473,226 Members | 1,345 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,226 software developers and data experts.

NTFS ACLs from C# (Whidbey)

I'm using the new System.Security.AccessControl stuff in 2.0.

This is a snippet typical of what I've done (this example sets Read access for Network Service on 'myFolder' and all subfolders and files)

SecurityIdentifier siNetworkService = new SecurityIdentifier(WellKnownSidType.NetworkService Sid, null);
NTAccount ntaNetworkService = siNetworkService.Translate(typeof(NTAccount)) as NTAccount;
DirectoryInfo diMyFolder = new DirectoryInfo(myFolder);
DirectorySecurity dsMyFolder = diMyFolder.GetAccessControl();
FileSystemAccessRule fsarNetworkService = new FileSystemAccessRule(ntaNetworkService, FileSystemRights.Read, AccessControlType.Allow);
FileSystemAccessRule fsarNetworkService2 = new FileSystemAccessRule(ntaNetworkService, FileSystemRights.Read, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow);

// I can't figure out why I need two ACEs for this, but I can't get the
// behavior for this folder, child folder and files, and propagate all
// to work in one line of code. The InheritanceFlags and PropagationFlags
// don't like to be mixed with the line above. Try it without the 2nd line
// and you'll see what I mean. Bug in .NET Fx?

dsMyFolder.AddAccessRule(fsarNetworkService);
dsMyFolder.AddAccessRule(fsarNetworkService2);
diMyFolder.SetAccessControl(dsMyFolder);

Any idea why that 2nd ACE is required? Is there a way to set this ACL with fewer lines of code? I have about a dozen rules like this, and it adds up to about 100 lines of code.

- Mark

--
MARK RICHMAN
Jul 21 '05 #1
4 4971
Mark,
I think that using string security descriptors and then translating them to
binary security descriptors is the most efficient way of doing that sort of
things. Here is your sd:

D:(A;;GR;;;NS)(A;CIOIIO;GR;;;NS)

After that you just call ConvertStringSecurityDescriptorToSecurityDescripto r
API and done with it with just tree lines of code :-).

-Valery.
http://www.harper.no/valery

"Mark A. Richman" <no****@nospam.com> wrote in message
news:%2****************@tk2msftngp13.phx.gbl...
I'm using the new System.Security.AccessControl stuff in 2.0.

This is a snippet typical of what I've done (this example sets Read access
for Network Service on 'myFolder' and all subfolders and files)

SecurityIdentifier siNetworkService = new
SecurityIdentifier(WellKnownSidType.NetworkService Sid, null);
NTAccount ntaNetworkService = siNetworkService.Translate(typeof(NTAccount))
as NTAccount;
DirectoryInfo diMyFolder = new DirectoryInfo(myFolder);
DirectorySecurity dsMyFolder = diMyFolder.GetAccessControl();
FileSystemAccessRule fsarNetworkService = new
FileSystemAccessRule(ntaNetworkService, FileSystemRights.Read,
AccessControlType.Allow);
FileSystemAccessRule fsarNetworkService2 = new
FileSystemAccessRule(ntaNetworkService, FileSystemRights.Read,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.InheritOnly, AccessControlType.Allow);

// I can't figure out why I need two ACEs for this, but I can't get the
// behavior for this folder, child folder and files, and propagate all
// to work in one line of code. The InheritanceFlags and PropagationFlags
// don't like to be mixed with the line above. Try it without the 2nd line
// and you'll see what I mean. Bug in .NET Fx?

dsMyFolder.AddAccessRule(fsarNetworkService);
dsMyFolder.AddAccessRule(fsarNetworkService2);
diMyFolder.SetAccessControl(dsMyFolder);

Any idea why that 2nd ACE is required? Is there a way to set this ACL with
fewer lines of code? I have about a dozen rules like this, and it adds up to
about 100 lines of code.

- Mark

--
MARK RICHMAN

Jul 21 '05 #2
Mark,

The forums for Beta testing and related

http://forums.microsoft.com/MSDN/default.aspx

I hope this helps a little bit?

Cor
Jul 21 '05 #3
Valery,

Since it's just three lines of code, may I ask for an example? Also, can
you provide a link to that descriptor format?

--
MARK RICHMAN

"Valery Pryamikov" <va****@harper.no> wrote in message
news:%2*****************@TK2MSFTNGP12.phx.gbl...
Mark,
I think that using string security descriptors and then translating them
to binary security descriptors is the most efficient way of doing that
sort of things. Here is your sd:

D:(A;;GR;;;NS)(A;CIOIIO;GR;;;NS)

After that you just call
ConvertStringSecurityDescriptorToSecurityDescripto r API and done with it
with just tree lines of code :-).

