NTFS ACLs from C# (Whidbey)

Mark,
I think that using string security descriptors and then translating them to
binary security descriptors is the most efficient way of doing that sort of
things. Here is your sd:

D:(A;;GR;;;NS)( A;CIOIIO;GR;;;N S)

After that you just call ConvertStringSe curityDescripto rToSecurityDesc riptor
API and done with it with just tree lines of code :-).

-Valery.
http://www.harper.no/valery

"Mark A. Richman" <no****@nospam. com> wrote in message
news:%2******** ********@tk2msf tngp13.phx.gbl. ..
I'm using the new System.Security .AccessControl stuff in 2.0.

This is a snippet typical of what I've done (this example sets Read access
for Network Service on 'myFolder' and all subfolders and files)

SecurityIdentif ier siNetworkServic e = new
SecurityIdentif ier(WellKnownSi dType.NetworkSe rviceSid, null);
NTAccount ntaNetworkServi ce = siNetworkServic e.Translate(typ eof(NTAccount))
as NTAccount;
DirectoryInfo diMyFolder = new DirectoryInfo(m yFolder);
DirectorySecuri ty dsMyFolder = diMyFolder.GetA ccessControl();
FileSystemAcces sRule fsarNetworkServ ice = new
FileSystemAcces sRule(ntaNetwor kService, FileSystemRight s.Read,
AccessControlTy pe.Allow);
FileSystemAcces sRule fsarNetworkServ ice2 = new
FileSystemAcces sRule(ntaNetwor kService, FileSystemRight s.Read,
InheritanceFlag s.ContainerInhe rit | InheritanceFlag s.ObjectInherit ,
PropagationFlag s.InheritOnly, AccessControlTy pe.Allow);

// I can't figure out why I need two ACEs for this, but I can't get the
// behavior for this folder, child folder and files, and propagate all
// to work in one line of code. The InheritanceFlag s and PropagationFlag s
// don't like to be mixed with the line above. Try it without the 2nd line
// and you'll see what I mean. Bug in .NET Fx?

dsMyFolder.AddA ccessRule(fsarN etworkService);
dsMyFolder.AddA ccessRule(fsarN etworkService2) ;
diMyFolder.SetA ccessControl(ds MyFolder);

Any idea why that 2nd ACE is required? Is there a way to set this ACL with
fewer lines of code? I have about a dozen rules like this, and it adds up to
about 100 lines of code.

- Mark

--
MARK RICHMAN

Mark,

The forums for Beta testing and related

http://forums.microsoft.com/MSDN/default.aspx

I hope this helps a little bit?

Cor

Valery,

Since it's just three lines of code, may I ask for an example? Also, can
you provide a link to that descriptor format?

--
MARK RICHMAN

"Valery Pryamikov" <va****@harper. no> wrote in message
news:%2******** *********@TK2MS FTNGP12.phx.gbl ...

Mark,
I think that using string security descriptors and then translating them
to binary security descriptors is the most efficient way of doing that
sort of things. Here is your sd:

D:(A;;GR;;;NS)( A;CIOIIO;GR;;;N S)

After that you just call
ConvertStringSe curityDescripto rToSecurityDesc riptor API and done with it
with just tree lines of code :-).

-Valery.
http://www.harper.no/valery

"Mark A. Richman" <no****@nospam. com> wrote in message
news:%2******** ********@tk2msf tngp13.phx.gbl. ..
I'm using the new System.Security .AccessControl stuff in 2.0.

This is a snippet typical of what I've done (this example sets Read access
for Network Service on 'myFolder' and all subfolders and files)

SecurityIdentif ier siNetworkServic e = new
SecurityIdentif ier(WellKnownSi dType.NetworkSe rviceSid, null);
NTAccount ntaNetworkServi ce =
siNetworkServic e.Translate(typ eof(NTAccount)) as NTAccount;
DirectoryInfo diMyFolder = new DirectoryInfo(m yFolder);
DirectorySecuri ty dsMyFolder = diMyFolder.GetA ccessControl();
FileSystemAcces sRule fsarNetworkServ ice = new
FileSystemAcces sRule(ntaNetwor kService, FileSystemRight s.Read,
AccessControlTy pe.Allow);
FileSystemAcces sRule fsarNetworkServ ice2 = new
FileSystemAcces sRule(ntaNetwor kService, FileSystemRight s.Read,
InheritanceFlag s.ContainerInhe rit | InheritanceFlag s.ObjectInherit ,
PropagationFlag s.InheritOnly, AccessControlTy pe.Allow);

