NTFS ACLs from C# (Whidbey)

M

Mark A. Richman

I'm using the new System.Security.AccessControl stuff in 2.0.

This is a snippet typical of what I've done (this example sets Read access for Network Service on 'myFolder' and all subfolders and files)

SecurityIdentifier siNetworkService = new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null);
NTAccount ntaNetworkService = siNetworkService.Translate(typeof(NTAccount)) as NTAccount;
DirectoryInfo diMyFolder = new DirectoryInfo(myFolder);
DirectorySecurity dsMyFolder = diMyFolder.GetAccessControl();
FileSystemAccessRule fsarNetworkService = new FileSystemAccessRule(ntaNetworkService, FileSystemRights.Read, AccessControlType.Allow);
FileSystemAccessRule fsarNetworkService2 = new FileSystemAccessRule(ntaNetworkService, FileSystemRights.Read, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow);

// I can't figure out why I need two ACEs for this, but I can't get the
// behavior for this folder, child folder and files, and propagate all
// to work in one line of code. The InheritanceFlags and PropagationFlags
// don't like to be mixed with the line above. Try it without the 2nd line
// and you'll see what I mean. Bug in .NET Fx?

dsMyFolder.AddAccessRule(fsarNetworkService);
dsMyFolder.AddAccessRule(fsarNetworkService2);
diMyFolder.SetAccessControl(dsMyFolder);

Any idea why that 2nd ACE is required? Is there a way to set this ACL with fewer lines of code? I have about a dozen rules like this, and it adds up to about 100 lines of code.

- Mark
 
V

Valery Pryamikov

Mark,
I think that using string security descriptors and then translating them to
binary security descriptors is the most efficient way of doing that sort of
things. Here is your sd:

D:(A;;GR;;;NS)(A;CIOIIO;GR;;;NS)

After that you just call ConvertStringSecurityDescriptorToSecurityDescriptor
API and done with it with just tree lines of code :).

-Valery.
http://www.harper.no/valery

I'm using the new System.Security.AccessControl stuff in 2.0.

This is a snippet typical of what I've done (this example sets Read access
for Network Service on 'myFolder' and all subfolders and files)

SecurityIdentifier siNetworkService = new
SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null);
NTAccount ntaNetworkService = siNetworkService.Translate(typeof(NTAccount))
as NTAccount;
DirectoryInfo diMyFolder = new DirectoryInfo(myFolder);
DirectorySecurity dsMyFolder = diMyFolder.GetAccessControl();
FileSystemAccessRule fsarNetworkService = new
FileSystemAccessRule(ntaNetworkService, FileSystemRights.Read,
AccessControlType.Allow);
FileSystemAccessRule fsarNetworkService2 = new
FileSystemAccessRule(ntaNetworkService, FileSystemRights.Read,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.InheritOnly, AccessControlType.Allow);

// I can't figure out why I need two ACEs for this, but I can't get the
// behavior for this folder, child folder and files, and propagate all
// to work in one line of code. The InheritanceFlags and PropagationFlags
// don't like to be mixed with the line above. Try it without the 2nd line
// and you'll see what I mean. Bug in .NET Fx?

dsMyFolder.AddAccessRule(fsarNetworkService);
dsMyFolder.AddAccessRule(fsarNetworkService2);
diMyFolder.SetAccessControl(dsMyFolder);

Any idea why that 2nd ACE is required? Is there a way to set this ACL with
fewer lines of code? I have about a dozen rules like this, and it adds up to
about 100 lines of code.

- Mark
 
M

Mark A. Richman

Valery,

Since it's just three lines of code, may I ask for an example? Also, can
you provide a link to that descriptor format?
 
V

Valery Pryamikov

Since you are using Whidbey, you simply could call
SetSecurityDescriptorSddlForm method of any XXXSecurity based class
ex.

DirectorySecurity dirSec = Directory.GetAccessControl("C:\\TestDirectory");
dirSec.SetSecurityDescriptorSddlForm("D:(A;;GR;;;NS)(A;CIOIIO;GR;;;NS)");
Directory.SetAccessControl("C:\\TestDirectory", dirSec);

Documentation of SDDL format could be found here:
http://msdn.microsoft.com/library/d...ingsecuritydescriptortosecuritydescriptor.asp

(watch for line breaks)

in C++ it it looks like:
if
(!ConvertStringSecurityDescriptorToSecurityDescriptor(_T("D:(A;;GR;;;NS)(A;CIOIIO;GR;;;NS)"),
SDDL_REVISION_1, (PSECURITY_DESCRIPTOR *)pDescriptor, NULL))
// you can return error here. ex: return GetLastError();

-Valery.
http://www.harper.no/valery
 
Top