-Valery.
http://www.harper.no/valery

"Mark A. Richman" <no****@nospam.com> wrote in message
news:%2****************@tk2msftngp13.phx.gbl...
I'm using the new System.Security.AccessControl stuff in 2.0.

This is a snippet typical of what I've done (this example sets Read access
for Network Service on 'myFolder' and all subfolders and files)

SecurityIdentifier siNetworkService = new
SecurityIdentifier(WellKnownSidType.NetworkService Sid, null);
NTAccount ntaNetworkService =
siNetworkService.Translate(typeof(NTAccount)) as NTAccount;
DirectoryInfo diMyFolder = new DirectoryInfo(myFolder);
DirectorySecurity dsMyFolder = diMyFolder.GetAccessControl();
FileSystemAccessRule fsarNetworkService = new
FileSystemAccessRule(ntaNetworkService, FileSystemRights.Read,
AccessControlType.Allow);
FileSystemAccessRule fsarNetworkService2 = new
FileSystemAccessRule(ntaNetworkService, FileSystemRights.Read,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.InheritOnly, AccessControlType.Allow);

// I can't figure out why I need two ACEs for this, but I can't get the
// behavior for this folder, child folder and files, and propagate all
// to work in one line of code. The InheritanceFlags and PropagationFlags
// don't like to be mixed with the line above. Try it without the 2nd line
// and you'll see what I mean. Bug in .NET Fx?

dsMyFolder.AddAccessRule(fsarNetworkService);
dsMyFolder.AddAccessRule(fsarNetworkService2);
diMyFolder.SetAccessControl(dsMyFolder);

Any idea why that 2nd ACE is required? Is there a way to set this ACL with
fewer lines of code? I have about a dozen rules like this, and it adds up
to about 100 lines of code.

- Mark

--
MARK RICHMAN

Jul 21 '05 #4
Since you are using Whidbey, you simply could call
SetSecurityDescriptorSddlForm method of any XXXSecurity based class
ex.

DirectorySecurity dirSec = Directory.GetAccessControl("C:\\TestDirectory");
dirSec.SetSecurityDescriptorSddlForm("D:(A;;GR;;;N S)(A;CIOIIO;GR;;;NS)");
Directory.SetAccessControl("C:\\TestDirectory", dirSec);

Documentation of SDDL format could be found here:
http://msdn.microsoft.com/library/de...descriptor.asp

(watch for line breaks)

in C++ it it looks like:
if
(!ConvertStringSecurityDescriptorToSecurityDescrip tor(_T("D:(A;;GR;;;NS)(A;CIOIIO;GR;;;NS)"),
SDDL_REVISION_1, (PSECURITY_DESCRIPTOR *)pDescriptor, NULL))
// you can return error here. ex: return GetLastError();

-Valery.
http://www.harper.no/valery

"Mark A. Richman" <no****@nospam.com> wrote in message
news:uw**************@TK2MSFTNGP09.phx.gbl...
Valery,

Since it's just three lines of code, may I ask for an example? Also, can
you provide a link to that descriptor format?

--
MARK RICHMAN

"Valery Pryamikov" <va****@harper.no> wrote in message
news:%2*****************@TK2MSFTNGP12.phx.gbl...
Mark,
I think that using string security descriptors and then translating them
to binary security descriptors is the most efficient way of doing that
sort of things. Here is your sd:

D:(A;;GR;;;NS)(A;CIOIIO;GR;;;NS)

After that you just call
ConvertStringSecurityDescriptorToSecurityDescripto r API and done with it
with just tree lines of code :-).

-Valery.
http://www.harper.no/valery

"Mark A. Richman" <no****@nospam.com> wrote in message
news:%2****************@tk2msftngp13.phx.gbl...
I'm using the new System.Security.AccessControl stuff in 2.0.

