Example #1
        /// <summary>
        /// Restricts the DACL of the HKLM subkey named by
        /// <c>pGinaDynamicSettings.pGinaRoot</c>: inheritance is switched off,
        /// Administrators and SYSTEM receive inheritable full control, and every
        /// explicit allow rule for the users group is dropped.
        /// </summary>
        /// <remarks>
        /// Security notes for reviewers:
        /// <list type="bullet">
        /// <item>CreateSubKey opens the key if it exists and creates it otherwise. A freshly
        /// created key carries the parent's inherited permissions until SetAccessControl
        /// below has run, so nothing sensitive should be written to it before this method
        /// returns.</item>
        /// <item>Only inherited rules and the users group's explicit allow rules are removed.
        /// Explicit rules already present for any other principal are left as they are;
        /// audit the resulting DACL if the key may have been modified by hand.</item>
        /// <item>NOTE(review): USERS_GROUP, ADMIN_GROUP and SYSTEM_ACCT are declared outside
        /// this block. If they are account-name strings rather than SIDs they may not resolve
        /// on localized Windows installations - confirm.</item>
        /// </list>
        /// </remarks>
        private static void SetRegistryAcls()
        {
            // Every rule below applies to the key, its subkeys and their values.
            const InheritanceFlags inheritToChildren =
                InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;

            string rootPath = pGina.Shared.Settings.pGinaDynamicSettings.pGinaRoot;

            using (RegistryKey rootKey = Registry.LocalMachine.CreateSubKey(rootPath))
            {
                if (rootKey == null)
                {
                    return;
                }

                // Template used only to identify the users group for RemoveAccessRuleAll;
                // it is never added to the DACL.
                RegistryAccessRule usersAllowTemplate = new RegistryAccessRule(
                    USERS_GROUP, RegistryRights.ReadKey, inheritToChildren,
                    PropagationFlags.None, AccessControlType.Allow);
                RegistryAccessRule adminsFullControl = new RegistryAccessRule(
                    ADMIN_GROUP, RegistryRights.FullControl, inheritToChildren,
                    PropagationFlags.None, AccessControlType.Allow);
                RegistryAccessRule systemFullControl = new RegistryAccessRule(
                    SYSTEM_ACCT, RegistryRights.FullControl, inheritToChildren,
                    PropagationFlags.None, AccessControlType.Allow);

                RegistrySecurity acl = rootKey.GetAccessControl();

                // The logger guard that used to wrap this call is disabled in the source,
                // so the dump via ShowSecurity (defined elsewhere) runs on every invocation.
                ShowSecurity(acl);

                // isProtected = true, preserveInheritance = false: stop inheriting from the
                // parent key and discard the inherited rules instead of copying them.
                acl.SetAccessRuleProtection(true, false);

                acl.AddAccessRule(adminsFullControl);
                acl.AddAccessRule(systemFullControl);

                // RemoveAccessRuleAll matches on identity and Allow/Deny type only, so this
                // removes every explicit allow rule for the users group, not just read rules.
                acl.RemoveAccessRuleAll(usersAllowTemplate);

                // Nothing changes on the key itself until this call.
                rootKey.SetAccessControl(acl);

                // This shows the in-memory descriptor that was just submitted; it is not
                // re-read from the key.
                ShowSecurity(acl);
            }
        }
Example #2
        /// <summary>
        /// Restricts the DACL of the HKLM subkey named by <c>DynamicSettings.ROOT_KEY</c>:
        /// inheritance is switched off, Administrators and SYSTEM receive inheritable full
        /// control, and every explicit allow rule for the users group is dropped.
        /// </summary>
        /// <remarks>
        /// Security notes for reviewers:
        /// <list type="bullet">
        /// <item>CreateSubKey opens the key if it exists and creates it otherwise. A freshly
        /// created key carries the parent's inherited permissions until SetAccessControl
        /// below has run, so settings should only be stored after this method returns.</item>
        /// <item>Explicit rules already present for principals other than the users group
        /// are not touched; audit the resulting DACL if the key may have been edited by
        /// hand.</item>
        /// <item>NOTE(review): USERS_GROUP, ADMIN_GROUP and SYSTEM_ACCT are declared outside
        /// this block. If they are account-name strings rather than SIDs they may not resolve
        /// on localized Windows installations - confirm.</item>
        /// </list>
        /// </remarks>
        private static void SetRegistryAcls()
        {
            // Every rule below applies to the key, its subkeys and their values.
            const InheritanceFlags inheritToChildren =
                InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;

            string rootPath = Abstractions.Settings.DynamicSettings.ROOT_KEY;

            using (RegistryKey rootKey = Registry.LocalMachine.CreateSubKey(rootPath))
            {
                if (rootKey == null)
                {
                    return;
                }

