/// <summary>
/// InternalUpdateDirectoryACLs method implementation
/// </summary>
internal static void InternalUpdateDirectoryACLs(string fulldir)
{
if (!Loaded)
{
Initialize();
}
bool mustsave = false;
DirectorySecurity fSecurity = Directory.GetAccessControl(fulldir, AccessControlSections.Access);
SecurityIdentifier localacc = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
fSecurity.PurgeAccessRules(localacc);
fSecurity.AddAccessRule(new FileSystemAccessRule(localacc, FileSystemRights.FullControl, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow));
fSecurity.AddAccessRule(new FileSystemAccessRule(localacc, FileSystemRights.FullControl, InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow));
fSecurity.AddAccessRule(new FileSystemAccessRule(localacc, FileSystemRights.FullControl, InheritanceFlags.ContainerInherit, PropagationFlags.InheritOnly, AccessControlType.Allow));
if (ADFSDomainAdminServiceAdministrationAllowed)
{
SecurityIdentifier domainacc = new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, null);
fSecurity.PurgeAccessRules(domainacc);
fSecurity.AddAccessRule(new FileSystemAccessRule(domainacc, FileSystemRights.FullControl, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow));
fSecurity.AddAccessRule(new FileSystemAccessRule(domainacc, FileSystemRights.FullControl, InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow));
fSecurity.AddAccessRule(new FileSystemAccessRule(domainacc, FileSystemRights.FullControl, InheritanceFlags.ContainerInherit, PropagationFlags.InheritOnly, AccessControlType.Allow));
}
if (!string.IsNullOrEmpty(ADFSAdminGroupSID))
{
SecurityIdentifier adfsgroup = new SecurityIdentifier(ADFSAdminGroupSID);
fSecurity.PurgeAccessRules(adfsgroup);
fSecurity.AddAccessRule(new FileSystemAccessRule(adfsgroup, FileSystemRights.FullControl, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow));
fSecurity.AddAccessRule(new FileSystemAccessRule(adfsgroup, FileSystemRights.FullControl, InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow));
fSecurity.AddAccessRule(new FileSystemAccessRule(adfsgroup, FileSystemRights.FullControl, InheritanceFlags.ContainerInherit, PropagationFlags.InheritOnly, AccessControlType.Allow));
mustsave = true;
}
if (!string.IsNullOrEmpty(ADFSAccountSID))
{
SecurityIdentifier adfsaccount = new SecurityIdentifier(ADFSAccountSID);
fSecurity.PurgeAccessRules(adfsaccount);
fSecurity.AddAccessRule(new FileSystemAccessRule(adfsaccount, FileSystemRights.FullControl, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow));
fSecurity.AddAccessRule(new FileSystemAccessRule(adfsaccount, FileSystemRights.FullControl, InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow));
fSecurity.AddAccessRule(new FileSystemAccessRule(adfsaccount, FileSystemRights.FullControl, InheritanceFlags.ContainerInherit, PropagationFlags.InheritOnly, AccessControlType.Allow));
mustsave = true;
}
if (mustsave)
{
Directory.SetAccessControl(fulldir, fSecurity);
}
}
public void CanDeleteFileWithDenyACL()
{
string file = GetFullPath("File with space");
string directory = Path.GetDirectoryName(file);
File.WriteAllText(file, string.Empty);
try
{
FileInfo fi = new FileInfo(file);
FileSecurity accessControl = fi.GetAccessControl(AccessControlSections.All);
accessControl.PurgeAccessRules(WindowsIdentity.GetCurrent().User);
accessControl.AddAccessRule(new FileSystemAccessRule(WindowsIdentity.GetCurrent().User, FileSystemRights.FullControl, AccessControlType.Deny));
fi.SetAccessControl(accessControl);
DirectoryInfo di = new DirectoryInfo(directory);
DirectorySecurity ds = di.GetAccessControl(AccessControlSections.All);
ds.PurgeAccessRules(WindowsIdentity.GetCurrent().User);
ds.AddAccessRule(new FileSystemAccessRule(WindowsIdentity.GetCurrent().User, FileSystemRights.CreateFiles, AccessControlType.Deny));
di.SetAccessControl(ds);
XAssert.IsTrue(File.Exists(file));
FileUtilities.DeleteFile(file);
XAssert.IsFalse(File.Exists(file));
}
finally
{
DirectoryInfo di = new DirectoryInfo(directory);
DirectorySecurity ds = di.GetAccessControl(AccessControlSections.All);
ds.PurgeAccessRules(WindowsIdentity.GetCurrent().User);
ds.AddAccessRule(new FileSystemAccessRule(WindowsIdentity.GetCurrent().User, FileSystemRights.FullControl, AccessControlType.Allow));
di.SetAccessControl(ds);
di.Delete(true);
}
}
/// <summary>
/// Remove all user permissions from folder.
