howto make file available to everyone

[Gregory K]

My C# program creates a file while running under Administrator account. I
need this file to be available to any user for read/write. It appears that
the way to do it is to create an access rule and use File.SetAccessControl to
add it. My question is how to to create an access rule for any user.

I tried

FileSystemAccessRule rl = new FileSystemAccessRule(si,
FileSystemRights.FullControl, AccessControlType.Allow);

but I cannot create SecurityIdentifier si that will include any user.

Can somebody help?



SecurityIdentifier si = new
SecurityIdentifier( WellKnownSidType.AccountDomainUsersSid,


);

 

[Jeff Johnson]

My C# program creates a file while running under Administrator account. I
need this file to be available to any user for read/write. It appears that
the way to do it is to create an access rule and use File.SetAccessControl
to
add it. My question is how to to create an access rule for any user.

I take it your program is creating these files in a folder that by default
is not accessible to others? Because normally it doesn't matter WHO creates
the file but rather WHERE it is created as far as security goes.

 

[Harlan Messinger]

I take it your program is creating these files in a folder that by default
is not accessible to others? Because normally it doesn't matter WHO creates
the file but rather WHERE it is created as far as security goes.

Assuming the application writer has control over the containing
directory, yes, that certainly is the easier way to go about it.

 

[Peter Duniho]

My C# program creates a file while running under Administrator account. I
need this file to be available to any user for read/write. It appears
that
the way to do it is to create an access rule and use
File.SetAccessControl to
add it. My question is how to to create an access rule for any user.

Please be more specific. Provide a concise-but-complete code example that
reliably demonstrates the problem, and be precise about what "I cannot
create SecurityIdentifier..." means. What _exactly_ fails, and how does
it fail? What error message or exception happens? What other symptoms of
the failure are present, if any?

Pete

 

[henry.lee.jr]

My C# program creates a file while running under Administrator account. I
need this file to be available to any user for read/write. It appears that
the way to do it is to create an access rule and use File.SetAccessControl to
add it. My question is how to to create an access rule for any user.

I tried

FileSystemAccessRule rl = new FileSystemAccessRule(si,
FileSystemRights.FullControl, AccessControlType.Allow);

but I cannot create SecurityIdentifier si that will include any user.

Can somebody help?

SecurityIdentifier si = new
SecurityIdentifier(                             WellKnownSidType.AccountDomainUsersSid,

                                        );

Gregory,

Usually you would try to create files in a folder that has the
permissions you want, where the file would inherit the folder's
permissions upon creation.

 

[Gregory K]

Sorry for not making myself clear.

My program creates the file that stores all user selections and it saves it
in the same folder where the program is, i.e. C:\Program Files\MyApp...
Program always reads the file on startup and writes it on exit.

For the first time my program is run by the installer and therefore has
administrative privileges (I have to do it in order to initialize 3rd party
licensing software). Therefore the user setting file will be created by the
administrator. Then the program will be run by a user. When the program exits
and tries to overwrite the user settings file, it crashes because a user
cannot overwrite the file created by an administrator (at least it is my
understanding). So I believe that at file creation time I should do
something to give any user full access to it.

If I am wrong please tell me why. If I am right, I need a code sample that
creates full access for any user for a given file.

Thank you.
Gregory

 

[Jeff Johnson]

My program creates the file that stores all user selections and it saves
it
in the same folder where the program is, i.e. C:\Program Files\MyApp...
Program always reads the file on startup and writes it on exit.

That's not the way you're supposed to do thing "these days." You're supposed
to store user preferences in individual user files located in folders that
the users have access to.

 

[Peter Duniho]

[...] Therefore the user setting file will be created by the
administrator. Then the program will be run by a user. When the program
exits
and tries to overwrite the user settings file, it crashes because a user
cannot overwrite the file created by an administrator (at least it is my
understanding). So I believe that at file creation time I should do
something to give any user full access to it.

If I am wrong please tell me why. If I am right, I need a code sample
that
creates full access for any user for a given file.

As Jeff says, from a UI point of view, you seem to be going about it the
wrong way. "User selections" should be stored on a per-user basis. One
user should not be modifying settings visible to other users (unless, of
course, that user is an administrator and is modifying truly global
settings). You can either do your own custom per-user settings storage,
or just take advantage of the built-in ConfigurationManager-based stuff
provided by .NET. In neither case would you need to worry about
file-level security settings.

