public override void InitializeEnlistmentACLs(string enlistmentPath)
{
// The following permissions are typically present on deskop and missing on Server
//
// ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\Authenticated Users
// [OBJECT_INHERIT_ACE]
// [CONTAINER_INHERIT_ACE]
// [INHERIT_ONLY_ACE]
// DELETE
// GENERIC_EXECUTE
// GENERIC_WRITE
// GENERIC_READ
DirectorySecurity rootSecurity = Directory.GetAccessControl(enlistmentPath);
AccessRule authenticatedUsersAccessRule = rootSecurity.AccessRuleFactory(
new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null),
unchecked ((int)(NativeMethods.FileAccess.DELETE | NativeMethods.FileAccess.GENERIC_EXECUTE | NativeMethods.FileAccess.GENERIC_WRITE | NativeMethods.FileAccess.GENERIC_READ)),
true,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow);
// The return type of the AccessRuleFactory method is the base class, AccessRule, but the return value can be cast safely to the derived class.
// https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemsecurity.accessrulefactory(v=vs.110).aspx
rootSecurity.AddAccessRule((FileSystemAccessRule)authenticatedUsersAccessRule);
Directory.SetAccessControl(enlistmentPath, rootSecurity);
}
/// <summary>
/// Creates the specified directory (and its ancestors) if they do not
/// already exist.
///
/// If the specified directory does not exist this method:
///
/// - Creates the directory and its ancestors
/// - Adjusts the ACLs of 'directoryPath' (the ancestors' ACLs are not
/// modified).
/// </summary>
/// <returns>
/// - true if the directory already exists -or- the directory was successfully created
/// with the proper ACLS
/// - false otherwise
/// </returns>
/// <remarks>
/// The following permissions are typically present on deskop and missing on Server.
/// These are the permissions added by this method.
///
/// ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\Authenticated Users
/// [OBJECT_INHERIT_ACE]
/// [CONTAINER_INHERIT_ACE]
/// [INHERIT_ONLY_ACE]
/// DELETE
/// GENERIC_EXECUTE
/// GENERIC_WRITE
/// GENERIC_READ
/// </remarks>
public bool TryCreateDirectoryAccessibleByAuthUsers(string directoryPath, out string error, ITracer tracer = null)
{
if (Directory.Exists(directoryPath))
{
error = null;
return(true);
}
try
{
// Create the directory first and then adjust the ACLs as needed
Directory.CreateDirectory(directoryPath);
// Use AccessRuleFactory rather than creating a FileSystemAccessRule because the NativeMethods.FileAccess flags
// we're specifying are not valid for the FileSystemRights parameter of the FileSystemAccessRule constructor
DirectorySecurity directorySecurity = Directory.GetAccessControl(directoryPath);
AccessRule authenticatedUsersAccessRule = directorySecurity.AccessRuleFactory(
new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null),
unchecked ((int)(NativeMethods.FileAccess.DELETE | NativeMethods.FileAccess.GENERIC_EXECUTE | NativeMethods.FileAccess.GENERIC_WRITE | NativeMethods.FileAccess.GENERIC_READ)),
true,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow);
// The return type of the AccessRuleFactory method is the base class, AccessRule, but the return value can be cast safely to the derived class.
// https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemsecurity.accessrulefactory(v=vs.110).aspx
directorySecurity.AddAccessRule((FileSystemAccessRule)authenticatedUsersAccessRule);
Directory.SetAccessControl(directoryPath, directorySecurity);
}
catch (Exception e) when(e is IOException || e is UnauthorizedAccessException || e is SystemException)
{
if (tracer != null)
{
EventMetadata metadataData = new EventMetadata();
metadataData.Add("Exception", e.ToString());
metadataData.Add(nameof(directoryPath), directoryPath);
tracer.RelatedError(metadataData, $"{nameof(this.TryCreateDirectoryAccessibleByAuthUsers)}: Failed to create and configure directory");
}
error = e.Message;
return(false);
}
error = null;
return(true);
}
public bool TryCreateEnlistmentFolders()
{
try
{
Directory.CreateDirectory(this.EnlistmentRoot);
// The following permissions are typically present on deskop and missing on Server
//
// ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\Authenticated Users
// [OBJECT_INHERIT_ACE]
// [CONTAINER_INHERIT_ACE]
// [INHERIT_ONLY_ACE]
// DELETE
// GENERIC_EXECUTE
// GENERIC_WRITE
// GENERIC_READ
DirectorySecurity rootSecurity = Directory.GetAccessControl(this.EnlistmentRoot);
AccessRule authenticatedUsersAccessRule = rootSecurity.AccessRuleFactory(
new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null),
unchecked ((int)(NativeMethods.FileAccess.DELETE | NativeMethods.FileAccess.GENERIC_EXECUTE | NativeMethods.FileAccess.GENERIC_WRITE | NativeMethods.FileAccess.GENERIC_READ)),
true,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow);
// The return type of the AccessRuleFactory method is the base class, AccessRule, but the return value can be cast safely to the derived class.
// https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemsecurity.accessrulefactory(v=vs.110).aspx
rootSecurity.AddAccessRule((FileSystemAccessRule)authenticatedUsersAccessRule);
Directory.SetAccessControl(this.EnlistmentRoot, rootSecurity);
Directory.CreateDirectory(this.WorkingDirectoryRoot);
this.CreateHiddenDirectory(this.DotGVFSRoot);
}
catch (IOException)
{
return(false);
}
return(true);
}
/// <summary>
/// 移除 指定目录 指定用户的 权限
/// </summary>
/// <param name="DirectoryName"></param>
/// <param name="Account"></param>
public static void RemoveDirectoryAccountSecurity(string DirectoryName, string Account)
{
DirectoryInfo dInfo = new DirectoryInfo(DirectoryName);
if (dInfo.Exists)
{
System.Security.Principal.NTAccount myAccount = new System.Security.Principal.NTAccount(System.Environment.MachineName, Account);
DirectorySecurity dSecurity = dInfo.GetAccessControl();
FileSystemAccessRule AccessRule = new FileSystemAccessRule(Account, FileSystemRights.FullControl, AccessControlType.Allow);
FileSystemAccessRule AccessRule2 = new FileSystemAccessRule(Account, FileSystemRights.FullControl, AccessControlType.Deny);
InheritanceFlags iFlags = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;
PropagationFlags pFlags = PropagationFlags.InheritOnly | PropagationFlags.NoPropagateInherit;
dSecurity.AccessRuleFactory(myAccount, 983551, false, iFlags, pFlags, AccessControlType.Allow);
dSecurity.RemoveAccessRuleAll(AccessRule);
dSecurity.RemoveAccessRuleAll(AccessRule2);
dInfo.SetAccessControl(dSecurity);
}
}
