Reputation: 1682
Examine the following two blocks of code:
    System.Security.AccessControl.DirectorySecurity dsec = System.IO.Directory.GetAccessControl(str);
    System.Security.Principal.NTAccount group = new System.Security.Principal.NTAccount("DOMAIN", "USERGROUP");
    System.Security.AccessControl.FileSystemAccessRule myrule = new System.Security.AccessControl.FileSystemAccessRule(group, System.Security.AccessControl.FileSystemRights.FullControl, System.Security.AccessControl.AccessControlType.Allow);
    dsec.SetAccessRule(myrule);
    System.IO.Directory.SetAccessControl(str, dsec);
and
    System.Security.AccessControl.FileSecurity fsec = System.IO.File.GetAccessControl(file);
    System.Security.Principal.NTAccount group = new System.Security.Principal.NTAccount("DOMAIN", "USERGROUP");
    System.Security.AccessControl.FileSystemAccessRule myrule = new System.Security.AccessControl.FileSystemAccessRule(group, System.Security.AccessControl.FileSystemRights.FullControl, System.Security.AccessControl.AccessControlType.Allow);
    fsec.SetAccessRule(myrule);
    System.IO.File.SetAccessControl(file, fsec);
One would expect them both to do the exact same thing, only one to a directory and one to a file. And, in some ways, they do. In both cases, the filesystem object in question changes such that DOMAIN\USERGROUP has the Effective Permissions of Full Control.
However, the strange part is, when you right click on a file and view security, you see this:
and when you right click on a folder and view security, you see this:
If I then go to Advanced->Effective Permissions->Select(DOMAIN\USERGROUP), it shows that the effective permissions for the folder, for that group, are Full Control (all of the boxes are checked, not just the Full Control box. That would be even weirder).
My question is, why is there a difference in the effect of an almost identical implementation and does anyone know how to replicate the effect of applying permissions to Files?
Upvotes: 10
Views: 6945
Reputation: 4297
The difference is the relevance of propagation flags for directory security.
    var accessRule = new FileSystemAccessRule(
        identity: group,
        fileSystemRights: FileSystemRights.FullControl,
        type: AccessControlType.Allow,
        inheritanceFlags: InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
        propagationFlags: PropagationFlags.None);
Note the inheritanceFlags setting. If unspecified, the default is none, which gets classified as "special".
Upvotes: 13
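The effect of the inheritance flags discussed in the answer above can be observed directly. This is an added example, not code from the thread: a Windows-only console program that grants Full Control on a new directory with a given `InheritanceFlags` value and reports whether a file created afterwards receives an inherited ACE. Assumptions: the current user stands in for DOMAIN\USERGROUP, and the class name, helper name and temp-directory names are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class InheritanceFlagsDemo
{
    // Grants `who` FullControl on a new directory using `flags`, then reports whether
    // a file created inside it afterwards carries an inherited FullControl ACE.
    static bool ChildInherits(string root, string name, SecurityIdentifier who, InheritanceFlags flags)
    {
        DirectoryInfo dir = Directory.CreateDirectory(Path.Combine(root, name));
        DirectorySecurity dsec = dir.GetAccessControl();
        // Drop ACEs inherited from the parent so only the rule under test can propagate.
        dsec.SetAccessRuleProtection(true, false);
        dsec.SetAccessRule(new FileSystemAccessRule(who, FileSystemRights.FullControl,
            flags, PropagationFlags.None, AccessControlType.Allow));
        dir.SetAccessControl(dsec);

        string child = Path.Combine(dir.FullName, "child.txt");
        File.WriteAllText(child, "constructed sample");
        AuthorizationRuleCollection rules = new FileInfo(child).GetAccessControl()
            .GetAccessRules(true, true, typeof(SecurityIdentifier));
        foreach (FileSystemAccessRule r in rules)
        {
            if (r.IsInherited && r.IdentityReference.Equals(who)
                && r.AccessControlType == AccessControlType.Allow
                && (r.FileSystemRights & FileSystemRights.FullControl) == FileSystemRights.FullControl)
                return true;
        }
        return false;
    }

    static void Main()
    {
        // Assumption: the current user replaces DOMAIN\USERGROUP from the question.
        SecurityIdentifier who = WindowsIdentity.GetCurrent().User;
        string root = Path.Combine(Path.GetTempPath(), "acl-demo-" + Guid.NewGuid().ToString("N"));
        try
        {
            // InheritanceFlags.None matches the 3-argument constructor used in the question.
            Console.WriteLine("None: child inherits = " +
                ChildInherits(root, "none", who, InheritanceFlags.None));
            Console.WriteLine("ContainerInherit|ObjectInherit: child inherits = " +
                ChildInherits(root, "ci-oi", who,
                    InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit));
        }
        finally { if (Directory.Exists(root)) Directory.Delete(root, true); }
    }
}
```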
Reputation: 18843
Here is something that you can try, Logan, in regard to adding permissions to a file.
Try this code if it helps:
    using System.IO;

    // Evaluates only the first ACE that names the current user directly.
    // Rules that apply through group membership are not considered.
    public static bool CheckReadWriteAccces(string filePath, System.Security.AccessControl.FileSystemRights fileSystemRights)
    {
        FileInfo fileInfo = new FileInfo(filePath);
        string str = System.Security.Principal.WindowsIdentity.GetCurrent().Name.ToUpper();
        foreach (System.Security.AccessControl.FileSystemAccessRule rule in fileInfo.GetAccessControl().GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)))
        {
            if (str == rule.IdentityReference.Value.ToUpper())
                return ((rule.AccessControlType == System.Security.AccessControl.AccessControlType.Allow) && (fileSystemRights == (rule.FileSystemRights & fileSystemRights)));
        }
        return false;
    }

    /// <summary>
    /// Make a file writable by clearing its read-only attribute
    /// </summary>
    /// <param name="path">File name to change</param>
    public static void MakeWritable(string path)
    {
        if (!File.Exists(path))
            return;
        File.SetAttributes(path, File.GetAttributes(path) & ~FileAttributes.ReadOnly);
    }
Upvotes: 0