I have used the code below to allow Everyone access to a folder:
System.Security.AccessControl.DirectorySecurity sec =
System.IO.Directory.GetAccessControl(directory, AccessControlSections.All);
FileSystemAccessRule accRule = new FileSystemAccessRule("Everyone",
FileSystemRights.Modify,
AccessControlType.Allow);
sec.AddAccessRule(accRule); // setACL
sec.ResetAccessRule(accRule);
Now, the Everyone user is added to the folder, but not with any rights assigned. All the read, write, execute etc. checkboxes are not checked.
First thing I want to tell you is how I found this solution. This is probably more important than the answer because file permissions are hard to get correct.
First thing I did was set the permissions I wanted using the Windows dialogs and checkboxes. I added a rule for "Everyone" and ticked all boxes except "Full Control".
Then I wrote this C# code to tell me exactly what parameters I need to duplicate the Windows settings:
string path = #"C:\Users\you\Desktop\perms"; // path to directory whose settings you have already correctly configured
DirectorySecurity sec = Directory.GetAccessControl(path);
foreach (FileSystemAccessRule acr in sec.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount))) {
Console.WriteLine("{0} | {1} | {2} | {3} | {4}", acr.IdentityReference.Value, acr.FileSystemRights, acr.InheritanceFlags, acr.PropagationFlags, acr.AccessControlType);
}
This gave me this line of output:
Everyone | Modify, Synchronize | ContainerInherit, ObjectInherit | None | Allow
So the solution is simple (yet hard to get right if you don't know what to look for!):
DirectorySecurity sec = Directory.GetAccessControl(path);
// Using this instead of the "Everyone" string means we work on non-English systems.
SecurityIdentifier everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
sec.AddAccessRule(new FileSystemAccessRule(everyone, FileSystemRights.Modify | FileSystemRights.Synchronize, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow));
Directory.SetAccessControl(path, sec);
This will make the checkboxes on the Windows security dialog match what you have already set for your test directory.
The below code checks for the folder existence, if not created, creates one. And then sets every user- permission of that folder with full permission (read & write).
string file = #"D:\Richi";
private static void GrantAccess(string file)
{
bool exists = System.IO.Directory.Exists(file);
if (!exists)
{
DirectoryInfo di = System.IO.Directory.CreateDirectory(file);
Console.WriteLine("The Folder is created Sucessfully");
}
else
{
Console.WriteLine("The Folder already exists");
}
DirectoryInfo dInfo = new DirectoryInfo(file);
DirectorySecurity dSecurity = dInfo.GetAccessControl();
dSecurity.AddAccessRule(new FileSystemAccessRule(new SecurityIdentifier(WellKnownSidType.WorldSid, null), FileSystemRights.FullControl, InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.NoPropagateInherit, AccessControlType.Allow));
dInfo.SetAccessControl(dSecurity);
}
use FileSystemRights.FullControl instead of FileSystemRights.Modify if you want to allow all actions (ACL).
Related
Quick question if anyone happens to know. I'm working on a Worker app in dotnet6 that is intended to be made into a service and I need to store a json file somewhere. Doing some research it seems like CommonApplicationData(ex: "C:/ProgramData") is the place to go. My question is, I can't seem to write a file to that folder. I am able to create a directory just fine. But my access is denied to creating an actual file.
This service will be used on servers in the field right now and cannot answer UAC prompts. I'm unsure what else to do. I can have the file created manually and access, edit it. That seems to work fine. But I'd like to have a logs files dynamically created and more.
