        /// <summary>
        /// Replaces the permissions of the directory at the given <paramref name="targetPath"/>
        /// with the inheritable permissions from the directory at the given <paramref name="sourcePath"/>.
        /// </summary>
        /// <param name="sourcePath">The path to the directory from which to derive inheritable permissions.</param>
        /// <param name="targetPath">The path to the directory to which to apply the derived permissions.</param>
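        public static void ApplyInheritableDirectoryPermissions(string sourcePath, string targetPath)
        {
            // Overview: builds a brand-new, inheritance-protected DACL for the target from the
            // container-inheritable rules of the source, then writes it in one SetAccessControl call.
            //
            // Security notes for callers:
            //  * The target's previous DACL (explicit and inherited rules) is replaced, not merged.
            //    If the source has no container-inheritable rules, the target is left with a
            //    protected DACL that contains no access rules.
            //  * Rules that are ObjectInherit-only (no ContainerInherit) are skipped, so files created
            //    later inside the target do not receive them. NOTE(review): confirm this is intended,
            //    in particular for Deny rules.
            //  * Source and target are read and written through separate path-based calls, so the
            //    operation is not atomic with respect to concurrent ACL or path changes.
            string sourceAbsolutePath = GetAbsolutePath(sourcePath);
            string targetAbsolutePath = GetAbsolutePath(targetPath);

            DirectorySecurity sourceSecurity        = Directory.GetAccessControl(sourceAbsolutePath);
            DirectorySecurity currentTargetSecurity = Directory.GetAccessControl(targetAbsolutePath);

            // Identities are handled as SIDs rather than NTAccount names: account names are localized
            // by Windows and cannot always be resolved (orphaned SIDs), whereas the SID is stable.
            IdentityReference targetOwner = currentTargetSecurity.GetOwner(typeof(SecurityIdentifier));
            IdentityReference targetGroup = currentTargetSecurity.GetGroup(typeof(SecurityIdentifier));

            DirectorySecurity targetSecurity = new DirectorySecurity();

            // Protect the new DACL from the target's parents and do not keep a copy of the
            // rules that were previously inherited from them.
            targetSecurity.SetAccessRuleProtection(true, false);

            foreach (FileSystemAccessRule rule in sourceSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)))
            {
                InheritanceFlags inheritanceFlags = rule.InheritanceFlags;

                // Only rules that subfolders would inherit are carried over.
                if (!inheritanceFlags.HasFlag(InheritanceFlags.ContainerInherit))
                {
                    continue;
                }

                IdentityReference identityReference = rule.IdentityReference;
                FileSystemRights  fileSystemRights  = rule.FileSystemRights;
                AccessControlType accessControlType = rule.AccessControlType;

                // Match the CREATOR OWNER / CREATOR GROUP placeholders by well-known SID.
                // Comparing against the English display names silently fails on localized
                // Windows installations, which would drop the owner/group-specific rules.
                SecurityIdentifier sid = identityReference as SecurityIdentifier;
                bool isCreatorOwner = sid != null && sid.IsWellKnown(WellKnownSidType.CreatorOwnerSid);
                bool isCreatorGroup = sid != null && sid.IsWellKnown(WellKnownSidType.CreatorGroupSid);

                // CREATOR OWNER: add a rule for the target's actual owner that applies
                // only to the target directory itself (not inheritable).
                if (isCreatorOwner)
                {
                    targetSecurity.AddAccessRule(new FileSystemAccessRule(targetOwner, fileSystemRights, accessControlType));
                }

                // CREATOR GROUP: same treatment for the target's primary group.
                if (isCreatorGroup)
                {
                    targetSecurity.AddAccessRule(new FileSystemAccessRule(targetGroup, fileSystemRights, accessControlType));
                }

                // NoPropagateInherit on the source means the rule reaches direct children only,
                // so on the target it must not propagate any further.
                if (rule.PropagationFlags.HasFlag(PropagationFlags.NoPropagateInherit))
                {
                    inheritanceFlags = InheritanceFlags.None;
                }

                // Propagation flags of the source rule are not carried over to the target rule.
                PropagationFlags propagationFlags = PropagationFlags.None;

                targetSecurity.AddAccessRule(new FileSystemAccessRule(identityReference, fileSystemRights, inheritanceFlags, propagationFlags, accessControlType));
            }

            Directory.SetAccessControl(targetAbsolutePath, targetSecurity);
        }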