NTFS ACLs from C# (Whidbey)

Mark,
I think that using string security descriptors and then translating them to
binary security descriptors is the most efficient way of doing that sort of
things. Here is your sd:

D:(A;;GR;;;NS)(A;CIOIIO;GR;;;NS)

After that you just call ConvertStringSecurityDescriptorToSecurityDescripto r
API and done with it with just tree lines of code :-).

-Valery.
http://www.harper.no/valery

"Mark A. Richman" <no****@nospam.com> wrote in message
news:%2****************@tk2msftngp13.phx.gbl...
I'm using the new System.Security.AccessControl stuff in 2.0.

This is a snippet typical of what I've done (this example sets Read access
for Network Service on 'myFolder' and all subfolders and files)

SecurityIdentifier siNetworkService = new
SecurityIdentifier(WellKnownSidType.NetworkService Sid, null);
NTAccount ntaNetworkService = siNetworkService.Translate(typeof(NTAccount))
as NTAccount;
DirectoryInfo diMyFolder = new DirectoryInfo(myFolder);
DirectorySecurity dsMyFolder = diMyFolder.GetAccessControl();
FileSystemAccessRule fsarNetworkService = new
FileSystemAccessRule(ntaNetworkService, FileSystemRights.Read,
AccessControlType.Allow);
FileSystemAccessRule fsarNetworkService2 = new
FileSystemAccessRule(ntaNetworkService, FileSystemRights.Read,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.InheritOnly, AccessControlType.Allow);

// I can't figure out why I need two ACEs for this, but I can't get the
// behavior for this folder, child folder and files, and propagate all
// to work in one line of code. The InheritanceFlags and PropagationFlags
// don't like to be mixed with the line above. Try it without the 2nd line
// and you'll see what I mean. Bug in .NET Fx?

dsMyFolder.AddAccessRule(fsarNetworkService);
dsMyFolder.AddAccessRule(fsarNetworkService2);
diMyFolder.SetAccessControl(dsMyFolder);

Any idea why that 2nd ACE is required? Is there a way to set this ACL with
fewer lines of code? I have about a dozen rules like this, and it adds up to
about 100 lines of code.

- Mark

--
MARK RICHMAN

Mark,

The forums for Beta testing and related

http://forums.microsoft.com/MSDN/default.aspx

I hope this helps a little bit?

Cor

Valery,

Since it's just three lines of code, may I ask for an example? Also, can
you provide a link to that descriptor format?

--
MARK RICHMAN

"Valery Pryamikov" <va****@harper.no> wrote in message
news:%2*****************@TK2MSFTNGP12.phx.gbl...

Mark,
I think that using string security descriptors and then translating them
to binary security descriptors is the most efficient way of doing that
sort of things. Here is your sd:

D:(A;;GR;;;NS)(A;CIOIIO;GR;;;NS)

After that you just call
ConvertStringSecurityDescriptorToSecurityDescripto r API and done with it
with just tree lines of code :-).

-Valery.
http://www.harper.no/valery

"Mark A. Richman" <no****@nospam.com> wrote in message
news:%2****************@tk2msftngp13.phx.gbl...
I'm using the new System.Security.AccessControl stuff in 2.0.

This is a snippet typical of what I've done (this example sets Read access
for Network Service on 'myFolder' and all subfolders and files)

SecurityIdentifier siNetworkService = new
SecurityIdentifier(WellKnownSidType.NetworkService Sid, null);
NTAccount ntaNetworkService =
siNetworkService.Translate(typeof(NTAccount)) as NTAccount;
DirectoryInfo diMyFolder = new DirectoryInfo(myFolder);
DirectorySecurity dsMyFolder = diMyFolder.GetAccessControl();
FileSystemAccessRule fsarNetworkService = new
FileSystemAccessRule(ntaNetworkService, FileSystemRights.Read,
AccessControlType.Allow);
FileSystemAccessRule fsarNetworkService2 = new
FileSystemAccessRule(ntaNetworkService, FileSystemRights.Read,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.InheritOnly, AccessControlType.Allow);

// I can't figure out why I need two ACEs for this, but I can't get the
// behavior for this folder, child folder and files, and propagate all
// to work in one line of code. The InheritanceFlags and PropagationFlags
// don't like to be mixed with the line above. Try it without the 2nd line
// and you'll see what I mean. Bug in .NET Fx?

dsMyFolder.AddAccessRule(fsarNetworkService);
dsMyFolder.AddAccessRule(fsarNetworkService2);
diMyFolder.SetAccessControl(dsMyFolder);

Any idea why that 2nd ACE is required? Is there a way to set this ACL with
fewer lines of code? I have about a dozen rules like this, and it adds up
to about 100 lines of code.

