public static DirectorySecurity GetAccessControl(string path, AccessControlSections includeSections)
{
var normalizedPath = Path.NormalizeLongPath(Path.GetFullPath(path));
IntPtr sidOwner, sidGroup, dacl, sacl, byteArray;
var securityInfos = Common.ToSecurityInfos(includeSections);
var errorCode = (int)NativeMethods.GetSecurityInfoByName(normalizedPath,
(uint)ResourceType.FileObject,
(uint)securityInfos,
out sidOwner,
out sidGroup,
out dacl,
out sacl,
out byteArray);
Common.ThrowIfError(errorCode, byteArray);
var length = NativeMethods.GetSecurityDescriptorLength(byteArray);
var binaryForm = new byte[length];
Marshal.Copy(byteArray, binaryForm, 0, (int)length);
NativeMethods.LocalFree(byteArray);
var ds = new DirectorySecurity();
ds.SetSecurityDescriptorBinaryForm(binaryForm);
return(ds);
}
//http://www.west-wind.com/weblog/posts/4072.aspx
public void SetFileSystemRights(string target, string group, FileSystemRights permission, DeploymentResult r)
{
if (!IsDirectory(target) && !IsFile(target))
{
return;
}
var oldSecurity = Directory.GetAccessControl(target);
var newSecurity = new DirectorySecurity();
newSecurity.SetSecurityDescriptorBinaryForm(oldSecurity.GetSecurityDescriptorBinaryForm());
var accessRule = new FileSystemAccessRule(group,
permission,
InheritanceFlags.None,
PropagationFlags.NoPropagateInherit,
AccessControlType.Allow);
bool result;
newSecurity.ModifyAccessRule(AccessControlModification.Set, accessRule, out result);
if (!result)
{
r.AddError("Something wrong happened");
}
accessRule = new FileSystemAccessRule(group,
permission,
InheritanceFlags.ContainerInherit |
InheritanceFlags.ObjectInherit,
PropagationFlags.InheritOnly,
AccessControlType.Allow);
result = false;
newSecurity.ModifyAccessRule(AccessControlModification.Add, accessRule, out result);
if (!result)
{
r.AddError("Something wrong happened");
}
Directory.SetAccessControl(target, newSecurity);
if (result)
{
r.AddGood("Permissions set for '{0}' on folder '{1}'", group, target);
}
if (!result)
{
r.AddError("Something wrong happened");
}
}
private void SetSecurityDescriptor(string path, ObjectSecurity sd, AccessControlSections sections)
{
var currentPrivilegeState = new PlatformInvokes.TOKEN_PRIVILEGE();
byte[] securityDescriptorBinary = null;
try
{
// Get the binary form of the descriptor.
PlatformInvokes.EnableTokenPrivilege("SeBackupPrivilege", ref currentPrivilegeState);
securityDescriptorBinary = sd.GetSecurityDescriptorBinaryForm();
}
finally
{
PlatformInvokes.RestoreTokenPrivilege("SeBackupPrivilege", ref currentPrivilegeState);
}
try
{
PlatformInvokes.EnableTokenPrivilege("SeRestorePrivilege", ref currentPrivilegeState);
// Transfer it to the new file / directory.
// We keep these two code branches so that we can have more
// granular information when we ouput the object type via
// WriteSecurityDescriptorObject.
if (Directory.Exists(path))
{
DirectorySecurity newDescriptor = new DirectorySecurity();
newDescriptor.SetSecurityDescriptorBinaryForm(securityDescriptorBinary, sections);
new DirectoryInfo(path).SetAccessControl(newDescriptor);
WriteSecurityDescriptorObject(newDescriptor, path);
}
else
{
FileSecurity newDescriptor = new FileSecurity();
newDescriptor.SetSecurityDescriptorBinaryForm(securityDescriptorBinary, sections);
new FileInfo(path).SetAccessControl(newDescriptor);
WriteSecurityDescriptorObject(newDescriptor, path);
}
}
finally
{
PlatformInvokes.RestoreTokenPrivilege("SeRestorePrivilege", ref currentPrivilegeState);
}
}
/// <summary>
/// Gets the security information of specified handle from file system
/// </summary>
/// <param name="sidHandle">Handle to get file security information</param>
/// <returns><see cref="CommonObjectSecurity"/>Result</returns>
private CommonObjectSecurity ReceiveFileSystemSecurityInformation(out IntPtr sidHandle)
{
IntPtr zeroHandle = new IntPtr();
IntPtr pSecurityDescriptor = new IntPtr();
try
{
var namedSecInfoResult = Win32SafeNativeMethods.GetNamedSecurityInfo(PathInfo.FullNameUnc, Win32SecurityObjectType.SeFileObject,
Win32FileSystemEntrySecurityInformation.OwnerSecurityInformation | Win32FileSystemEntrySecurityInformation.DaclSecurityInformation,
out sidHandle, out zeroHandle, out zeroHandle, out zeroHandle, out pSecurityDescriptor);
var win32Error = Marshal.GetLastWin32Error();
// Cancel if call failed
if (namedSecInfoResult != 0)
{
Win32ErrorCodes.NativeExceptionMapping(PathInfo.FullName, win32Error);
}
var securityDescriptorLength = Win32SafeNativeMethods.GetSecurityDescriptorLength(pSecurityDescriptor);
