The situation I'm trying to address is this: I'm writing an application which multiple users will have access to. Access is restricted based on Windows permissions for folders - users will be granted access to the folder containing the application if needed.
For better or worse, the application stores its data in files on the same network as the application. I don't want users to be able to edit the data directly, so I plan to restrict access to the data files.
The approach I've been trying to use is then to have a 'service user' which does have read/write access to the data, and to use impersonation within the application to 'login' as the service user, perform required read/write, and return to the original user.
I've had a few different attempts at this without luck. Perhaps the simplest/most promising is based on Mark Johnson's answer here:
How do you do Impersonation in .NET?
I use it as follows:
using (new Impersonation(serviceAccount.Domain, serviceAccount.UserName, serviceAccount.Password))
{
DoImport(app);
}
where 'DoImport(app)' performs the reading of the data.
However, this gives an error 'Access to the path '...' is denied'. I'm trying to run this locally (the path is C:...) where I've restricted access to the path for the user I'm logged into but the user I'm trying to impersonate with has access.
Is there something I'm doing wrong here? Is there a better way to achieve what I'm after?
Thanks,
Andrew
The code at the below link seems to do what I'm after:
http://www.codeproject.com/Articles/10090/A-small-C-Class-for-impersonating-a-User
I think the token duplication is the important part, but I'm not exactly sure why.
I did have a further issue doing this - any assemblies that needed to be loaded for the 'DoImport(...)' function couldn't be loaded after the impersonation, access was denied for some reason (sorry for the vagueness, I didn't have time to look into this). Ensuring they're loaded before doing the impersonation, either through some dummy function calls or code to force load (see e.g. Is there a way to force all referenced assemblies to be loaded into the app domain?) did the trick.
The fact the user, which is logged on (or which you try to impersonate) has access rights to the files, does NOT imply, that the application, that you are running, has the rights.
Have you considered running the application under administrator rights? (You got to grant the access to the files to the application!)
Or, if you use debugging and are running it from VisualStuido (or other IDE), try running the IDE under administrator rights first.
This can do the trick in most cases, however, storing the data on a drive, where the users have physical access to it is by no means something I would recommend, have you thought about different ways of storing and accessing your data? Or what are the reasons for having it this way?
You can't gain acces to other useraccounts without Administrator rights, but have you considered to put the files in a shared folder? If you want to identify the creater/owner of the file you could use getowner. Or you could use subfolders in the shared folder. I hope this will help.
Related
I have an Application that needs to store User Info such as their Username and there score and etc...
I have selected LocalApplicationData of the Environment.SpecialFolder Enumeration.
but I can access the directory for my application manually using file explorer and can edit or delete the file that can prove as a weak spot for the application and the users may be able to mess with my application.
So, Is there any directory that I can write to using code that the user will not be able to access it.
tnx
Is there any directory that I can write to using code that the user will not be able to access it.
No. An application run by a user account has the same privileges and permissions as that user. Therefore, there is no way that the application could do something the user couldn't do on his own.
If the data you need to store is intended to be browsed or modified by the user, it should go in Environment.SpecialFolder.Personal.
Otherwise, data should be stored in either Environment.SpecialFolder.ApplicationData (if it should roam with the user account) or Environment.SpecialFolder.LocalApplicationData (if it should not roam with the user, and instead should be limited to the local machine).
Yes, the user can get into these folders and destroy the data. By doing so, they run the risk of breaking your application. You can't secure yourself from yourself.
Develop a "repair" utility that can recover from the damage by recreating the necessary files on startup of your application if necessary.
As your application is running with your users privileges, there is no place your application can access that your user would not be able to access.
Your only option is to use encryption so your user cannot tamper with the file easily once it's written. But even then... what you did with the user's privileges can be undone by the user with the same privileges. You can only make it hard enough so he or she won't bother.
You can not prevent use open the file, but have some method to check if a file is being modified by user.
