private void SetFolderPermissionBySid(string path, string account, NtfsPermission permission)
        {
            // Creates the folder if it does not exist yet, then grants 'permission' on it to
            // 'account'. The value is handed straight to GrantNtfsPermissionsBySid, whose parameter
            // is named sid, so a SID string rather than a display name is expected here.
            // Inheritance from the parent and preservation of other trustees' explicit ACEs are
            // both enabled. Any failure is logged as "Security error" and NOT propagated, so a
            // caller cannot distinguish a successful grant from a failed one.
            try
            {
                bool folderMissing = !FileUtils.DirectoryExists(path);
                if (folderMissing)
                {
                    FileUtils.CreateDirectory(path);
                    Log.WriteInfo(string.Format("Created {0} folder", path));
                }

                string startMessage = string.Format("Setting '{0}' permission for '{1}' folder for '{2}' account", permission, path, account);
                Log.WriteStart(startMessage);
                SecurityUtils.GrantNtfsPermissionsBySid(path, account, permission, true, true);
                Log.WriteEnd("Set security permissions");
            }
            catch (Exception error)
            {
                // a thread abort is not a security failure; it is deliberately left unlogged
                if (!Utils.IsThreadAbortException(error))
                {
                    Log.WriteError("Security error", error);
                }
            }
        }
		private void SetFolderPermissionBySid(string path, string account, NtfsPermission permission)
		{
			// Ensures the folder exists and grants 'permission' on it to 'account' (passed on as the
			// sid argument of GrantNtfsPermissionsBySid, so a SID string is expected). Parent
			// inheritance stays on and existing explicit ACEs of other trustees are preserved.
			// Errors are only logged ("Security error"); nothing is thrown back to the caller, who
			// therefore cannot tell whether the grant actually took effect.
			try
			{
				if (!FileUtils.DirectoryExists(path))
				{
					FileUtils.CreateDirectory(path);
					Log.WriteInfo(string.Format("Created {0} folder", path));
				}

				Log.WriteStart(string.Format("Setting '{0}' permission for '{1}' folder for '{2}' account", permission, path, account));
				SecurityUtils.GrantNtfsPermissionsBySid(path, account, permission, true, true);
				Log.WriteEnd("Set security permissions");
			}
			catch (Exception caught)
			{
				bool isThreadAbort = Utils.IsThreadAbortException(caught);
				if (isThreadAbort)
				{
					// not a security failure; do not log
					return;
				}

				Log.WriteError("Security error", caught);
			}
		}
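        /// <summary>
        /// Grants NTFS permissions on the folder <paramref name="path"/> to the trustee identified by
        /// <paramref name="sid"/> by rebuilding the folder's DACL through WMI
        /// (Win32_LogicalFileSecuritySetting / SetSecurityDescriptor). Only "Allow" ACEs are written:
        /// the method cannot add "Deny" entries.
        /// </summary>
        /// <param name="path">Folder to secure. One trailing backslash is stripped. The value is embedded in
        /// a WMI object path without any escaping, so it must not be attacker-controlled: a quote character
        /// in the path yields a malformed or different object path.</param>
        /// <param name="sid">SID string of the trustee. Existing ACEs whose trustee SID equals this value
        /// (ordinal, case-insensitive) are dropped and replaced by the ACE(s) built here.</param>
        /// <param name="permissions">Flags to grant. Note that <c>Write</c> also carries DELETE (0x10000) and
        /// FILE_DELETE_CHILD (0x40), i.e. it is broader than the Explorer "Write" preset.</param>
        /// <param name="inheritParentPermissions">False sets SE_DACL_PROTECTED, so ACEs inherited from the
        /// parent stop applying. Inherited ACEs are never copied explicitly in either case.</param>
        /// <param name="preserveOriginalPermissions">True copies the explicit (non-inherited) ACEs of other
        /// trustees into the new DACL; false writes a DACL containing only the ACE(s) created here, which
        /// removes every other trustee's explicit access (only inherited ACEs, if inheritance stays on,
        /// continue to apply).</param>
        /// <exception cref="ArgumentNullException"><paramref name="path"/> or <paramref name="sid"/> is null.</exception>
        /// <exception cref="InvalidOperationException">SetSecurityDescriptor returned a non-zero code, i.e.
        /// the new DACL was not applied.</exception>
        internal static void GrantNtfsPermissionsBySid(string path, string sid,
                                                       NtfsPermission permissions, bool inheritParentPermissions, bool preserveOriginalPermissions)
        {
            if (path == null)
            {
                throw new ArgumentNullException("path");
            }
            if (sid == null)
            {
                throw new ArgumentNullException("sid");
            }

            // Win32_SecurityDescriptor.ControlFlags (SECURITY_DESCRIPTOR_CONTROL bits):
            //   0x8404 (33796) = SE_SELF_RELATIVE | SE_DACL_AUTO_INHERITED | SE_DACL_PRESENT
            //   0x9404 (37892) = the same plus SE_DACL_PROTECTED, which blocks inheritance from the parent
            const uint ControlFlagsInherited = 0x8404;
            const uint ControlFlagsProtected = 0x9404;

            // remove trailing slash if any (ordinal: this is a path, not linguistic text)
            // NOTE(review): a drive root such as "C:\" becomes "C:" here - confirm that is intended.
            if (path.EndsWith("\\", StringComparison.Ordinal))
            {
                path = path.Substring(0, path.Length - 1);
            }

            // get security settings; 'using' guarantees the WMI object is released even when a
            // later InvokeMethod throws (the original only disposed it on the success path)
            using (ManagementObject logicalFileSecuritySetting = wmi.GetObject(String.Format(
                       "Win32_LogicalFileSecuritySetting.Path='{0}'", path)))
            {
                // get original security descriptor
                ManagementBaseObject getOutParams       = logicalFileSecuritySetting.InvokeMethod("GetSecurityDescriptor", null, null);
                ManagementBaseObject originalDescriptor = ((ManagementBaseObject)(getOutParams.Properties["Descriptor"].Value));

                // create new descriptor
                ManagementBaseObject descriptor = wmi.GetClass("Win32_SecurityDescriptor").CreateInstance();

                descriptor.Properties["ControlFlags"].Value = inheritParentPermissions ? ControlFlagsInherited : ControlFlagsProtected;

                // get original ACEs
                ManagementBaseObject[] originalAces = ((ManagementBaseObject[])(originalDescriptor.Properties["DACL"].Value));

                // create a new ACEs list
                List<ManagementBaseObject> aces = new List<ManagementBaseObject>();

                // copy original ACEs if required
                if (preserveOriginalPermissions)
                {
                    foreach (ManagementBaseObject originalAce in originalAces)
                    {
                        // skip inherited ACEs (the OS re-applies them when inheritance is on) and
                        // any explicit ACE already held by this trustee (it is replaced below)
                        ManagementBaseObject objTrustee = (ManagementBaseObject)originalAce.Properties["Trustee"].Value;
                        string trusteeSid   = (string)objTrustee.Properties["SIDString"].Value;
                        bool   inheritedAce = ((AceFlags)originalAce.Properties["AceFlags"].Value & AceFlags.INHERITED_ACE) > 0;
                        bool   sameTrustee  = String.Equals(trusteeSid, sid, StringComparison.OrdinalIgnoreCase);
                        if (!sameTrustee && !inheritedAce)
                        {
                            aces.Add(originalAce);
                        }
                    }
                }

                // create new trustee object
                ManagementObject trustee = GetTrustee(sid);

                // system access mask (FILE_* and standard rights bits)
                uint mask = 0;

                if ((permissions & NtfsPermission.FullControl) > 0)
                {
                    mask |= 0x1f01ff;                   // FILE_ALL_ACCESS
                }
                if ((permissions & NtfsPermission.Modify) > 0)
                {
                    mask |= 0x1301bf;                   // Explorer "Modify" preset
                }
                if ((permissions & NtfsPermission.Write) > 0)
                {
                    // 0x100116 = write data / append / write EA / write attributes + SYNCHRONIZE;
                    // 0x10000 = DELETE, 0x40 = FILE_DELETE_CHILD. Broader than the Explorer "Write"
                    // preset, which grants neither delete right - callers relying on this are why it stays.
                    mask |= 0x100116 | 0x10000 | 0x40;
                }
                if ((permissions & NtfsPermission.Read) > 0)
                {
                    mask |= 0x120089;                   // FILE_GENERIC_READ
                }

                // FILE_TRAVERSE (folders) and FILE_EXECUTE (files) share the same access bit, so
                // "List folder contents" and "Execute" can only be granted independently by
                // splitting the grant into a folder-only ACE and a file-only ACE.
                bool executeEnabled = ((permissions & NtfsPermission.Execute) > 0);
                bool listEnabled    = ((permissions & NtfsPermission.ListFolderContents) > 0);

                bool equalState = (executeEnabled == listEnabled);

                // create and add to be modified ACE
                ManagementObject ace;

                if (equalState ||
                    (permissions & NtfsPermission.FullControl) > 0 ||
                    (permissions & NtfsPermission.Modify) > 0)                 // both "Execute" and "List" enabled or disabled
                {
                    if ((permissions & NtfsPermission.Execute) > 0)
                    {
                        mask |= (uint)SystemAccessMask.FILE_TRAVERSE;
                    }

                    // one ACE applying to this folder, its subfolders and its files
                    ace               = wmi.GetClass("Win32_Ace").CreateInstance();
                    ace["Trustee"]    = trustee;
                    ace["AceFlags"]   = AceFlags.OBJECT_INHERIT_ACE | AceFlags.CONTAINER_INHERIT_ACE;
                    ace["AceType"]    = 0;              // ACCESS_ALLOWED_ACE_TYPE
                    ace["AccessMask"] = mask;
                    aces.Add(ace);
                }
                else             // either "Execute" or "List" enabled or disabled
                {
                    // we should place a separate permissions for folders and files
                    // add FOLDER specific permissions (inherited by subfolders only)
                    uint foldersMask = mask;
                    if ((permissions & NtfsPermission.ListFolderContents) > 0)
                    {
                        foldersMask |= (uint)SystemAccessMask.FILE_TRAVERSE;
                    }

                    ace               = wmi.GetClass("Win32_Ace").CreateInstance();
                    ace["Trustee"]    = trustee;
                    ace["AceFlags"]   = AceFlags.CONTAINER_INHERIT_ACE;
                    ace["AceType"]    = 0;              // ACCESS_ALLOWED_ACE_TYPE
                    ace["AccessMask"] = foldersMask;
                    aces.Add(ace);

                    // add FILE specific permissions (inherited by files only)
                    uint filesMask = mask;
                    if ((permissions & NtfsPermission.Execute) > 0)
                    {
                        filesMask |= (uint)SystemAccessMask.FILE_TRAVERSE;
                    }

                    ace               = wmi.GetClass("Win32_Ace").CreateInstance();
                    ace["Trustee"]    = trustee;
                    ace["AceFlags"]   = AceFlags.OBJECT_INHERIT_ACE;
                    ace["AceType"]    = 0;              // ACCESS_ALLOWED_ACE_TYPE
                    ace["AccessMask"] = filesMask;
                    aces.Add(ace);
                }

                // set newly created ACEs
                ManagementBaseObject[] newAces = aces.ToArray();
                descriptor.Properties["DACL"].Value = newAces;

                // set security descriptor
                ManagementBaseObject inParams = logicalFileSecuritySetting.GetMethodParameters("SetSecurityDescriptor");

                inParams["Descriptor"] = descriptor;
                ManagementBaseObject setOutParams = logicalFileSecuritySetting.InvokeMethod("SetSecurityDescriptor", inParams, null);

                // check results: a non-zero code means the DACL was NOT applied. Silently returning
                // here would let callers (and their logs) report a grant - or the removal of other
                // trustees' access - that never happened.
                uint result = (uint)(setOutParams.Properties["ReturnValue"].Value);
                if (result != 0)
                {
                    throw new InvalidOperationException(String.Format(
                        "SetSecurityDescriptor failed for '{0}' with return code {1}", path, result));
                }
            }
        }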
 /// <summary>
 /// Grants NTFS permissions on a folder to an account given by name: resolves the account to a
 /// SID via <see cref="GetSid"/> and delegates to <see cref="GrantNtfsPermissionsBySid"/>.
 /// </summary>
 /// <param name="path">Folder whose DACL is modified.</param>
 /// <param name="domain">Domain of the account; passed to GetSid as its second argument.</param>
 /// <param name="accountName">User or group name; passed to GetSid as its first argument.</param>
 /// <param name="permissions">Permission flags to grant.</param>
 /// <param name="inheritParentPermissions">Whether the folder keeps inheriting ACEs from its parent.</param>
 /// <param name="preserveOriginalPermissions">Whether explicit ACEs of other trustees are kept.</param>
 internal static void GrantNtfsPermissions(string path, string domain, string accountName,
                                           NtfsPermission permissions, bool inheritParentPermissions, bool preserveOriginalPermissions)
 {
     // resolve the name first so the SID lookup is visible as its own step
     string sid = GetSid(accountName, domain);
     GrantNtfsPermissionsBySid(path, sid, permissions, inheritParentPermissions, preserveOriginalPermissions);
 }
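		/// <summary>
		/// Grants NTFS permissions on the folder <paramref name="path"/> to the trustee identified by
		/// <paramref name="sid"/> by rebuilding the folder's DACL through WMI
		/// (Win32_LogicalFileSecuritySetting / SetSecurityDescriptor). Only "Allow" ACEs are written:
		/// the method cannot add "Deny" entries.
		/// </summary>
		/// <param name="path">Folder to secure. One trailing backslash is stripped. The value is embedded in
		/// a WMI object path without any escaping, so it must not be attacker-controlled: a quote character
		/// in the path yields a malformed or different object path.</param>
		/// <param name="sid">SID string of the trustee. Existing ACEs whose trustee SID equals this value
		/// (ordinal, case-insensitive) are dropped and replaced by the ACE(s) built here.</param>
		/// <param name="permissions">Flags to grant. Note that <c>Write</c> also carries DELETE (0x10000) and
		/// FILE_DELETE_CHILD (0x40), i.e. it is broader than the Explorer "Write" preset.</param>
		/// <param name="inheritParentPermissions">False sets SE_DACL_PROTECTED, so ACEs inherited from the
		/// parent stop applying. Inherited ACEs are never copied explicitly in either case.</param>
		/// <param name="preserveOriginalPermissions">True copies the explicit (non-inherited) ACEs of other
		/// trustees into the new DACL; false writes a DACL containing only the ACE(s) created here, which
		/// removes every other trustee's explicit access (only inherited ACEs, if inheritance stays on,
		/// continue to apply).</param>
		/// <exception cref="ArgumentNullException"><paramref name="path"/> or <paramref name="sid"/> is null.</exception>
		/// <exception cref="InvalidOperationException">SetSecurityDescriptor returned a non-zero code, i.e.
		/// the new DACL was not applied.</exception>
		internal static void GrantNtfsPermissionsBySid(string path, string sid,
			NtfsPermission permissions, bool inheritParentPermissions, bool preserveOriginalPermissions)
		{
			if (path == null)
			{
				throw new ArgumentNullException("path");
			}
			if (sid == null)
			{
				throw new ArgumentNullException("sid");
			}

			// Win32_SecurityDescriptor.ControlFlags (SECURITY_DESCRIPTOR_CONTROL bits):
			//   0x8404 (33796) = SE_SELF_RELATIVE | SE_DACL_AUTO_INHERITED | SE_DACL_PRESENT
			//   0x9404 (37892) = the same plus SE_DACL_PROTECTED, which blocks inheritance from the parent
			const uint ControlFlagsInherited = 0x8404;
			const uint ControlFlagsProtected = 0x9404;

			// remove trailing slash if any (ordinal: this is a path, not linguistic text)
			// NOTE(review): a drive root such as "C:\" becomes "C:" here - confirm that is intended.
			if (path.EndsWith("\\", StringComparison.Ordinal))
			{
				path = path.Substring(0, path.Length - 1);
			}

			// get security settings; 'using' guarantees the WMI object is released even when a
			// later InvokeMethod throws (the original only disposed it on the success path)
			using (ManagementObject logicalFileSecuritySetting = wmi.GetObject(String.Format(
				"Win32_LogicalFileSecuritySetting.Path='{0}'", path)))
			{
				// get original security descriptor
				ManagementBaseObject getOutParams = logicalFileSecuritySetting.InvokeMethod("GetSecurityDescriptor", null, null);
				ManagementBaseObject originalDescriptor = ((ManagementBaseObject)(getOutParams.Properties["Descriptor"].Value));

				// create new descriptor
				ManagementBaseObject descriptor = wmi.GetClass("Win32_SecurityDescriptor").CreateInstance();
				descriptor.Properties["ControlFlags"].Value = inheritParentPermissions ? ControlFlagsInherited : ControlFlagsProtected;

				// get original ACEs
				ManagementBaseObject[] originalAces = ((ManagementBaseObject[])(originalDescriptor.Properties["DACL"].Value));

				// create a new ACEs list
				List<ManagementBaseObject> aces = new List<ManagementBaseObject>();

				// copy original ACEs if required
				if (preserveOriginalPermissions)
				{
					foreach (ManagementBaseObject originalAce in originalAces)
					{
						// skip inherited ACEs (the OS re-applies them when inheritance is on) and
						// any explicit ACE already held by this trustee (it is replaced below)
						ManagementBaseObject objTrustee = (ManagementBaseObject)originalAce.Properties["Trustee"].Value;
						string trusteeSid = (string)objTrustee.Properties["SIDString"].Value;
						bool inheritedAce = ((AceFlags)originalAce.Properties["AceFlags"].Value & AceFlags.INHERITED_ACE) > 0;
						bool sameTrustee = String.Equals(trusteeSid, sid, StringComparison.OrdinalIgnoreCase);
						if (!sameTrustee && !inheritedAce)
						{
							aces.Add(originalAce);
						}
					}
				}

				// create new trustee object
				ManagementObject trustee = GetTrustee(sid);

				// system access mask (FILE_* and standard rights bits)
				uint mask = 0;
				if ((permissions & NtfsPermission.FullControl) > 0)
				{
					mask |= 0x1f01ff; // FILE_ALL_ACCESS
				}
				if ((permissions & NtfsPermission.Modify) > 0)
				{
					mask |= 0x1301bf; // Explorer "Modify" preset
				}
				if ((permissions & NtfsPermission.Write) > 0)
				{
					// 0x100116 = write data / append / write EA / write attributes + SYNCHRONIZE;
					// 0x10000 = DELETE, 0x40 = FILE_DELETE_CHILD. Broader than the Explorer "Write"
					// preset, which grants neither delete right - callers relying on this are why it stays.
					mask |= 0x100116 | 0x10000 | 0x40;
				}
				if ((permissions & NtfsPermission.Read) > 0)
				{
					mask |= 0x120089; // FILE_GENERIC_READ
				}

				// FILE_TRAVERSE (folders) and FILE_EXECUTE (files) share the same access bit, so
				// "List folder contents" and "Execute" can only be granted independently by
				// splitting the grant into a folder-only ACE and a file-only ACE.
				bool executeEnabled = ((permissions & NtfsPermission.Execute) > 0);
				bool listEnabled = ((permissions & NtfsPermission.ListFolderContents) > 0);

				bool equalState = (executeEnabled == listEnabled);

				// create and add to be modified ACE
				ManagementObject ace;
				if (equalState ||
					(permissions & NtfsPermission.FullControl) > 0 ||
					(permissions & NtfsPermission.Modify) > 0) // both "Execute" and "List" enabled or disabled
				{
					if ((permissions & NtfsPermission.Execute) > 0)
					{
						mask |= (uint)SystemAccessMask.FILE_TRAVERSE;
					}

					// one ACE applying to this folder, its subfolders and its files
					ace = wmi.GetClass("Win32_Ace").CreateInstance();
					ace["Trustee"] = trustee;
					ace["AceFlags"] = AceFlags.OBJECT_INHERIT_ACE | AceFlags.CONTAINER_INHERIT_ACE;
					ace["AceType"] = 0; // ACCESS_ALLOWED_ACE_TYPE
					ace["AccessMask"] = mask;
					aces.Add(ace);
				}
				else // either "Execute" or "List" enabled or disabled
				{
					// we should place a separate permissions for folders and files
					// add FOLDER specific permissions (inherited by subfolders only)
					uint foldersMask = mask;
					if ((permissions & NtfsPermission.ListFolderContents) > 0)
					{
						foldersMask |= (uint)SystemAccessMask.FILE_TRAVERSE;
					}

					ace = wmi.GetClass("Win32_Ace").CreateInstance();
					ace["Trustee"] = trustee;
					ace["AceFlags"] = AceFlags.CONTAINER_INHERIT_ACE;
					ace["AceType"] = 0; // ACCESS_ALLOWED_ACE_TYPE
					ace["AccessMask"] = foldersMask;
					aces.Add(ace);

					// add FILE specific permissions (inherited by files only)
					uint filesMask = mask;
					if ((permissions & NtfsPermission.Execute) > 0)
					{
						filesMask |= (uint)SystemAccessMask.FILE_TRAVERSE;
					}

					ace = wmi.GetClass("Win32_Ace").CreateInstance();
					ace["Trustee"] = trustee;
					ace["AceFlags"] = AceFlags.OBJECT_INHERIT_ACE;
					ace["AceType"] = 0; // ACCESS_ALLOWED_ACE_TYPE
					ace["AccessMask"] = filesMask;
					aces.Add(ace);
				}

				// set newly created ACEs
				ManagementBaseObject[] newAces = aces.ToArray();
				descriptor.Properties["DACL"].Value = newAces;

				// set security descriptor
				ManagementBaseObject inParams = logicalFileSecuritySetting.GetMethodParameters("SetSecurityDescriptor");
				inParams["Descriptor"] = descriptor;
				ManagementBaseObject setOutParams = logicalFileSecuritySetting.InvokeMethod("SetSecurityDescriptor", inParams, null);

				// check results: a non-zero code means the DACL was NOT applied. Silently returning
				// here would let callers (and their logs) report a grant - or the removal of other
				// trustees' access - that never happened.
				uint result = (uint)(setOutParams.Properties["ReturnValue"].Value);
				if (result != 0)
				{
					throw new InvalidOperationException(String.Format(
						"SetSecurityDescriptor failed for '{0}' with return code {1}", path, result));
				}
			}
		}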
		/// <summary>
		/// Name-based overload of <see cref="GrantNtfsPermissionsBySid"/>: looks up the SID of
		/// <paramref name="accountName"/> in <paramref name="domain"/> with <see cref="GetSid"/>
		/// and forwards every other argument unchanged.
		/// </summary>
		/// <param name="path">Folder whose DACL is modified.</param>
		/// <param name="domain">Domain of the account; passed to GetSid as its second argument.</param>
		/// <param name="accountName">User or group name; passed to GetSid as its first argument.</param>
		/// <param name="permissions">Permission flags to grant.</param>
		/// <param name="inheritParentPermissions">Whether the folder keeps inheriting ACEs from its parent.</param>
		/// <param name="preserveOriginalPermissions">Whether explicit ACEs of other trustees are kept.</param>
		internal static void GrantNtfsPermissions(string path, string domain, string accountName,
			NtfsPermission permissions, bool inheritParentPermissions, bool preserveOriginalPermissions)
		{
			string resolvedSid = GetSid(accountName, domain);

			GrantNtfsPermissionsBySid(
				path,
				resolvedSid,
				permissions,
				inheritParentPermissions,
				preserveOriginalPermissions);
		}