Heres the code("its pretty basic")
var dirPath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData), "MyServerService");
var path = dirPath + "\\service.json";
var doesDirExist = Directory.Exists(dirPath);
var doesFileExist = File.Exists(path);
if (!doesDirExist || !doesFileExist)
{
Directory.CreateDirectory(dirPath); //<- directory is created just fine
using var file = File.Create(dirPath); // <- fails here (access is denied)
//do stuff
}
This bit of code worked for me. It was indeed a permission issue with the directory being created.
public static bool CreateDirWithAccess(string fullPath, bool readOnly)
{
var dInfo = Directory.CreateDirectory(fullPath);
DirectorySecurity dSecurity = dInfo.GetAccessControl();
dSecurity.AddAccessRule(new FileSystemAccessRule(new SecurityIdentifier(WellKnownSidType.WorldSid, null), readOnly ? FileSystemRights.Read : FileSystemRights.FullControl, InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.NoPropagateInherit, AccessControlType.Allow));
dInfo.SetAccessControl(dSecurity);
return true;
}
I want to programmatically give the local user group <MachineName>\IIS_IUSRS access to a folder and its subfolders.
My current code is looking like this:
DirectoryInfo directoryInfo = new DirectoryInfo(path);
DirectorySecurity directorySecurity = directoryInfo.GetAccessControl();
var groupName = Environment.MachineName + #"\IIS_IUSRS";
directorySecurity.AddAccessRule(
new FileSystemAccessRule(groupName,
FileSystemRights.Read,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow));
directoryInfo.SetAccessControl(directorySecurity);
But this is throwing a System.Security.Principal.IdentityNotMappedException. Replacing groupName with the SID for new SecurityIdentifier(WellKnownSidType.WorldSid, null); is working.
Do I need to get a SecurityIdenfier for a group and if yes how do I do that? Or do I need to do it completely different for groups?
Edit: BUILTIN\IIS_IUSRS didn't work either as I'm using Windows with German locale.
You don't need to use the SID, I wrote a program for work once which used "DOMAIN\GroupName" and it worked fine. Instead of:
var groupName = Environment.MachineName + #"\IIS_IUSRS";
Try:
var groupName = #".\IIS_IUSRS";
I want an application to create a folder and restrict users other than current and admins from accessing it.
As a result of the code below though current user loses access as well and cannot delete the folder.
string rootPath = Environment.GetEnvironmentVariable("TEMP");
var rootDirectory = new DirectoryInfo(rootPath);
DirectoryInfo subFolder = rootDirectory.CreateSubdirectory("SubFolder");
var directorySecurity = subFolder.GetAccessControl();
var adminitrators = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
directorySecurity.AddAccessRule(
new FileSystemAccessRule(
adminitrators,
FileSystemRights.FullControl,
InheritanceFlags.None,
PropagationFlags.NoPropagateInherit,
AccessControlType.Allow));
directorySecurity.AddAccessRule(
new FileSystemAccessRule(
WindowsIdentity.GetCurrent().Name,
FileSystemRights.FullControl,
InheritanceFlags.None,
PropagationFlags.NoPropagateInherit,
AccessControlType.Allow));
var everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
directorySecurity.AddAccessRule(
new FileSystemAccessRule(
everyone,
FileSystemRights.FullControl,
InheritanceFlags.None,
PropagationFlags.NoPropagateInherit,
AccessControlType.Deny));
subFolder.SetAccessControl(directorySecurity);
subFolder.Delete(true); // <-- System.UnauthorizedAccessException
Ok, so the full solution would be the following:
As #zerkms proposed we need to remove "Deny for all". That solves System.UnauthorizedAccessException thrown when current user tries to delete the folder.
As explained here use SetAccessRuleProtection to make sure permissions are not inherited from the parent folder.
string rootPath = Environment.GetEnvironmentVariable("TEMP");
var rootDirectory = new DirectoryInfo(rootPath);
DirectoryInfo subFolder = rootDirectory.CreateSubdirectory("SubFolder");
var directorySecurity = subFolder.GetAccessControl();
var adminitrators = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
directorySecurity.AddAccessRule(
new FileSystemAccessRule(
adminitrators,
FileSystemRights.FullControl,
InheritanceFlags.None,
PropagationFlags.NoPropagateInherit,
AccessControlType.Allow));
directorySecurity.AddAccessRule(
new FileSystemAccessRule(
WindowsIdentity.GetCurrent().Name,
FileSystemRights.FullControl,
InheritanceFlags.None,
PropagationFlags.NoPropagateInherit,
AccessControlType.Allow));
directorySecurity.SetAccessRuleProtection(isProtected: true, preserveInheritance: false);
subFolder.SetAccessControl(directorySecurity);
The explicit deny rule is redundant in this case.