You can save it at Registry, or if your data is big, you can encrypt it before save to file. When you encrypt data, user can not know which infomartion it contains, and if user open the file and modify it, the data become invalid and you can know it is modified.
I know this question has already been already many times,but doesn't help me tackle my equation.
I currently have a Folder shared for the respective users to be zipped when the user calls the service. I get Access to the path \\IP\FolderName is denied. On research, I found out several solutions for this issue, but none worked.
I tested by trying to zip the files inside the folder and was able to do it successfully. I do not know what might be the issue! I even tried going the bad way by giving permission for Everyone for the folder (out of frustration though) and still was not successful.
My Anonymous, Asp.Net Impersonate and Windows Authentication were enabled.I do not know what might be the issue.
PS: Could I know in what identity the IIS is accessing the folder, so that I can give permissions only to that User.
I can not help you with your main problem, but for the following:
Could I know in what identity the IIS is accessing the folder, so that I can give permissions only to that User.
You need to check what Application Pool is assigned to your application in IIS. Then go to the application pools section and there the user is listed:
As mentioned by Chrfin you need to first find out the Application pool used by your application(Ex: DefaultAppPool, ASP.NET v4.0 etc). Right click on the relevant App pool and go to Advanced Settings there you should see the Identity.
But best way is to go for impersonation, Check this thread for more details. With impersonation what you do is, Giving required folder access permission to an admin user on the web server and whenever you try to access these folder from within your code, you impersonate particular code block,
Using(Impersonator impersonator = new Impersonator())
{
//Write the folder accessing logic here
}
I am trying to create a Directory in .NET using Directory.CreateDirectory, I followed the directions here to give access permission but I am still getting an UnauthorizedAccessException. Does anyone have any advice? Note, this is a web application that uses the IIS7 server.
In the directory you are attempting to create a new directory, make sure that your app pool user has Read/Write permissions for that directory. You have to specifically do that in addition to adding the user to the user groups.
2 more potential issues (+1 to user959729):
you are creating directory at different place than you think you are (i.e. you building path wrong)
the code runs under impersonated account (user's or anonymous) and such user does not have permissions to create folder (to verify try check System.Environment.UserName before creating directory). To fix you need to run code as process account.
Is there any way to get list of all users who have access to a SVN project with SharpSVN?
A user may not add/edit any file, yet, but he has access to that project.
No. Whoever has access is determined by the server and there is no way to retrieve this for any specific server. On the server side you might look in the config files to see who has access, but this could be something like 'anybody on this active directory domain'.
my problem is, I want to create a new folder and make it impossible (or reasonably hard) for the user to change its name or to delete it. The thing is, the user must be able to access the files contained within that folder and change them in any way he pleases. Using the examples I've been finding in the net all I get is making it impossible to change the files INSIDE the folder, and not the folder itself.
Thanks in advance ;)
As long as that folder is created by the user's account (assuming that you're creating the folder programmatically by your application), the user will be able to edit the folder. The best way to protect that folder from tampering would be to write a very small windows service that keeps that folder always open, thus preventing deletion/renaming.
This might be helpful.
http://technet.microsoft.com/en-us/library/cc732880.aspx
It seems you want to allow the "Create Files/Write Data" permission but not allow "control" of the parent folder.
You should be able to set up an ACL to do this. Give them "List folder contents" rights and then selectively give them additional extended rights without giving them modify attributes rights.
The service answer is a bad idea. I might work, but is not the best way to do it. The key with windows directory and folder security is the "owner" of a folder. As an administrator you can always take ownership of a folder or file. BUT if the file has a different owner and that owner has granted you rights you won't have any other rights until you go in and take ownership.
What you want to do is create a special account on the machine (often called a service account) which is the identity the program runs under. This account has admin rights and is the owner of any files it creates. Then it can allow whatever access it wants to grant to users of files and folders it creates.
The admin will always be able to take ownership if they want to, but most users don't even know how to do this.