// I can't figure out why I need two ACEs for this, but I can't get the
// behavior for this folder, child folder and files, and propagate all
// to work in one line of code. The InheritanceFlag s and PropagationFlag s
// don't like to be mixed with the line above. Try it without the 2nd line
// and you'll see what I mean. Bug in .NET Fx?

dsMyFolder.AddA ccessRule(fsarN etworkService);
dsMyFolder.AddA ccessRule(fsarN etworkService2) ;
diMyFolder.SetA ccessControl(ds MyFolder);

Any idea why that 2nd ACE is required? Is there a way to set this ACL with
fewer lines of code? I have about a dozen rules like this, and it adds up
to about 100 lines of code.

- Mark

--
MARK RICHMAN

Since you are using Whidbey, you simply could call
SetSecurityDesc riptorSddlForm method of any XXXSecurity based class
ex.

DirectorySecuri ty dirSec = Directory.GetAc cessControl("C: \\TestDirectory ");
dirSec.SetSecur ityDescriptorSd dlForm("D:(A;;G R;;;NS)(A;CIOII O;GR;;;NS)");
Directory.SetAc cessControl("C: \\TestDirectory ", dirSec);

Documentation of SDDL format could be found here:
http://msdn.microsoft.com/library/de...descriptor.asp

(watch for line breaks)

in C++ it it looks like:
if
(!ConvertString SecurityDescrip torToSecurityDe scriptor(_T("D: (A;;GR;;;NS)(A; CIOIIO;GR;;;NS) "),
SDDL_REVISION_1 , (PSECURITY_DESC RIPTOR *)pDescriptor, NULL))
// you can return error here. ex: return GetLastError();

-Valery.
http://www.harper.no/valery

"Mark A. Richman" <no****@nospam. com> wrote in message
news:uw******** ******@TK2MSFTN GP09.phx.gbl...

Valery,

Since it's just three lines of code, may I ask for an example? Also, can
you provide a link to that descriptor format?

--
MARK RICHMAN

"Valery Pryamikov" <va****@harper. no> wrote in message
news:%2******** *********@TK2MS FTNGP12.phx.gbl ...

Mark,
I think that using string security descriptors and then translating them
to binary security descriptors is the most efficient way of doing that
sort of things. Here is your sd:

D:(A;;GR;;;NS)( A;CIOIIO;GR;;;N S)

After that you just call
ConvertStringSe curityDescripto rToSecurityDesc riptor API and done with it
with just tree lines of code :-).

-Valery.
http://www.harper.no/valery

"Mark A. Richman" <no****@nospam. com> wrote in message
news:%2******** ********@tk2msf tngp13.phx.gbl. ..
I'm using the new System.Security .AccessControl stuff in 2.0.

This is a snippet typical of what I've done (this example sets Read
access for Network Service on 'myFolder' and all subfolders and files)

SecurityIdentif ier siNetworkServic e = new
SecurityIdentif ier(WellKnownSi dType.NetworkSe rviceSid, null);
NTAccount ntaNetworkServi ce =
siNetworkServic e.Translate(typ eof(NTAccount)) as NTAccount;
DirectoryInfo diMyFolder = new DirectoryInfo(m yFolder);
DirectorySecuri ty dsMyFolder = diMyFolder.GetA ccessControl();
FileSystemAcces sRule fsarNetworkServ ice = new
FileSystemAcces sRule(ntaNetwor kService, FileSystemRight s.Read,
AccessControlTy pe.Allow);
FileSystemAcces sRule fsarNetworkServ ice2 = new
FileSystemAcces sRule(ntaNetwor kService, FileSystemRight s.Read,
InheritanceFlag s.ContainerInhe rit | InheritanceFlag s.ObjectInherit ,
PropagationFlag s.InheritOnly, AccessControlTy pe.Allow);

// I can't figure out why I need two ACEs for this, but I can't get the
// behavior for this folder, child folder and files, and propagate all
// to work in one line of code. The InheritanceFlag s and PropagationFlag s
// don't like to be mixed with the line above. Try it without the 2nd
line
// and you'll see what I mean. Bug in .NET Fx?

dsMyFolder.AddA ccessRule(fsarN etworkService);
dsMyFolder.AddA ccessRule(fsarN etworkService2) ;
diMyFolder.SetA ccessControl(ds MyFolder);

Any idea why that 2nd ACE is required? Is there a way to set this ACL
with fewer lines of code? I have about a dozen rules like this, and it
adds up to about 100 lines of code.

- Mark

--
MARK RICHMAN