/// </summary>
/// If the user with name `username` exists, it will be preserved.
/// <param name="fullPath">Full path to the folder on which to remove
/// all user permissions.</param>
/// <param name="username">Name of the user that will keep the
/// permissions.</param>
public static void RemovePermissionsForAllUsersButOne(string fullPath, string username)
{
// Is the function being run by an administrator?
if (!LocalUserManager.IsAdministrator())
{
// Inform
const string msg = "This method must be run by an administrator.";
sLogger.Error(msg);
throw new InvalidOperationException(msg);
}
DirectoryInfo dirinfo = new DirectoryInfo(fullPath);
DirectorySecurity dsec = dirinfo.GetAccessControl(AccessControlSections.All);
AuthorizationRuleCollection rules =
dsec.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
foreach (AccessRule rule in rules)
{
if (rule.IdentityReference.Value != username)
{
dsec.PurgeAccessRules(rule.IdentityReference);
dsec.ModifyAccessRule(AccessControlModification.RemoveAll, rule, out bool value);
// Inform
sLogger.Info("Removed permission from '" + fullPath + "' for '" + username + "'.");
}
}
}
public static void SetAccessDirectory(string dirPath)
{
if (!Directory.Exists(dirPath))
{
Directory.CreateDirectory(dirPath);
}
// Pega a segurança atual da pasta
DirectorySecurity oDirSec = Directory.GetAccessControl(dirPath);
// Define o usuário Everyone (Todos)
SecurityIdentifier sid = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
//SecurityIdentifier sid = new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null);
NTAccount oAccount = sid.Translate(typeof(NTAccount)) as NTAccount;
oDirSec.PurgeAccessRules(oAccount);
FileSystemAccessRule fsAR = new FileSystemAccessRule(oAccount,
FileSystemRights.Modify,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow);
// Atribui a regra de acesso alterada
oDirSec.SetAccessRule(fsAR);
Directory.SetAccessControl(dirPath, oDirSec);
}
/// <summary>
/// Reverts changes made by <see cref="AddNetworkPermissions"/>.
/// </summary>
protected void RemoveNetworkPermissions()
{
DirectoryInfo dirInfo = new DirectoryInfo(ServiceHelper.ServiceDir);
DirectorySecurity dirSecurity = dirInfo.GetAccessControl();
dirSecurity.PurgeAccessRules(_networkServiceId);
dirInfo.SetAccessControl(dirSecurity);
}
public void SetAclDirectory(string path, FileSystemRights rights)
{
if (path is null)
{
throw new ArgumentNullException(nameof(path));
}
try {
Console.WriteLine((InstallMode == InstallMode.Install ? "# set acl on directory: " : "# remove acl on directory: ") + path);
if (InstallMode == InstallMode.Install)
{
CreatePath(path);
DirectorySecurity acl = Directory.GetAccessControl(path);
acl.SetAccessRule(new FileSystemAccessRule(AccountIdentity,
rights,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow));
Directory.SetAccessControl(path, acl);
}
else
{
if (Directory.Exists(path))
{
DirectorySecurity acl = Directory.GetAccessControl(path);
acl.PurgeAccessRules(AccountIdentity);
Directory.SetAccessControl(path, acl);
}
}
}
catch (Exception err) {
if (err is DirectoryNotFoundException)
{
err = new DirectoryNotFoundException("Directory not found.");
}
err = new InstallerException((InstallMode == InstallMode.Install ? "SetAclDirectory('" + path + "') failed." : "RemoveAclDirectory('" + path + "') failed."), err);
if (InstallMode == InstallMode.Install)
{
throw err;
}
else
{
DisplayError(err);
}
}
}
private static Task CreateKeyDirectoryAsync(DirectoryInfo keyDir)
{
return(Task.Factory.StartNew(() => {
var identity = new NTAccount(Environment.UserDomainName,
Environment.UserName);
var security = new DirectorySecurity();
security.PurgeAccessRules(identity);
security.AddAccessRule(new FileSystemAccessRule(identity,
FileSystemRights.Read, AccessControlType.Allow));
security.AddAccessRule(new FileSystemAccessRule(identity,
FileSystemRights.Write, AccessControlType.Allow));
security.AddAccessRule(new FileSystemAccessRule(identity,