This is a snippet typical of what I've done (this example sets Read
access for Network Service on 'myFolder' and all subfolders and files)

SecurityIdentifier siNetworkService = new
SecurityIdentifier(WellKnownSidType.NetworkService Sid, null);
NTAccount ntaNetworkService =
siNetworkService.Translate(typeof(NTAccount)) as NTAccount;
DirectoryInfo diMyFolder = new DirectoryInfo(myFolder);
DirectorySecurity dsMyFolder = diMyFolder.GetAccessControl();
FileSystemAccessRule fsarNetworkService = new
FileSystemAccessRule(ntaNetworkService, FileSystemRights.Read,
AccessControlType.Allow);
FileSystemAccessRule fsarNetworkService2 = new
FileSystemAccessRule(ntaNetworkService, FileSystemRights.Read,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.InheritOnly, AccessControlType.Allow);

// I can't figure out why I need two ACEs for this, but I can't get the
// behavior for this folder, child folder and files, and propagate all
// to work in one line of code. The InheritanceFlags and PropagationFlags
// don't like to be mixed with the line above. Try it without the 2nd
line
// and you'll see what I mean. Bug in .NET Fx?

dsMyFolder.AddAccessRule(fsarNetworkService);
dsMyFolder.AddAccessRule(fsarNetworkService2);
diMyFolder.SetAccessControl(dsMyFolder);

Any idea why that 2nd ACE is required? Is there a way to set this ACL
with fewer lines of code? I have about a dozen rules like this, and it
adds up to about 100 lines of code.

- Mark

--
MARK RICHMAN



Jul 21 '05 #5

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

3
by: Pål Andreassen | last post by:
Running Windows 2003 Server Framework 1.1 A site is configured to use integrated security (in IIS 6) Windows autentication and user impersonation in web.config <identity impersonate="true" />...
2
by: Jim Richards | last post by:
I have been told by a local PC club technician that 98SE cannot read NTFS drives in a network. Is this true? TIA, Jim.
1
by: Morten | last post by:
Hi! I'm trying to figure out how to add a user with full access to an NTFS folder on a Windows 2003 Server using C# (web project). Does anyone have an example of this? I want to keep existing...
0
by: Sherwood | last post by:
My current scenario is users logging in to our website and being directed to a specific directory based on who they are. The ACLs on the destination result in prompts for credentials (the windows...
0
by: spamfurnace | last post by:
Will Whidbey have the features, of a girl i'd like to meet? Will Whidbey be easy to talk to, and rub my tired feet? Will Whidbey bats it eyes at me, and whisper "Baby, your so sweet". Will...
5
by: rogsonl | last post by:
My computer was moved last week, and the company changed the network groups we work on. As a result, one of the main benefits from Whidbey (database connectivity) no longer works. Situation: 1....
1
by: Troy | last post by:
Is there a way in Visual Basic to determine when a user has explicit rights to a directory and when they have rights due to inheritance?
4
by: Mark A. Richman | last post by:
I'm using the new System.Security.AccessControl stuff in 2.0. This is a snippet typical of what I've done (this example sets Read access for Network Service on 'myFolder' and all subfolders and...
5
by: dananrg | last post by:
Is there a standard library module in Python 2.4 (Win32) that will return directory permissions / ACLs (e.g. users, groups, and what rights they have)? Otherwise, I'm faced with sending "cacls...
0
by: VivesProcSPL | last post by:
Obviously, one of the original purposes of SQL is to make data query processing easy. The language uses many English-like terms and syntax in an effort to make it easy to learn, particularly for...
0
by: jianzs | last post by:
Introduction Cloud-native applications are conventionally identified as those designed and nurtured on cloud infrastructure. Such applications, rooted in cloud technologies, skillfully benefit from...
0
by: mar23 | last post by:
Here's the situation. I have a form called frmDiceInventory with subform called subfrmDice. The subform's control source is linked to a query called qryDiceInventory. I've been trying to pick up the...
2
by: jimatqsi | last post by:
The boss wants the word "CONFIDENTIAL" overlaying certain reports. He wants it large, slanted across the page, on every page, very light gray, outlined letters, not block letters. I thought Word Art...
2
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 7 Feb 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:30 (7.30PM). In this month's session, the creator of the excellent VBE...
0
by: fareedcanada | last post by:
Hello I am trying to split number on their count. suppose i have 121314151617 (12cnt) then number should be split like 12,13,14,15,16,17 and if 11314151617 (11cnt) then should be split like...
0
by: stefan129 | last post by:
Hey forum members, I'm exploring options for SSL certificates for multiple domains. Has anyone had experience with multi-domain SSL certificates? Any recommendations on reliable providers or specific...
0
Git
by: egorbl4 | last post by:
Скачал я git, хотел начать настройку, а там вылезло вот это Что это? Что мне с этим делать? ...
0
by: MeoLessi9 | last post by:
I have VirtualBox installed on Windows 11 and now I would like to install Kali on a virtual machine. However, on the official website, I see two options: "Installer images" and "Virtual machines"....

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.