
new FileSystemAccessRule(
User,
FileSystemRights.FullControl,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.InheritOnly,
AccessControlType.Allow
)
And be sure that run under a user with enough rights to grant full control the other user.
I have two machines, call them client and server, in a Windows domain. The server has a shared directory which can be accessed from the client machine. I want to run a C# application on the client which sets the permission on this share to inherit the permissions of the share's parent directory on the server. How do I do this?
I have tried code along the following lines, but I don't think it has the right effect:
DirectoryInfo shareDirectoryInfo = new DirectoryInfo("\\server\share");
DirectorySecurity directorySecurity = shareDirectoryInfo.GetAccessControl();
directorySecurity.SetAccessRuleProtection(false, false);
InheritanceFlags iFlags = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;
FileSystemAccessRule accessRule = new FileSystemAccessRule("Everyone", FileSystemRights.FullControl, iFlags, PropagationFlags.InheritOnly, AccessControlType.Allow);
bool modified;
directorySecurity.ModifyAccessRule(AccessControlModification.Set, accessRule, out modified);
if (modified)
{
Directory.SetAccessControl(name, directorySecurity);
}
I guess I don't understand why I have to create a FileSystemAccessRule for the directory - how can I just say inherit from parent?
Thanks for any help! Martin
You can set the folder to inherit from parent by using SetAccessRuleProtection
DirectoryInfo targetFolder = new DirectoryInfo(#"\\server\share");
DirectorySecurity folderSecurity = targetFolder.GetAccessControl(); // Existing security
folderSecurity.SetAccessRuleProtection(false, true); // This sets the folder to inherit
targetFolder.SetAccessControl(folderSecurity);
EDIT: The msdn document explains that if false is sent as the first argument, then the second argument is ignored.
I have a C# code which creates a folder and sets some permissions on it. Here is the code sample:
static void Main(string[] args){
Directory.CreateDirectory("C:\\vk07");
DirectorySecurity dirSec = Directory.GetAccessControl("C:\\vk07");
dirSec.AddAccessRule(new FileSystemAccessRule("INTRANET\\fGLBChorusUsers", FileSystemRights.ReadAndExecute, AccessControlType.Allow));
Directory.SetAccessControl("C:\\vk07", dirSec);
}
When I check the permissions set on the folder created above, instead of having Read and Modify (which is what I have set in the code), it shows only "Special Permissions" as checked.
Please can some one help me with this? I am new to ACL, so don't understand it very well.
I was having this same problem, The actual reason is if you look at that network service picture from the other post, it is applying to files only. The basic permissions will only show up on the first picture if they say "This folder, subfolders, and files" To do this, you need to set the two flags -InheritanceFlags.ContainerInherit + InheritanceFlags.ObjectInherit.
Try
'If destination directory does not exist, create it first.
If Not Directory.Exists(path) Then Directory.CreateDirectory(path)
Dim dir As New DirectoryInfo(path)
Dim dirsec As DirectorySecurity = dir.GetAccessControl()
'Remove inherited permissions
dirsec.SetAccessRuleProtection(True, False)
'create rights, include subfolder and files to be inherited by this
Dim Modify As New FileSystemAccessRule(username, FileSystemRights.Modify, InheritanceFlags.ContainerInherit + InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow)
Dim Full As New FileSystemAccessRule(admingroup, FileSystemRights.FullControl, InheritanceFlags.ContainerInherit + InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow)
dirsec.AddAccessRule(Modify)
dirsec.AddAccessRule(Full)
'Set
dir.SetAccessControl(dirsec)
Catch ex As Exception
MsgBox(ex.Message)
End Try
This code works for me:
security.AddAccessRule(
new FileSystemAccessRule(
"domain\\login",
FileSystemRights.Modify,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow
));
I also had this problem. After executing the following code:
var security = Directory.GetAccessControl(folderPath);
security.AddAccessRule(
new FileSystemAccessRule(
new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null),
FileSystemRights.Modify,
InheritanceFlags.ObjectInherit,
PropagationFlags.InheritOnly,
AccessControlType.Allow
)
);
Directory.SetAccessControl(folderPath, security);
...then the Properties Dialog for folderPath would appear as follows:
As you mentioned, only 'Special Permissions' is checked, but if you click Advanced, then you see:
Notice that in this dialog NETWORK SERVICE has the modify permission.
It seems as though when you set permissions programmatically Windows does not show these permissions within the folder properties dialog, but they still exist under advanced security settings. I also confirmed that my Window service (running as NETWORK SERVICE) was then able to access files within folderPath.
FileSystemRights.ReadAndExecute doesn't allow you to modify. This is for read-only.
You would need FileSystemRights.Modify for the full range.
You may want to check out for the options available.
here is an example of the above:
String dir = #"C:\vk07";
Directory.CreateDirectory(dir);
DirectoryInfo dirInfo = new DirectoryInfo(dir);
DirectorySecurity dirSec = dirInfo.GetAccessControl();
dirSec.AddAccessRule(new FileSystemAccessRule("INTRANET\\fGLBChorusUsers",FileSystemRights.Modify,AccessCo‌ntrolType.Allow));
dirInfo.SetAccessControl(dirSec);
I got the same code to work in VB, setting FileSystemRights.FullControl.
Dim fsRule As FileSystemAccessRule = New FileSystemAccessRule(sid, FileSystemRights.FullControl, (InheritanceFlags.ContainerInherit + InheritanceFlags.ObjectInherit), PropagationFlags.None, AccessControlType.Allow)