How to give Create, Read and Modify permissions to all users for a file created by my application in C:\ProgramData?

Question

My application basically creates an XML file in C:\ProgramData\MyAppFolder and dumps config settings in it.

I need to allow even standard users to have permission to add or delete settings to these config files. Right now I see that standard users only have read/execute permission but not "Full Control".

I've seen other questions being answered with ways to modify permissions to that particular folder but I don't want to change the default permission level, since it might be reset by a system admin.

If C:\ProgramData can't give that access to all users, is there any folder that best suits the needs of application?

EDIT:

My initial question might be misleading. I don't want to give rights to users, but rather allow the application to modify the XML file when it is run by all users.

DECISION:

I think changing the permissions while creating the folder in ProgramData is the only option.

And if that's not possible, CommonDocuments is the way to go.

Thanks Eve.

Answer 1

Users should not be allowed to write arbitrary data to this directory. This is equivalent to regular users being able to modify the C:\Users\AllUsers directory. If users need to be modifying this directory you have serious design flaws and should reconsider this approach. What should happen is the users are given GUI interface to interact with that manipulates these values behind the scenes without giving them direct access, similar to how getters/setters work in most programming languages. Needless to say it is a very large security hole when regular users can corrupt a system for other users.

UPDATE

I don't want to give users direct access to the file. My question might have been misleading. I want to allow the program to have full control on the file even when it being run by all users. I'm actually doing this: "users are given GUI interface to interact with that manipulates these values behind the scenes without giving them direct access"

This article which has far too much information to post here, will provide details on remaining secure as to not leak permissions. The first thing you want to do is make sure that your application user is in its own group and cannot login/have any special permissions. What you can than do is have this group added to the directory with write permissions, which would allow this application to perform these tasks. If that is not possible you will need to work within UAC to not break the security of the system as is detailed in the article above.

Second Update

Thanks for the link. Any suggestions on some other folder which can do the job, rather than messing with the permissions?

Sure you can write it into the directory where the application is written to, i.e. C:\Program Files\Some Awesome Program, this keeps everything in one place, and you only have to worry about your user/group and anything that the person who installed it has allowed for. It also prevents other people from messing with it unless of course they are administrators.

Answer 2

Assuming you have an installer for your application, your installer can create a subfolder in the common appdata directory (aka C:\ProgramData) which your application will have read/write access to. Depending on your choice of installation technology you can set the permissions on that folder as well, although that may be overkill. I know with WiX basically all you have to do is a per-machine installation and make sure that sub folder gets created.

Answer 3

I would use a folder in the Environment.SpecialFolder enum.

Example:

var path = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);