static Locations()
{
if (WindowsUtils.IsWindowsNT)
{
_secureSharedAcl = new DirectorySecurity();
_secureSharedAcl.SetOwner(new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null));
_secureSharedAcl.SetAccessRuleProtection(isProtected: true, preserveInheritance: false);
_secureSharedAcl.AddAccessRule(new FileSystemAccessRule(new SecurityIdentifier("S-1-1-0" /*Everyone*/), FileSystemRights.ReadAndExecute, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow));
_secureSharedAcl.AddAccessRule(new FileSystemAccessRule(new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null), FileSystemRights.ReadAndExecute, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow));
_secureSharedAcl.AddAccessRule(new FileSystemAccessRule(new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null), FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow));
_secureSharedAcl.AddAccessRule(new FileSystemAccessRule(new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null), FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow));
}
}
/// <summary>It is neccessary to modify the download directory access rights, because as default only creator/owner has the right to change the newly created directory.
/// But of course we want to allow all authenticated users to download auto updates. Thus we modify the access to the download directory, so that authenticated users have the right to modify files/folders. </summary>
/// <param name="downloadDirectory">The download directory.</param>
private void SetDownloadDirectoryAccessRights(string downloadDirectory)
{
try
{
var authenticatedUser = new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null);
var inheritance = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;
var propagation = PropagationFlags.None;
var security = new DirectorySecurity();
security.AddAccessRule(new FileSystemAccessRule(authenticatedUser, FileSystemRights.Modify, inheritance, propagation, AccessControlType.Allow));
security.SetAccessRuleProtection(false, true);
Directory.SetAccessControl(downloadDirectory, security);
}
catch (Exception)
{
}
}
private static void SetAcl(string path, SearchResult user, FileSystemRights right)
{
var userId = user.Properties["userPrincipalName"][0].ToString();
var fullUserName = user.Properties["name"][0].ToString();
var fullPath = path + fullUserName;
var dir = new DirectoryInfo(fullPath);
var ds = new DirectorySecurity();
ds.SetAccessRuleProtection(true, false);
var uacl = new FileSystemAccessRule(userId,
right,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow);
ds.AddAccessRule(uacl);
var domainAdmins = new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, AppSettings.GeneralSettings.DomainSid);
var pacl = new FileSystemAccessRule(domainAdmins,
FileSystemRights.FullControl,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow);
ds.AddAccessRule(pacl);
var system = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
var sacl = new FileSystemAccessRule(system,
FileSystemRights.FullControl,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow);
ds.AddAccessRule(sacl);
dir.SetAccessControl(ds);
}
internal static void CreateDirectory(string path, IsolatedStorageScope scope)
{
if (Directory.Exists(path))
return;
DirectoryInfo info = Directory.CreateDirectory(path);
if (IsMachine(scope) && RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
{
// Need to emulate COMIsolatedStorage::CreateDirectoryWithDacl(), which gives the following rights:
//
// World / Everyone (S-1-1-0 / SECURITY_WORLD_RID) -> (FILE_GENERIC_WRITE | FILE_GENERIC_READ) & (~WRITE_DAC)
// Creator Owner (S-1-3-0 / SECURITY_CREATOR_OWNER_RID) -> FILE_ALL_ACCESS
// Local Admins (S-1-5-32 / SECURITY_BUILTIN_DOMAIN_RID & DOMAIN_ALIAS_RID_ADMINS) -> FILE_ALL_ACCESS
//
// When looking at rights through the GUI it looks like this:
//
// "Everyone" -> Read, Write
// "Administrators" -> Full control
// "CREATOR OWNER" -> Full control
//
// With rights applying to "This folder, subfolders, and files". No inheritance from the parent folder.
//
// Note that trying to reset the rules for CREATOR OWNER leaves the current directory with the actual creator's SID.
// (But applies CREATOR OWNER as expected for items and subdirectories.) Setting up front when creating the directory
// doesn't exhibit this behavior, but as we can't currently do that we'll take the rough equivalent for now.