What is not allowed is denied by default, so just remove the last deny for all rule and you're fine.
I am trying to set program's installation folder permissions restricted only to Administrators.
There are two scenarios: the folder needs creation and folder already exists.
Here is my code:
public static void CreatePrivateFolder(string path)
{
SecurityIdentifier sid = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
DirectorySecurity securityRules = new DirectorySecurity();
FileSystemAccessRule fsRule =
new FileSystemAccessRule(sid, FileSystemRights.FullControl,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None, AccessControlType.Allow);
securityRules.SetAccessRule(fsRule);
if (Directory.Exists(path))
{
Directory.SetAccessControl(path, securityRules);
}
else
{
Directory.CreateDirectory(path, securityRules);
}
}
When the folder needs creation, the CreateDirectory works fine, the folder's permissions restricted only to Administrators.
The strange thing is when I am re-run this code and flow to SetAccessControl - the folder's permissions being reset to regular folder with no restricted access.
What do I'm doing wrong?
Folder security results (for path c:\\folderCheck) :
Update
anrei solution answering my question.
However, it seem to be the same problem in a different way:
If the folder already exists with unrestricted permissions, anrei's code don't seem to be work.
The folder's permissions remain unrestricted.
Thanks!
Use this instead of your if (Directory.Exists(path)) block.
// what is
var existingACL = Directory.GetAccessControl(path);
// remove everything from what is
foreach (FileSystemAccessRule rule in existingACL.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)))
existingACL.RemoveAccessRuleAll(rule);
// add yours to what is
existingACL.AddAccessRule (fsRule);
// set again
Directory.SetAccessControl(path, existingACL);
I'm writing a DLL to change permissions on a folder and everything underneath the folder. Below is the code that I have right now.
The problem comes when I call addPermissions(). It's correctly setting the permissions on the dirName folder and any folder that I later create under dirName, but any folder that exists when I add permissions doesn't get the additional permissions.
Do I need to recursively set the permissions on all child folders? Or is there a way to do this with a line or two of code?
public class Permissions
{
public void addPermissions(string dirName, string username)
{
changePermissions(dirName, username, AccessControlType.Allow);
}
public void revokePermissions(string dirName, string username)
{
changePermissions(dirName, username, AccessControlType.Deny);
}
private void changePermissions(string dirName, string username, AccessControlType newPermission)
{
DirectoryInfo myDirectoryInfo = new DirectoryInfo(dirName);
DirectorySecurity myDirectorySecurity = myDirectoryInfo.GetAccessControl();
string user = System.Environment.UserDomainName + "\\" + username;
myDirectorySecurity.AddAccessRule(new FileSystemAccessRule(
user,
FileSystemRights.Read | FileSystemRights.Write | FileSystemRights.ExecuteFile | FileSystemRights.Delete,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.InheritOnly,
newPermission
));
myDirectoryInfo.SetAccessControl(myDirectorySecurity);
}
}
This question is old but I was looking for the same thing and found a solution:
var dirInfo = new DirectoryInfo(dirName);
var dirSecurity = dirInfo.GetAccessControl();
// Add the DirectorySystemAccessRule to the security settings.
dirSecurity.AddAccessRule(new FileSystemAccessRule(
account,
rights,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow));
// Set the new access settings.
dirInfo.SetAccessControl(dirSecurity);
greetings
You have to do it recursively. You can specify inheritance rules for new folders/files but for existing you have to do it yourself.