FileSystemRights.Modify, AccessControlType.Allow));
keyDir.Create(security);
}));
}
/// <summary>
///
/// </summary>
/// <param name="Path">Directory path</param>
/// <param name="Name">Directory Name</param>
/// <param name="Username">Username</param>
/// <return>True or False</return>
public static void RemovePermissions(String Path, String Name, String Username)
{
String strDirectory = BuildDirectory(Path, Name);
DirectoryInfo dirinfo = new DirectoryInfo(strDirectory);
DirectorySecurity dsec = dirinfo.GetAccessControl(AccessControlSections.All);
AuthorizationRuleCollection rules = dsec.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
foreach (AccessRule rule in rules)
{
if (rule.IdentityReference.Value == Username)
{
bool value;
dsec.PurgeAccessRules(rule.IdentityReference);
dsec.ModifyAccessRule(AccessControlModification.RemoveAll, rule, out value);
dirinfo.SetAccessControl(dsec);
}
}
}
/// <summary>
/// 为文件夹移除某个用户的权限
/// </summary>
/// <param name="dirName"></param>
/// <param name="username"></param>
static void removePermissions(string dirName, string username)
{
string user = System.Environment.UserDomainName + "\\" + username;
DirectoryInfo dirinfo = new DirectoryInfo(dirName);
DirectorySecurity dsec = dirinfo.GetAccessControl(AccessControlSections.All);
AuthorizationRuleCollection rules = dsec.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
foreach (AccessRule rule in rules)
{
if (rule.IdentityReference.Value == user)
{
bool value;
dsec.PurgeAccessRules(rule.IdentityReference);
dsec.ModifyAccessRule(AccessControlModification.RemoveAll, rule, out value);
}
}
}
/// <summary>
/// コピー元でアクセス権の継承が切られている場合、コピー先で継承によって追加されいるアクセス権を削除する
/// </summary>
/// <param name="src_dir">移管元ディレクトリ</param>
/// <param name="dst_dir">移管先ディレクトリ</param>
/// <returns></returns>
private static DirectorySecurity authority_triming(DirectoryInfo src_dir, DirectoryInfo dst_dir)
{
try
{
DirectorySecurity src_dir_security = src_dir.GetAccessControl(); // 移管元のアクセス権取得
DirectorySecurity dst_dir_security = dst_dir.GetAccessControl(); // 移管先のアクセス権取得
Func <string, string> get_account_name = (string identity_reference) =>
{
int cat_pint = identity_reference.LastIndexOf('\\') + 1;
return(identity_reference.Substring(cat_pint));
};
dst_dir_security.SetAccessRuleProtection(src_dir_security.AreAccessRulesProtected, src_dir_security.AreAccessRulesCanonical); // ディレクトリのアクセス権の継承に関しての設定
dst_dir.SetAccessControl(dst_dir_security); // 継承権の設定
dst_dir_security = dst_dir.GetAccessControl(); // 継承権の再設定を行なったので、オブジェクトを再取得
foreach (FileSystemAccessRule dst_rules in dst_dir_security.GetAccessRules(true, true, typeof(NTAccount)))
{
string dst_account_name = get_account_name(dst_rules.IdentityReference.ToString());
bool chek_flg = true;
foreach (FileSystemAccessRule src_rules in src_dir_security.GetAccessRules(true, true, typeof(NTAccount)))
{
string src_account_name = get_account_name(src_rules.IdentityReference.ToString());
if (dst_account_name.Equals(src_account_name))
{
chek_flg = false;
break;
}
}
if (chek_flg)
{
dst_dir_security.PurgeAccessRules(dst_rules.IdentityReference);
}
}
dst_dir.SetAccessControl(dst_dir_security); // アクセス権の設定
return(dst_dir_security);
}
catch (Exception e)
{
loger_manager.write_log($"適応先:\t{dst_dir.FullName}\t{e.Message}", "error");
return(null);
}
}
/// <summary>
/// 项目中用,文件夹只保留everyone权限,其中允许用户读,但不允许写
/// by the way,代码结果是给文件夹一个特殊权限,点进去高级看,会发现这个特殊权限的子项和写入权限的子项是一样的
/// </summary>
/// <param name="dirName"></param>
public static void OnlyKeepEveryonePermissionsWithWriteNotAllowed(string dirName)
{
DirectoryInfo dirinfo = new DirectoryInfo(dirName);
DirectorySecurity objSecObj = dirinfo.GetAccessControl();
AuthorizationRuleCollection acl = objSecObj.GetAccessRules(true, true,
typeof(System.Security.Principal.NTAccount));
objSecObj.SetAccessRuleProtection(true, false); //to remove inherited permissions
foreach (FileSystemAccessRule ace in acl) //to remove any other permission
{