DirectorySecurity security = new DirectorySecurity();
// Don't inherit the existing rules
security.SetAccessRuleProtection(isProtected: true, preserveInheritance: false);
security.AddAccessRule(new FileSystemAccessRule(
identity: new SecurityIdentifier(WellKnownSidType.WorldSid, null),
fileSystemRights: FileSystemRights.Read | FileSystemRights.Write,
inheritanceFlags: InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
propagationFlags: PropagationFlags.None,
type: AccessControlType.Allow));
security.AddAccessRule(new FileSystemAccessRule(
identity: new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null),
fileSystemRights: FileSystemRights.FullControl,
inheritanceFlags: InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
propagationFlags: PropagationFlags.None,
type: AccessControlType.Allow));
security.AddAccessRule(new FileSystemAccessRule(
identity: new SecurityIdentifier(WellKnownSidType.CreatorOwnerSid, null),
fileSystemRights: FileSystemRights.FullControl,
inheritanceFlags: InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
propagationFlags: PropagationFlags.None,
type: AccessControlType.Allow));
info.SetAccessControl(security);
}
}
private static DirectorySecurity GetDirectorySecurity(string fullControlMembers, string readWriteMembers)
{
System.Security.AccessControl.DirectorySecurity dirSecturity = new System.Security.AccessControl.DirectorySecurity();
dirSecturity.SetAccessRuleProtection(true, false); // Break inheritance and discard parent's access rules
AddReadWriteAccess(dirSecturity, Environment.UserName); // Set Read/Write access for the current user
System.Security.Principal.SecurityIdentifier systemSID = new System.Security.Principal.SecurityIdentifier(System.Security.Principal.WellKnownSidType.LocalSystemSid, null);
AddAccessRule(dirSecturity, GetFullControlAccessRule(systemSID)); // Set Full Access for "System" Account
if (!String.IsNullOrEmpty(readWriteMembers))
{
try
{
foreach (string trustee in readWriteMembers.Split(new char[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
{
try
{
AddReadWriteAccess(dirSecturity, trustee);
}
catch (Exception ex) { Logger.Write(20015, "Unable to set Read/Write permissions on destination folder. " + ex.Message, Logger.MessageSeverity.Error, System.Diagnostics.EventLogEntryType.Error); }
}
}
catch (Exception ex) { Logger.Write(20015, "Unable to set Read/Write permissions on destination folder. " + ex.Message, Logger.MessageSeverity.Error, System.Diagnostics.EventLogEntryType.Error); }
}
if (!String.IsNullOrEmpty(fullControlMembers))
{
try
{
foreach (string trustee in fullControlMembers.Split(new char[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
{
try
{
AddFullControlAccess(dirSecturity, trustee);
}
catch (Exception ex) { Logger.Write(20016, "Unable to set Full Control permissions on destination folder. " + ex.Message, Logger.MessageSeverity.Error, System.Diagnostics.EventLogEntryType.Error); }
}
}
catch (Exception ex) { Logger.Write(20016, "Unable to set Full Control permissions on destination folder. " + ex.Message, Logger.MessageSeverity.Error, System.Diagnostics.EventLogEntryType.Error); }
}
return(dirSecturity);
}
private void GrantAccess()
{
try
{
var dSecurity = new DirectorySecurity();
dSecurity.AddAccessRule(new FileSystemAccessRule(new SecurityIdentifier(WellKnownSidType.WorldSid, null), FileSystemRights.Modify | FileSystemRights.Synchronize,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None, AccessControlType.Allow));
dSecurity.SetAccessRuleProtection(false, true);
Directory.CreateDirectory(_settingsPath, dSecurity);
}
catch (Exception e)
{
throw new Exception("Unable to GrantAccess()" + e);
}
}
private void WriteParametersFile(IEnumerable<string> keys)
{
if (!Directory.Exists(Destination()))
{
Directory.CreateDirectory(Destination());
}
var directorySecurity = new DirectorySecurity();
directorySecurity.SetAccessRuleProtection(true, false);
directorySecurity.SetAccessRule(new FileSystemAccessRule(new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null), FileSystemRights.FullControl, AccessControlType.Allow));
Directory.SetAccessControl(Destination(), directorySecurity);
var parameters = new Dictionary<string, string>();
foreach (string key in keys)
{
var value = Context.Parameters[key];
parameters.Add(key, value);
}
