NTFS ACLs from C# (Whidbey)

I'm using the new System.Security.AccessControl stuff in 2.0.

This is a snippet typical of what I've done (this example sets Read access for Network Service on 'myFolder' and all subfolders and files):

    using System.IO;
    using System.Security.AccessControl;
    using System.Security.Principal;

    // myFolder holds the path of the folder being secured.
    SecurityIdentifier siNetworkService =
        new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null);
    NTAccount ntaNetworkService =
        siNetworkService.Translate(typeof(NTAccount)) as NTAccount;
    DirectoryInfo diMyFolder = new DirectoryInfo(myFolder);
    DirectorySecurity dsMyFolder = diMyFolder.GetAccessControl();
    // ACE 1: Read on the folder itself (no inheritance flags).
    FileSystemAccessRule fsarNetworkService = new FileSystemAccessRule(
        ntaNetworkService, FileSystemRights.Read, AccessControlType.Allow);
    // ACE 2: Read inherited by subfolders and files only (InheritOnly).
    FileSystemAccessRule fsarNetworkService2 = new FileSystemAccessRule(
        ntaNetworkService, FileSystemRights.Read,
        InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
        PropagationFlags.InheritOnly, AccessControlType.Allow);

    // I can't figure out why I need two ACEs for this, but I can't get the
    // behavior for this folder, child folder and files, and propagate all
    // to work in one line of code. The InheritanceFlags and PropagationFlags
    // don't like to be mixed with the line above. Try it without the 2nd line
    // and you'll see what I mean. Bug in .NET Fx?
    dsMyFolder.AddAccessRule(fsarNetworkService);
    dsMyFolder.AddAccessRule(fsarNetworkService2);
    diMyFolder.SetAccessControl(dsMyFolder);

Any idea why that 2nd ACE is required? Is there a way to set this ACL with fewer lines of code? I have about a dozen rules like this, and it adds up to about 100 lines of code.

- Mark
--
MARK RICHMAN


Mark,

I think that using string security descriptors and then translating them to binary security descriptors is the most efficient way of doing that sort of thing. Here is your sd:

    D:(A;;GR;;;NS)(A;CIOIIO;GR;;;NS)

After that you just call the ConvertStringSecurityDescriptorToSecurityDescriptor API and are done with it in just three lines of code :-).

-Valery.
http://www.harper.no/valery

"Mark A. Richman" <nospam@nospam.com> wrote in message news:%23VkdN$3bFHA.3400@tk2msftngp13.phx.gbl...


Valery,

Since it's just three lines of code, may I ask for an example? Also, can you provide a link to that descriptor format?

--
MARK RICHMAN

"Valery Pryamikov" <val***@harper.no> wrote in message news:%230ui2K%23bFHA.612@TK2MSFTNGP12.phx.gbl...


Since you are using Whidbey, you could simply call the SetSecurityDescriptorSddlForm method of any XXXSecurity-based class, e.g.:

    DirectorySecurity dirSec = Directory.GetAccessControl("C:\\TestDirectory");
    dirSec.SetSecurityDescriptorSddlForm("D:(A;;GR;;;NS)(A;CIOIIO;GR;;;NS)");
    Directory.SetAccessControl("C:\\TestDirectory", dirSec);

Documentation of the SDDL format can be found here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/convertstringsecuritydescriptortosecuritydescriptor.asp
(watch for line breaks)

In C++ it looks like:

    #include <windows.h>
    #include <sddl.h>
    #include <tchar.h>

    PSECURITY_DESCRIPTOR pDescriptor = NULL;
    if (!ConvertStringSecurityDescriptorToSecurityDescriptor(
            _T("D:(A;;GR;;;NS)(A;CIOIIO;GR;;;NS)"),
            SDDL_REVISION_1,
            &pDescriptor,   // receives a LocalAlloc'd descriptor; LocalFree it when done
            NULL))
    {
        // you can return error here. ex: return GetLastError();
    }

-Valery.
http://www.harper.no/valery

"Mark A. Richman" <nospam@nospam.com> wrote in message news:uwn$eeAcFHA.2960@TK2MSFTNGP09.phx.gbl...


Mark,

The forums for Beta testing and related: http://forums.microsoft.com/MSDN/default.aspx

I hope this helps a little bit?

Cor
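The SDDL string Valery proposes, decoded by a small DACL parser added here as an illustration (it is not code from the thread); the lookup tables cover only the ACE flags, generic rights and SID aliases used in the thread plus a few common ones, and are labelled as constructed. It also answers the original question: the inherit-only flag (IO in SDDL, PropagationFlags.InheritOnly in .NET) excludes the folder itself, which is why a second ACE was needed, whereas one ACE with CI and OI and no IO (PropagationFlags.None) grants exactly the same thing.

```python
import re
from dataclasses import dataclass

# Constructed lookup tables covering the small SDDL subset in this thread
# (plus a few common aliases); real SDDL defines many more tokens.
SID_ALIASES = {"NS": "S-1-5-20", "SY": "S-1-5-18", "BA": "S-1-5-32-544", "WD": "S-1-1-0"}
RIGHTS = {"GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
          "GA": "GENERIC_ALL", "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ"}
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

@dataclass(frozen=True)
class Ace:
    ace_type: str         # "A" = allow, "D" = deny
    flags: frozenset      # two-letter ACE flags: CI, OI, IO, NP, ID, ...
    rights: tuple
    sid: str

    def applies_to(self):
        """Where the ACE is effective on an NTFS folder: the folder itself
        unless IO (inherit-only) is set, subfolders if CI, files if OI."""
        targets = set()
        if "IO" not in self.flags:
            targets.add("self")
        if "CI" in self.flags:
            targets.add("subfolders")
        if "OI" in self.flags:
            targets.add("files")
        return frozenset(targets)

def parse_dacl(sddl):
    """Parse the D: section of an SDDL string into Ace objects."""
    m = re.search(r"D:(?:P|AI|AR)*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL section in SDDL string")
    aces = []
    for t, fl, rt, _obj, _inh, sid in ACE_RE.findall(m.group(1)):
        flags = frozenset(fl[i:i + 2] for i in range(0, len(fl), 2))
        # Rights are either a hex access mask or a run of two-letter tokens.
        rights = (rt,) if rt.startswith("0x") else tuple(
            RIGHTS.get(rt[i:i + 2], rt[i:i + 2]) for i in range(0, len(rt), 2))
        aces.append(Ace(t, flags, rights, SID_ALIASES.get(sid, sid)))
    return aces

def grants(aces):
    """Flatten allow ACEs into (sid, right, target) triples so two DACLs
    can be compared for what they actually permit."""
    return frozenset((a.sid, r, tgt) for a in aces if a.ace_type == "A"
                     for r in a.rights for tgt in a.applies_to())
```

Comparing grants(parse_dacl("D:(A;;GR;;;NS)(A;CIOIIO;GR;;;NS)")) with grants(parse_dacl("D:(A;OICI;GR;;;NS)")) shows the two-ACE and one-ACE forms permit the same (principal, right, target) set.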