Shumachine

Reputation: 61

c# How to set FileSystemRights.CreateDirectories to Deny but FileSystemRights.AppendData to Allow

I am trying to write a tool limiting the ability to mess up file server structures. Within this project I am trying to limit the user to saving files in directories, but prevent the user from creating subdirectories in specific folders. The subdirectories will be created another way, which already works.

But I am facing the problem that NTFS permissions seem to mix "create directories" and "append data". Now the "append data" part is the one (when set to deny) that prevents users from saving files in a directory, which is not wanted. But when set to allow, the same permission makes it possible to create subdirectories.

In the Windows Explorer security window both permissions are set with the same checkbox, but as the enumeration FileSystemRights has both CreateDirectories and AppendData, I thought I could set them apart from one another.

using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

DirectoryInfo directoryInfo = new DirectoryInfo(_folderPath);
DirectorySecurity directorySecurity = directoryInfo.GetAccessControl();
SecurityIdentifier sidAll = new SecurityIdentifier("S-1-1-0"); // Everyone

// Deny creating subdirectories; inherited by subfolders and files.
directorySecurity.AddAccessRule(
    new FileSystemAccessRule(sidAll, FileSystemRights.CreateDirectories,
        InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
        PropagationFlags.None, AccessControlType.Deny));

// Allow appending to files; inherited by subfolders and files.
directorySecurity.AddAccessRule(
    new FileSystemAccessRule(sidAll, FileSystemRights.AppendData,
        InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
        PropagationFlags.None, AccessControlType.Allow));

directoryInfo.SetAccessControl(directorySecurity);

But when setting one to allow and one to deny, both are denied.

Any thoughts or hints on this?

Upvotes: 0

Views: 2453

Answers (1)

Shumachine

Reputation: 61

The problem is solved the following way:

using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Create a new DirectoryInfo object.
DirectoryInfo directoryInfo = new DirectoryInfo(_folderPath);

// Get a DirectorySecurity object that represents the
// current security settings.
DirectorySecurity directorySecurity = directoryInfo.GetAccessControl();
SecurityIdentifier sidAll = new SecurityIdentifier("S-1-1-0"); // Everyone (example SID)

// Rights to allow on the folder, inherited by files and subfolders.
FileSystemRights rights = FileSystemRights.Modify |
                          FileSystemRights.ReadAndExecute |
                          FileSystemRights.ListDirectory |
                          FileSystemRights.Read |
                          FileSystemRights.Write;

directorySecurity.AddAccessRule(
    new FileSystemAccessRule(
        sidAll,
        rights,
        InheritanceFlags.ContainerInherit |
        InheritanceFlags.ObjectInherit,
        PropagationFlags.None,
        AccessControlType.Allow));

// Rights to deny on the folder, inherited by subfolders only
// (ContainerInherit without ObjectInherit, so files are not affected).
FileSystemRights subfolderRights = FileSystemRights.CreateDirectories |
                                   FileSystemRights.DeleteSubdirectoriesAndFiles |
                                   FileSystemRights.Delete;

directorySecurity.AddAccessRule(
    new FileSystemAccessRule(
        sidAll,
        subfolderRights,
        InheritanceFlags.ContainerInherit,
        PropagationFlags.None,
        AccessControlType.Deny));

// Set the new access settings.
directoryInfo.SetAccessControl(directorySecurity);

Note the differences in the InheritanceFlags parameters and the AccessControlType parameters. A friend of mine gave me the solution, but I was not yet able to investigate the differences of the InheritanceFlags parameters. As soon as I have had the time, I will try to give a hint on how they work.

The SecurityIdentifier sidAll is here just used as an example.

Upvotes: 3
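Why the question's approach cannot work and the answer's does, as an added example (not code from the question or the answer): FileSystemRights.AppendData and FileSystemRights.CreateDirectories are the same enum value, 0x4, because NTFS uses one access-mask bit for FILE_APPEND_DATA on a file and FILE_ADD_SUBDIRECTORY on a directory (which is also why Explorer shows them as a single "Create folders / append data" checkbox). An ACE therefore cannot carry one without the other; the only lever is which objects inherit the ACE. A Deny ACE with ContainerInherit only applies to the folder itself (no new subdirectories) and to subfolders, but never to files, so AppendData on files is untouched. The program below prints the enum values, applies an Allow and a Deny ACE that way, reads the DACL back from disk and probes the three operations. Assumptions: the scratch folder path, and BUILTIN\Users as the restricted group instead of Everyone, because a Deny ACE for S-1-1-0 also binds administrators and the account that is supposed to create subfolders "another way". On .NET Core and .NET 5+ GetAccessControl/SetAccessControl are extension methods from the System.IO.FileSystem.AccessControl package.

```csharp
// Added example, not the question's or answer's own code.
// Assumptions: scratch folder path (argument or default below); BUILTIN\Users
// as the restricted group rather than Everyone (S-1-1-0).
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class DenySubfolderDemo
{
    static void Main(string[] args)
    {
        string folder = args.Length > 0 ? args[0] : @"C:\Temp\DenySubfolderDemo"; // assumed path
        Directory.CreateDirectory(folder);

        // One access-mask bit: FILE_APPEND_DATA on a file, FILE_ADD_SUBDIRECTORY on a directory.
        Console.WriteLine("AppendData        = 0x{0:X}", (int)FileSystemRights.AppendData);
        Console.WriteLine("CreateDirectories = 0x{0:X}", (int)FileSystemRights.CreateDirectories);
        Console.WriteLine("Same bit: {0}", FileSystemRights.AppendData == FileSystemRights.CreateDirectories);
        // The same pairing exists for WriteData/CreateFiles (0x2) and ReadData/ListDirectory (0x1).

        // Assumption: restrict a concrete group so the account that creates subfolders
        // "another way" is not caught by the Deny ACE.
        var users = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);

        var dirInfo = new DirectoryInfo(folder);
        DirectorySecurity ds = dirInfo.GetAccessControl();

        // Allow Modify on the folder, inherited by files (OI) and subfolders (CI).
        // Modify contains CreateFiles (0x2) and the shared 0x4 bit, so creating files
        // and appending to them is granted everywhere this ACE reaches.
        ds.AddAccessRule(new FileSystemAccessRule(users, FileSystemRights.Modify,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None, AccessControlType.Allow));

        // Deny the 0x4 bit with ContainerInherit ONLY. On the folder itself it means
        // "no new subdirectories"; subfolders inherit it; files never do, so on files the
        // very same bit (AppendData) stays allowed. A canonical DACL orders explicit Deny
        // ACEs before Allow ACEs, so this Deny beats the Modify allow above.
        ds.AddAccessRule(new FileSystemAccessRule(users, FileSystemRights.CreateDirectories,
            InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Deny));

        dirInfo.SetAccessControl(ds);

        // Read the DACL back from disk: the Deny ACE must show ContainerInherit only.
        foreach (FileSystemAccessRule rule in
                 dirInfo.GetAccessControl().GetAccessRules(true, true, typeof(NTAccount)))
        {
            Console.WriteLine("{0,-5} {1,-25} {2,-40} inherit={3}",
                rule.AccessControlType, rule.IdentityReference, rule.FileSystemRights, rule.InheritanceFlags);
        }

        // Probe with the current account. Only meaningful if that account is a member of
        // the restricted group; expected: file create and append allowed, mkdir denied.
        string probe = Path.Combine(folder, "probe.txt");
        Console.WriteLine("create file: " + Try(() => File.WriteAllText(probe, "line 1\n")));
        Console.WriteLine("append file: " + Try(() => File.AppendAllText(probe, "line 2\n")));
        Console.WriteLine("create dir : " + Try(() => Directory.CreateDirectory(Path.Combine(folder, "sub"))));
    }

    static string Try(Action op)
    {
        try { op(); return "allowed"; }
        catch (UnauthorizedAccessException e) { return "denied (" + e.Message + ")"; }
    }
}
```

The Deny ACE stays on the folder after the program exits; revert it with DirectorySecurity.RemoveAccessRule on a rule built with the same SID, rights, flags and AccessControlType. If the probe reports everything as allowed, the running account is not covered by the restricted group, not that the ACL is wrong; check the DACL dump instead.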