                // Template used only to identify the users group for RemoveAccessRuleAll;
                // it is never added to the DACL.
                RegistryAccessRule usersAllowTemplate = new RegistryAccessRule(
                    USERS_GROUP, RegistryRights.ReadKey, inheritToChildren,
                    PropagationFlags.None, AccessControlType.Allow);
                RegistryAccessRule adminsFullControl = new RegistryAccessRule(
                    ADMIN_GROUP, RegistryRights.FullControl, inheritToChildren,
                    PropagationFlags.None, AccessControlType.Allow);
                RegistryAccessRule systemFullControl = new RegistryAccessRule(
                    SYSTEM_ACCT, RegistryRights.FullControl, inheritToChildren,
                    PropagationFlags.None, AccessControlType.Allow);

                RegistrySecurity acl = rootKey.GetAccessControl();

                // isProtected = true, preserveInheritance = false: stop inheriting from the
                // parent key and discard the inherited rules instead of copying them.
                acl.SetAccessRuleProtection(true, false);

                acl.AddAccessRule(adminsFullControl);
                acl.AddAccessRule(systemFullControl);

                // RemoveAccessRuleAll matches on identity and Allow/Deny type only, so this
                // removes every explicit allow rule for the users group, not just read rules.
                acl.RemoveAccessRuleAll(usersAllowTemplate);

                // Nothing changes on the key itself until this call.
                rootKey.SetAccessControl(acl);
            }
        }
Example #3
    /// <summary>
    /// Demonstrates RegistrySecurity.RemoveAccessRuleAll on an in-memory security object:
    /// two allow rules and one deny rule are added for the current user, then all of the
    /// user's allow rules are removed. No registry key is opened or modified.
    /// </summary>
    public static void Main()
    {
        string currentUser = string.Format("{0}\\{1}",
                                           Environment.UserDomainName,
                                           Environment.UserName);

        // A new RegistrySecurity holds no rules, so it grants no access.
        RegistrySecurity security = new RegistrySecurity();

        // Allow rule 1: ReadKey, WriteKey and Delete for the current user, inherited by
        // contained subkeys (ContainerInherit, no propagation restrictions).
        RegistryAccessRule allowReadWriteDelete = new RegistryAccessRule(
            currentUser,
            RegistryRights.ReadKey | RegistryRights.WriteKey | RegistryRights.Delete,
            InheritanceFlags.ContainerInherit,
            PropagationFlags.None,
            AccessControlType.Allow);
        security.AddAccessRule(allowReadWriteDelete);

        // Allow rule 2: ChangePermissions, i.e. the right to rewrite the key's access
        // rules. InheritOnly keeps it off the key itself and NoPropagateInherit stops it
        // at the immediate child subkeys. Holders of this right can grant themselves any
        // other right, so it deserves the same scrutiny as FullControl.
        RegistryAccessRule allowChangePermissions = new RegistryAccessRule(
            currentUser,
            RegistryRights.ChangePermissions,
            InheritanceFlags.ContainerInherit,
            PropagationFlags.InheritOnly | PropagationFlags.NoPropagateInherit,
            AccessControlType.Allow);
        security.AddAccessRule(allowChangePermissions);

        // Deny rule: SetValue for the current user. This constructor overload takes no
        // inheritance or propagation flags, so the rule covers only the key itself.
        RegistryAccessRule denySetValue = new RegistryAccessRule(
            currentUser,
            RegistryRights.SetValue,
            AccessControlType.Deny);
        security.AddAccessRule(denySetValue);

        // Rules before the removal.
        ShowSecurity(security);

        // RemoveAccessRuleAll uses only the identity and the Allow/Deny type of the rule
        // it is given; the rights and flags (TakeOwnership here) are ignored. Both allow
        // rules for the current user are removed and the deny rule stays.
        RegistryAccessRule allowTemplate = new RegistryAccessRule(
            currentUser,
            RegistryRights.TakeOwnership,
            AccessControlType.Allow);
        security.RemoveAccessRuleAll(allowTemplate);

        // Rules after the removal: no allow rule for the current user is left.
        ShowSecurity(security);
    }
 /// <summary>
 /// Removes every allow rule that <paramref name="permissions"/> holds for
 /// <paramref name="securityIdentifier"/>.
 /// </summary>
 /// <param name="permissions">Security object to modify in memory; the caller still has
 /// to apply it to a key for the change to take effect.</param>
 /// <param name="securityIdentifier">SID whose allow rules are removed.</param>
 /// <remarks>
 /// Deny rules for the same SID are kept. Rules inherited from a parent key are, as far
 /// as the API allows, not removable this way; inheritance has to be switched off with
 /// SetAccessRuleProtection if they must go as well.
 /// </remarks>
 private void RemoveRegistryAccessRuleAll(RegistrySecurity permissions, SecurityIdentifier securityIdentifier)
 {
     // Only the identity and the Allow type of this template are matched by
     // RemoveAccessRuleAll; FullControl is a placeholder and does not limit the removal.
     RegistryAccessRule allowTemplate = new RegistryAccessRule(
         securityIdentifier,
         RegistryRights.FullControl,
         AccessControlType.Allow);

     permissions.RemoveAccessRuleAll(allowTemplate);
 }