objSecObj.PurgeAccessRules(ace.IdentityReference); //same as use objSecObj.RemoveAccessRuleSpecific(ace);
}
InheritanceFlags inherits = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;
FileSystemAccessRule everyoneFileSystemAccessRule = new FileSystemAccessRule("Everyone", FileSystemRights.ReadAndExecute | FileSystemRights.ListDirectory | FileSystemRights.Read, inherits, PropagationFlags.None, AccessControlType.Allow);
FileSystemAccessRule everyoneFileSystemAccessRule2 = new FileSystemAccessRule("Everyone", FileSystemRights.Write, AccessControlType.Deny);
bool isModified = false;
objSecObj.ModifyAccessRule(AccessControlModification.Add, everyoneFileSystemAccessRule2, out isModified);
objSecObj.ModifyAccessRule(AccessControlModification.Add, everyoneFileSystemAccessRule, out isModified);
dirinfo.SetAccessControl(objSecObj);
}
public static void LockFolder(string folderPath)
{
if (!Directory.Exists(folderPath))
{
return;
}
DirectoryInfo di = new DirectoryInfo(folderPath);
di.Attributes = FileAttributes.Directory | FileAttributes.Hidden;
DirectorySecurity ds = Directory.GetAccessControl(folderPath);
ds.SetAccessRuleProtection(isProtected: true, preserveInheritance: false);
FileSystemAccessRule fsa = new FileSystemAccessRule("IIS_IUSRS", FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow);
ds.AddAccessRule(fsa);
var lsAccess = ds.GetAccessRules(true, true, typeof(NTAccount));
foreach (FileSystemAccessRule fsar in lsAccess)
{
string userName = fsar.IdentityReference.Value;
if (!userName.Contains("IIS_IUSRS"))
{
ds.PurgeAccessRules(fsar.IdentityReference);
}
//ds.RemoveAccessRule(fsar);
}
//FileSystemAccessRule fsa2 = new FileSystemAccessRule("Everyone", FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow);
//ds.RemoveAccessRule(fsa2);
Directory.SetAccessControl(folderPath, ds);
}
public void OnTimer(object sender, System.Timers.ElapsedEventArgs args)
{
// TODO: Insert monitoring activities here.
eventLog1.WriteEntry("Monitoring the System", EventLogEntryType.Information, eventId++);
string caminho = @"D:\inetpub\";
foreach (string pastaCliente in Directory.GetDirectories(caminho))
{
foreach (string pastasInterna in Directory.GetDirectories(pastaCliente))
{
if (pastasInterna.Remove(0, pastaCliente.Length).ToLower() == @"\imagens")
{
// Dar permissão a pasta
// Create a new DirectoryInfo object.
DirectoryInfo dInfo = new DirectoryInfo(pastasInterna);
DirectorySecurity oDirSec = Directory.GetAccessControl(pastasInterna);
// Define o usuário Everyone (Todos)
SecurityIdentifier sid = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
//SecurityIdentifier sid = new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null);
NTAccount oAccount = sid.Translate(typeof(NTAccount)) as NTAccount;
oDirSec.PurgeAccessRules(oAccount);
FileSystemAccessRule fsAR = new FileSystemAccessRule("IIS_IUSRS",
FileSystemRights.Modify,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow);
// Atribui a regra de acesso alterada
oDirSec.SetAccessRule(fsAR);
Directory.SetAccessControl(pastasInterna, oDirSec);
// USUARIO IUSR
fsAR = new FileSystemAccessRule("IUSR",
FileSystemRights.Modify,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow);
// Atribui a regra de acesso alterada
oDirSec.SetAccessRule(fsAR);
Directory.SetAccessControl(pastasInterna, oDirSec);
eventLog1.WriteEntry(oDirSec.ToString(), EventLogEntryType.Information);
/*
* // Get a DirectorySecurity object that represents the
* // current security settings.
* DirectorySecurity dSecurity = dInfo.GetAccessControl();
*
* // Add the FileSystemAccessRule to the security settings.
* dSecurity.AddAccessRule(new FileSystemAccessRule(@"WIN10-EWERTON\Usuários",
* FileSystemRights.FullControl,
* AccessControlType.Allow));
*
*/
eventLog1.WriteEntry(pastasInterna.ToString() + " adicionado direito", EventLogEntryType.Information);
}
else
{
eventLog1.WriteEntry(pastasInterna.Remove(0, pastaCliente.Length).ToLower() + " Não é pasta imagem", EventLogEntryType.Information);
}
}
}
}