var javaScriptSerializer = new System.Web.Script.Serialization.JavaScriptSerializer();
string jsonString = javaScriptSerializer.Serialize(parameters);
var configFile = DestinationFilename("parameters.json");
File.WriteAllText(configFile, jsonString);
}
public static Boolean ReplaceDirectorySecurity(string dir, string[] Account, FileSystemRights Rights, AccessControlType ControlType, InheritanceFlags Inherit, PropagationFlags Propagation)
{
DirectoryInfo dInfo = new DirectoryInfo(dir);
DirectorySecurity dSecurity = new DirectorySecurity();
try
{
dSecurity.SetAccessRuleProtection(true, false);
foreach (string account in Account)
{
dSecurity.ResetAccessRule(new FileSystemAccessRule(account, Rights, Inherit, Propagation, ControlType));
}
dInfo.SetAccessControl(dSecurity);
}
catch (Exception ex)
{
LibraryLogging.Error("unable to ReplaceDirectorySecurity for {0} error {1}", dir, ex.Message);
return false;
}
return true;
}
private static DirectorySecurity GetDirectorySecurity()
{
DirectorySecurity directorySecurity = new DirectorySecurity();
directorySecurity.SetAccessRuleProtection(true, false);
using (WindowsIdentity current = WindowsIdentity.GetCurrent())
{
directorySecurity.SetOwner((IdentityReference) current.User);
for (int index = 0; index < TemporaryDataStorage.DirectoryAccessRules.Length; ++index)
directorySecurity.AddAccessRule(TemporaryDataStorage.DirectoryAccessRules[index]);
if (!current.User.IsWellKnown(WellKnownSidType.LocalSystemSid) && !current.User.IsWellKnown(WellKnownSidType.NetworkServiceSid) && !current.User.IsWellKnown(WellKnownSidType.LocalServiceSid))
directorySecurity.AddAccessRule(new FileSystemAccessRule((IdentityReference) current.User, FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow));
return directorySecurity;
}
}
/// <summary>
/// Blocks inheritance on this directory.
/// </summary>
/// <param name="path">The path to the directory to block inheritance on.</param>
/// <param name="security">The DirectorySecurity object of the directory that will be changed.</param>
/// <param name="addInheritedPermissions">If true, copies the directory's inherited permissions as explicit permissions on the directory.</param>
/// <param name="commitChanges">Indicates whether changes should be commited to this entry. Useful when combining multiple commands.</param>
/// <returns>True if inheritance was blocked on the directory, false if the directory does not exist, or inheritance could not be
/// blocked.</returns>
public static bool BlockInheritance(string path, ref DirectorySecurity security, bool addInheritedPermissions, bool commitChanges)
{
// Check whether a path and security object were supplied.
if (!string.IsNullOrEmpty(path) && security != null)
{
// A path and security object were supplied.
// Check whether the directory exists.
if (SystemDirectory.Exists(path))
{
// The directory exists.
// Remove inheritance from the directory and copy inherited permissions if necessary.
try
{
security.SetAccessRuleProtection(true, addInheritedPermissions);
}
catch (InvalidOperationException)
{
// This method attempted to remove inherited rules from a non-canonical Discretionary Access Control List (DACL).
return false;
}
// Commit the changes if necessary.
if (commitChanges)
{
try
{
SystemDirectory.SetAccessControl(path, security);
}
catch (UnauthorizedAccessException)
{
// The current process does not have access to the directory specified by path.
// Or the current process does not have sufficient privilege to set the ACL entry.
return false;
}
catch (PlatformNotSupportedException)
{
// The current operating system is not Windows 2000 or later.
return false;
}
}
return true;
}
else
{
// The directory does not exist.
return false;
}
}
else
{
// A path or security object were not supplied.
return false;
}
}
private static void SetWritePermissions(string parentPath, string relativePath)
{
// Everyone, FullControl
string path = Path.Combine(parentPath, relativePath);
if (!Directory.Exists(path))
Directory.CreateDirectory(path);
SecurityIdentifier everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
DirectorySecurity security = new DirectorySecurity();
security.SetAccessRuleProtection(true, false);
security.AddAccessRule(new FileSystemAccessRule(everyone, FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow));
Directory.SetAccessControl(path, security);
}