That said, if you insist on this design, it can be done. Here are a
couple of MSDN pages that should get you started:

http://msdn.microsoft.com/en-us/library/system.io.file.setaccesscontrol.aspx
http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemaccessrule.aspx

You'll have to read other documentation with respect to defining the
proper group for changing the access control, but I'm sure if you look
around on MSDN you can find it. I'm not sure off the top of my head
whether you can use AccountDomainUsersSid, or you have to explicitly use a
string like @"ComputerName\Users". I'd think the former would work even
without the computer in an NT domain, but since you seem to be trying to
say that you tried that and it didn't work, maybe you need something
different. Of course, until you post a concise-but-complete code example,
it's not possible know what you've actually tried, never mind why it might
not be working.

Pete

 

[Gregory K]

That's not the way you're supposed to do thing "these days." You're supposed

to store user preferences in individual user files located in folders that
the users have access to.

Thanks. You started me going in entirely different direction.
One problem I see with using "Application Data" folder is that different
users won't share each other's settings and our product sometimes requires it
(imagine one user running a lengthy calibration procedure and another user
running the device). I looked briefly at All Users\Application Data, but it
doesn't look like it allows everyone read/write access. Am I right about "All
Users"?

 

[Peter Duniho]

Thanks. You started me going in entirely different direction.
One problem I see with using "Application Data" folder is that different
users won't share each other's settings and our product sometimes
requires it
(imagine one user running a lengthy calibration procedure and another
user
running the device).

If you need for a user to be able to share their settings with another, a
much better solution would be to allow export and import of settings, or
somehow tie the data that results from the "lengthy calibration procedure"
with the actual "device", rather than making that part of your user
settings.

One possible approach that would be more "Windows-like" would be to
implement the device-access stuff in a service, and then provide a
user-accessible GUI to interact with the service. Then the service can
serve as the central repository for things that are not user-specific, but
which are shared by users.

Of course, you can also just store data in a shared area of the file
system; it's not necessarily as robust an approach (it means that any one
user can screw up the data/configuration for all other users), but if you
are running the code in a 100% completely trusted environment, it might be
okay.

I looked briefly at All Users\Application Data, but it
doesn't look like it allows everyone read/write access. Am I right about
"All
Users"?

On XP, you should be able to use the "All Users" (which translates to the
"Shared" folders in Windows Explorer), and my recollection is that all
users have write access to the directories in there. On Vista and Windows
7, the "shared" folders have changed structure, but as long as you're not
actually hard-coding the path names, but instead using the
System.Environment.GetFolderPath() method with the
SpecialFolder.CommonApplicationData folder item, my recollection is that
it should work.

Pete

 

[Gregory K]

Unfortunately you are wrong about the access rights to "All Users". I just
wrote a sample application with this code (I am using XP Pro):

string appdata2 =
Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData);

string aslPath = Path.Combine(appdata2, "Applied Science labs\\Eye-Trac 6");
string filename = Path.Combine(aslPath, "MyTest.txt");
Directory.CreateDirectory(aslPath);
Stream fs = new FileStream(filename, FileMode.Create);//FileAccess.ReadWrite);
StreamWriter sw = new StreamWriter(fs);
sw.WriteLine("Test");
sw.WriteLine(DateTime.Now.ToString());
sw.Close();

I ran it from administrator account and then from user account. When I ran
it as a user, the program crashed on "new FileStream" statement complaining
about lack of access rights. File properties in Explorer confirmed that.

The import/export option already exists but it won't be very useful because
user\Application Data folder is invisible. Users will have to change their
explorer settings in order to see somebody else's config file and our users
are not computer experts.

I guess the perfect solution will be create the file under All Users\App
Data and make it writeable to anyone.

 

[Peter Duniho]

Unfortunately you are wrong about the access rights to "All Users". I
just
wrote a sample application with this code (I am using XP Pro):

So, store the data somewhere that users _do_ have shared access. Such as
in the "All Users/Documents" folder.

[...]
The import/export option already exists but it won't be very useful
because
user\Application Data folder is invisible. Users will have to change
their
explorer settings in order to see somebody else's config file and our
users
are not computer experts.

That doesn't make sense. A true "import/export option" would allow the
user to specify where settings are saved when exported, and then can share
that file in any arbitrarily convenient way for another user to import
them (copy the file, send it in email, etc.)

I guess the perfect solution will be create the file under All Users\App
Data and make it writeable to anyone.

I disagree. But if you want to do that, it would probably work.

Pete