var securityDescriptorDataArray = new byte[securityDescriptorLength];
Marshal.Copy(pSecurityDescriptor, securityDescriptorDataArray, 0, ( int )securityDescriptorLength);
CommonObjectSecurity securityInfo;
if (PathInfo.Attributes.Contains(FileAttributes.Directory))
{
securityInfo = new DirectorySecurity();
securityInfo.SetSecurityDescriptorBinaryForm(securityDescriptorDataArray);
}
else
{
securityInfo = new FileSecurity();
securityInfo.SetSecurityDescriptorBinaryForm(securityDescriptorDataArray);
}
return(securityInfo);
}
finally
{
Win32SafeNativeMethods.LocalFree(zeroHandle);
Win32SafeNativeMethods.LocalFree(pSecurityDescriptor);
}
}
public void TestAccessDenied()
{
string child2 = Path.Combine(TestFolder, @"child1\child2");
DirectorySecurity acl = Directory.GetAccessControl(child2);
byte[] original = acl.GetSecurityDescriptorBinaryForm();
acl.AddAccessRule(
new FileSystemAccessRule(
new SecurityIdentifier(WellKnownSidType.WorldSid, null),
FileSystemRights.ListDirectory,
AccessControlType.Deny)
);
Directory.SetAccessControl(child2, acl);
try
{
//By default it ignores AccessDenied
FindFile ff = new FindFile(child2, "*", false, false);
ff.FileFound += (o, e) => Assert.Fail("Should not find a file");
ff.Find();
//Now raise the AccessDenied
ff.RaiseOnAccessDenied = true;
try
{
ff.Find();
Assert.Fail("Should throw Access Denied.");
}
catch (System.ComponentModel.Win32Exception we)
{ Assert.AreEqual(5, we.NativeErrorCode); }
}
finally
{
acl.SetSecurityDescriptorBinaryForm(original, AccessControlSections.All);
Directory.SetAccessControl(child2, acl);
}
}
public override Int32 Create(
String FileName,
UInt32 CreateOptions,
UInt32 GrantedAccess,
UInt32 FileAttributes,
Byte[] SecurityDescriptor,
UInt64 AllocationSize,
out Object FileNode,
out Object FileDesc0,
out FileInfo FileInfo,
out String NormalizedName)
{
FileDesc FileDesc = null;
try
{
FileName = ConcatPath(FileName);
if (0 == (CreateOptions & FILE_DIRECTORY_FILE))
{
FileSecurity Security = null;
if (null != SecurityDescriptor)
{
Security = new FileSecurity();
Security.SetSecurityDescriptorBinaryForm(SecurityDescriptor);
}
FileDesc = new FileDesc(
new FileStream(
FileName,
FileMode.CreateNew,
(FileSystemRights)GrantedAccess | FileSystemRights.WriteAttributes,
FileShare.Read | FileShare.Write | FileShare.Delete,
4096,
0,
Security));
FileDesc.SetFileAttributes(FileAttributes | (UInt32)System.IO.FileAttributes.Archive);
}
else
{
if (Directory.Exists(FileName))
{
ThrowIoExceptionWithNtStatus(STATUS_OBJECT_NAME_COLLISION);
}
DirectorySecurity Security = null;
if (null != SecurityDescriptor)
{
Security = new DirectorySecurity();
Security.SetSecurityDescriptorBinaryForm(SecurityDescriptor);
}
FileDesc = new FileDesc(
Directory.CreateDirectory(FileName, Security));
FileDesc.SetFileAttributes(FileAttributes);
}
FileNode = default(Object);
FileDesc0 = FileDesc;
NormalizedName = default(String);
return(FileDesc.GetFileInfo(out FileInfo));
}
catch
{
if (null != FileDesc && null != FileDesc.Stream)
{
FileDesc.Stream.Dispose();
}
throw;
}
}
public override Int32 Create(
String fileName,
UInt32 createOptions,
UInt32 grantedAccess,
UInt32 fileAttributes,
Byte[] securityDescriptor,
UInt64 allocationSize,
out Object fileNode,
out Object fileDesc0,
out FileInfo fileInfo,
out String normalizedName)
{
fileNode = default(Object);
normalizedName = default(String);
FileDescriptor fileDesc = null;
try
{
var path = GetWritePath(fileName);
// directory or file?
if (0 == (createOptions & FILE_DIRECTORY_FILE))
{
// file
FileSecurity Security = null;
if (null != securityDescriptor)
{
Security = new FileSecurity();
Security.SetSecurityDescriptorBinaryForm(securityDescriptor);
}
fileDesc = new FileDescriptor(fileName,
new FileStream(
path,
FileMode.CreateNew,
(FileSystemRights)grantedAccess | FileSystemRights.WriteAttributes,
FileShare.Read | FileShare.Write | FileShare.Delete,
4096,
0,
Security), true);
fileDesc.SetFileAttributes(fileAttributes | (UInt32)System.IO.FileAttributes.Archive);
}
else
{
// directory
if (Directory.Exists(path))
{
Utils.ThrowIoExceptionWithNtStatus(STATUS_OBJECT_NAME_COLLISION);
}
DirectorySecurity Security = null;
if (null != securityDescriptor)
{
Security = new DirectorySecurity();
Security.SetSecurityDescriptorBinaryForm(securityDescriptor);
}
fileDesc = new FileDescriptor(fileName, Directory.CreateDirectory(path, Security), true);
fileDesc.SetFileAttributes(fileAttributes);
}
// assign the file descriptor
fileDesc0 = fileDesc;
return(fileDesc.GetFileInfo(out fileInfo));
}
catch
{
if (null != fileDesc)
{
fileDesc.Dispose();
}
throw;
}
}