- Mark

--
MARK RICHMAN

Since you are using Whidbey, you simply could call
SetSecurityDescriptorSddlForm method of any XXXSecurity based class
ex.

DirectorySecurity dirSec = Directory.GetAccessControl("C:\\TestDirectory");
dirSec.SetSecurityDescriptorSddlForm("D:(A;;GR;;;N S)(A;CIOIIO;GR;;;NS)");
Directory.SetAccessControl("C:\\TestDirectory", dirSec);

Documentation of SDDL format could be found here:
http://msdn.microsoft.com/library/de...descriptor.asp

(watch for line breaks)

in C++ it it looks like:
if
(!ConvertStringSecurityDescriptorToSecurityDescrip tor(_T("D:(A;;GR;;;NS)(A;CIOIIO;GR;;;NS)"),
SDDL_REVISION_1, (PSECURITY_DESCRIPTOR *)pDescriptor, NULL))
// you can return error here. ex: return GetLastError();

-Valery.
http://www.harper.no/valery

"Mark A. Richman" <no****@nospam.com> wrote in message
news:uw**************@TK2MSFTNGP09.phx.gbl...

Valery,

Since it's just three lines of code, may I ask for an example? Also, can
you provide a link to that descriptor format?

--
MARK RICHMAN

"Valery Pryamikov" <va****@harper.no> wrote in message
news:%2*****************@TK2MSFTNGP12.phx.gbl...

Mark,
I think that using string security descriptors and then translating them
to binary security descriptors is the most efficient way of doing that
sort of things. Here is your sd:

D:(A;;GR;;;NS)(A;CIOIIO;GR;;;NS)

After that you just call
ConvertStringSecurityDescriptorToSecurityDescripto r API and done with it
with just tree lines of code :-).

-Valery.
http://www.harper.no/valery

"Mark A. Richman" <no****@nospam.com> wrote in message
news:%2****************@tk2msftngp13.phx.gbl...
I'm using the new System.Security.AccessControl stuff in 2.0.

This is a snippet typical of what I've done (this example sets Read
access for Network Service on 'myFolder' and all subfolders and files)

SecurityIdentifier siNetworkService = new
SecurityIdentifier(WellKnownSidType.NetworkService Sid, null);
NTAccount ntaNetworkService =
siNetworkService.Translate(typeof(NTAccount)) as NTAccount;
DirectoryInfo diMyFolder = new DirectoryInfo(myFolder);
DirectorySecurity dsMyFolder = diMyFolder.GetAccessControl();
FileSystemAccessRule fsarNetworkService = new
FileSystemAccessRule(ntaNetworkService, FileSystemRights.Read,
AccessControlType.Allow);
FileSystemAccessRule fsarNetworkService2 = new
FileSystemAccessRule(ntaNetworkService, FileSystemRights.Read,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.InheritOnly, AccessControlType.Allow);

// I can't figure out why I need two ACEs for this, but I can't get the
// behavior for this folder, child folder and files, and propagate all
// to work in one line of code. The InheritanceFlags and PropagationFlags
// don't like to be mixed with the line above. Try it without the 2nd
line
// and you'll see what I mean. Bug in .NET Fx?

dsMyFolder.AddAccessRule(fsarNetworkService);
dsMyFolder.AddAccessRule(fsarNetworkService2);
diMyFolder.SetAccessControl(dsMyFolder);

Any idea why that 2nd ACE is required? Is there a way to set this ACL
with fewer lines of code? I have about a dozen rules like this, and it
adds up to about 100 lines of code.

- Mark

--
MARK RICHMAN