Directory Security and Access Rules


This post contains one example which shows how to work with Access Control Lists using .NET 2.0.
It lists all access rules of the specified folder. Additionally, the example shows how to remove
the access control rule of a specified account (in this case the NT account "Everyone").
Last but not least, the example shows how to set a new access rule for the account which has been removed.

using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

class Program
{
    static void Main(string[] args)
    {
        string dir = @"C:\Temp\ACLTEST";
        AuthorizationRuleCollection rules;

        DirectorySecurity dirSec = Directory.GetAccessControl(dir);

        // Gets the list of all access rules (explicit and inherited) of the
        // specified folder, with identities resolved to NT account names.
        rules = dirSec.GetAccessRules(true, true, typeof(NTAccount));

        // Enumerates all access rules set on the specified folder.
        foreach (FileSystemAccessRule rule in rules)
        {
            Console.WriteLine(
                "Identity: {4}\nType: {0}\nRights: {1}\nPropagation Flags: {2}\nInherited: {3}",
                rule.AccessControlType,
                rule.FileSystemRights,
                rule.PropagationFlags,
                rule.IsInherited,
                rule.IdentityReference);

            Console.WriteLine(".........................");
        }

        // Removes access rules for account 'Everyone' if such rules exist.
        // Only explicit rules can be removed here; inherited ones have to be
        // changed on the parent folder. The name "Everyone" is the English
        // display name of the group, so this comparison is language dependent.
        foreach (FileSystemAccessRule rule in rules)
        {
            if (rule.IdentityReference.Value == "Everyone")
                dirSec.RemoveAccessRule(rule);
        }

        // Creates the identity reference for account 'Everyone'.
        NTAccount everyOne = new NTAccount("everyone");

        // Creates the new rule for account 'Everyone'.
        // Permissions are propagated to this folder, subfolders and files.
        FileSystemAccessRule sbbNetRule =
            new FileSystemAccessRule(everyOne,
                FileSystemRights.FullControl,
                InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
                PropagationFlags.None,
                AccessControlType.Allow);

        dirSec.AddAccessRule(sbbNetRule);

        // Writes the modified security descriptor back to the folder.
        DirectoryInfo dInfo = new DirectoryInfo(dir);
        dInfo.SetAccessControl(dirSec);
    }
}

The list below shows which flags have to be set when creating a FileSystemAccessRule to obtain the desired scenario. The scenario names are the ones the Windows security dialog uses in its "Apply to" list; the entries marked NoPropagateInherit correspond to the dialog's "apply to objects and/or containers within this container only" option, that is, the rule is inherited by the immediate children only and not passed further down.

Subfolders and Files only:
  InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
  PropagationFlags.InheritOnly

This Folder, Subfolders and Files:
  InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
  PropagationFlags.None

This Folder, Subfolders and Files (within this container only):
  InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
  PropagationFlags.NoPropagateInherit

This folder and subfolders:
  InheritanceFlags.ContainerInherit,
  PropagationFlags.None

Subfolders only:
  InheritanceFlags.ContainerInherit,
  PropagationFlags.InheritOnly

This folder and files:
  InheritanceFlags.ObjectInherit,
  PropagationFlags.None

This folder and files (within this container only):
  InheritanceFlags.ObjectInherit,
  PropagationFlags.NoPropagateInherit
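The following is an added example, not code from the original post. It turns the list above into a lookup table (the "Files only" pair is the one worked out in the comments below), reads the ACL with identities resolved to SIDs so the check for "Everyone" works regardless of the system language (the "Jeder" point raised in the comments below), and reports every Allow rule that gives Everyone write, delete or permission-change rights. With an assumed --fix argument it removes the explicit ones and grants Everyone read-only access instead. The class name AclAudit, the --fix switch and the use of C:\Temp\ACLTEST as the default path are assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example, not from the original post. Windows only; needs the
// System.Security.AccessControl types (built into .NET Framework, shipped as
// System.IO.FileSystem.AccessControl on .NET Core / .NET 5+).
static class AclAudit
{
    // The scenario list above, keyed by the label the Windows security dialog
    // shows. "Files only" is the pair worked out in the comments on the post.
    public static readonly Dictionary<string, (InheritanceFlags Inherit, PropagationFlags Propagate)> Scenarios =
        new Dictionary<string, (InheritanceFlags, PropagationFlags)>
        {
            ["Subfolders and files only"]         = (InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly),
            ["This folder, subfolders and files"] = (InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None),
            ["This folder and subfolders"]        = (InheritanceFlags.ContainerInherit, PropagationFlags.None),
            ["Subfolders only"]                   = (InheritanceFlags.ContainerInherit, PropagationFlags.InheritOnly),
            ["This folder and files"]             = (InheritanceFlags.ObjectInherit, PropagationFlags.None),
            ["Files only"]                        = (InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly),
        };

    // Locale-independent identity for "Everyone": the well-known World SID
    // S-1-1-0. Comparing the display name, as the sample above does, fails on
    // a non-English system, where the group is shown as e.g. "Jeder".
    public static readonly SecurityIdentifier Everyone =
        new SecurityIdentifier(WellKnownSidType.WorldSid, null);

    // Rights that let a principal change content, delete, or alter the ACL.
    // FullControl and Modify both contain these bits, so the mask catches them.
    const FileSystemRights WriteLike =
        FileSystemRights.WriteData | FileSystemRights.AppendData
        | FileSystemRights.Delete | FileSystemRights.DeleteSubdirectoriesAndFiles
        | FileSystemRights.ChangePermissions | FileSystemRights.TakeOwnership;

    // Returns every Allow ACE on dir that grants Everyone any WriteLike right.
    // Identities are requested as SIDs, so no name translation is involved.
    public static List<FileSystemAccessRule> FindWorldWritableRules(string dir)
    {
        var found = new List<FileSystemAccessRule>();
        DirectorySecurity sec = new DirectoryInfo(dir).GetAccessControl();
        foreach (FileSystemAccessRule rule in
                 sec.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (rule.AccessControlType == AccessControlType.Allow
                && rule.IdentityReference == Everyone
                && (rule.FileSystemRights & WriteLike) != 0)
                found.Add(rule);
        }
        return found;
    }

    // Builds an ACE from a scenario label; unknown labels throw rather than
    // silently producing a rule with the wrong scope.
    public static FileSystemAccessRule RuleFor(IdentityReference who, FileSystemRights rights,
                                              string scenario, AccessControlType type)
    {
        if (!Scenarios.TryGetValue(scenario, out var f))
            throw new ArgumentException("Unknown scenario: " + scenario, nameof(scenario));
        return new FileSystemAccessRule(who, rights, f.Inherit, f.Propagate, type);
    }

    // Drops the explicit world-writable ACEs and grants Everyone read-only
    // access to this folder, subfolders and files instead. Inherited ACEs are
    // reported but left alone: they can only be changed on the parent, or by
    // breaking inheritance with SetAccessRuleProtection.
    public static int HardenEveryone(string dir)
    {
        DirectorySecurity sec = new DirectoryInfo(dir).GetAccessControl();
        int removed = 0;
        foreach (FileSystemAccessRule rule in FindWorldWritableRules(dir))
        {
            if (rule.IsInherited)
            {
                Console.WriteLine("Inherited from parent, not changed: " + rule.FileSystemRights);
                continue;
            }
            if (sec.RemoveAccessRule(rule)) removed++;
        }
        sec.AddAccessRule(RuleFor(Everyone, FileSystemRights.ReadAndExecute,
                                  "This folder, subfolders and files", AccessControlType.Allow));
        new DirectoryInfo(dir).SetAccessControl(sec);
        return removed;
    }

    static void Main(string[] args)
    {
        // Assumed usage: AclAudit <dir> [--fix]; the default path is the one used in the post.
        string dir = args.Length > 0 ? args[0] : @"C:\Temp\ACLTEST";
        foreach (FileSystemAccessRule r in FindWorldWritableRules(dir))
            Console.WriteLine("{0} Allow for Everyone: {1}",
                              r.IsInherited ? "inherited" : "explicit", r.FileSystemRights);
        if (Array.IndexOf(args, "--fix") >= 0)
            Console.WriteLine("Removed " + HardenEveryone(dir) + " explicit rule(s).");
    }
}
```

Run it as an account that is allowed to read and, for --fix, to change the folder's security descriptor; the same account question applies to a service, which is why the sample in the post behaves differently under a Windows Service account than under the interactive user. Requesting rules as SecurityIdentifier rather than NTAccount also avoids the name lookup, so the audit works on systems where the group name is localized.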

Posted Jun 18 2007, 12:23 PM by Damir Dobric

Comments

Chrissy wrote re: Directory Security and Access Rules
on 07-23-2007 8:46

That list contained exactly what I needed to know! Thank you!

Pingback from » PowerShell: Set-Acl Does Not Appear to Work
on 07-29-2007 0:07

daree wrote re: Directory Security and Access Rules
on 08-30-2007 13:51

I compiled the exact same code in a Windows Service; it doesn't work. Somehow it crashes around DirectorySecurity dirSec = Directory.GetAccessControl(dir);

Damir Dobric wrote re: Directory Security and Access Rules
on 08-30-2007 14:10

I’m not sure what your problem is. However, it could be that the operating system you use is not the English one. For example, on the German system there is no group “everyone”. That group is called “jeder” in German.

Try to use the generic naming of groups and not hard coded names.

daree wrote re: Directory Security and Access Rules
on 08-30-2007 14:35

thanks Damir,

My actual problem is, let's say if I remove all the security from the directory, the program can't get the access control for that particular folder (when I run my program as a Windows Service). However, if I create an application and run the code, it works fine. Is it because a Windows Service can't get the access control for any directory?

Damir Dobric wrote re: Directory Security and Access Rules
on 08-30-2007 14:43

It seems that the user under which the service is running has different permissions than the interactive user (you), who starts the application. I would check the permissions of the user running the service (System, LocalService, Network Service etc.).

daree wrote re: Directory Security and Access Rules
on 08-30-2007 14:45

It is running as System.

Damir Dobric wrote re: Directory Security and Access Rules
on 08-30-2007 15:03

If that account has no permission to the folder, then it will not work?!

daree wrote re: Directory Security and Access Rules
on 08-30-2007 15:08

Thanks for your prompt help Damir, I was just wondering because it works well with an application but the same thing doesn't work with a Windows Service.

I will try out a few more techniques; maybe I'm missing out on something.

Resimler wrote re: Directory Security and Access Rules
on 04-14-2008 17:21

Thank you Damir Dobric. This is very good information, I like this blog, thanks for your time and effort.

Ric wrote re: Directory Security and Access Rules
on 05-27-2009 20:20

I see this is an old thread but a great article and the chart above has proven to be very helpful.

I was wondering though if there is a "FILES ONLY" setting?

Ric wrote re: Directory Security and Access Rules
on 05-29-2009 0:51

Never mind, maybe it was a silly question but I figured it out:

(InheritanceFlags.ObjectInherit), PropagationFlags.InheritOnly

Thanks again for the nice article. It really did help!

Paul Bergson wrote re: Directory Security and Access Rules
on 12-08-2010 14:52

I also needed "File Only" and after a whole bunch of playing I started dumping the access property:

Get-Acl fileLocation |select -ExpandProperty access

This allowed me to make comparisons and I found that by the following two settings I was able to get things to work:

$InheritanceFlag = "ObjectInherit"

$PropagationFlag = "InheritOnly"

Camille Le Mouëllic wrote re: Directory Security and Access Rules
on 10-12-2011 10:14

Hi Ric, Paul,

I've written a post on the different Security Descriptors' Inheritance and Propagation file possibilities, including "File Only".

Have a check:

camillelemouellic.blog.com/.../powershell-security-descriptors-inheritance-and-propagation-flag-possibilities

(It's aimed at Powershell, but it's using .NET all the same, it might prove useful to you).

developers.de is a .Net Community Blog powered by daenet GmbH.