        /// <summary>
        /// Derives the application-level access rules from the DACL of a file or directory.
        /// </summary>
        /// <param name="filePath">Path to an existing file or directory.</param>
        /// <returns>
        /// One <see cref="ApplicationAccessRule"/> per file system ACE that maps to a non-trivial
        /// application right. ACEs that are not file system rules, and ACEs that neither grant a
        /// complete level of rights nor deny any part of one, are omitted.
        /// </returns>
        /// <exception cref="FileNotFoundException">
        /// Neither a file nor a directory exists at <paramref name="filePath"/>.
        /// </exception>
        public static IList <ApplicationAccessRule> GetAccessRules(String filePath)
        {
            // the path may name either a file or a directory; both expose a FileSystemSecurity.
            FileInfo fileInfo = new FileInfo(filePath);
            FileSystemSecurity security;

            if (fileInfo.Exists)
            {
                security = fileInfo.GetAccessControl(AccessControlSections.Access);
            }
            else
            {
                DirectoryInfo directoryInfo = new DirectoryInfo(filePath);

                if (!directoryInfo.Exists)
                {
                    throw new FileNotFoundException("File or directory does not exist.", filePath);
                }

                security = directoryInfo.GetAccessControl(AccessControlSections.Access);
            }

            List <ApplicationAccessRule> result = new List <ApplicationAccessRule>();

            // explicit and inherited ACEs, identities resolved to account names.
            foreach (AuthorizationRule authorizationRule in security.GetAccessRules(true, true, typeof(NTAccount)))
            {
                FileSystemAccessRule fileRule = authorizationRule as FileSystemAccessRule;

                // ACEs of other kinds carry no file system rights to map.
                if (fileRule == null)
                {
                    continue;
                }

                FileSystemRights rights = fileRule.FileSystemRights;

                ApplicationAccessRule rule = new ApplicationAccessRule();

                rule.RuleType     = ApplicationAccessRule.Convert(fileRule.AccessControlType);
                rule.IdentityName = fileRule.IdentityReference.Value;
                rule.Right        = ApplicationAccessRight.None;

                if (rule.RuleType == AccessControlType.Allow)
                {
                    // an allow ACE counts for a level only if it grants every right of that level;
                    // report the highest level it satisfies.
                    if ((rights & Configure) == Configure)
                    {
                        rule.Right = ApplicationAccessRight.Configure;
                    }
                    else if ((rights & Update) == Update)
                    {
                        rule.Right = ApplicationAccessRight.Update;
                    }
                    else if ((rights & Read) == Read)
                    {
                        rule.Right = ApplicationAccessRight.Run;
                    }
                }
                else if (rule.RuleType == AccessControlType.Deny)
                {
                    // a deny ACE withholding any single right of a level already blocks that level;
                    // report the lowest level it touches.
                    if ((rights & Read) != 0)
                    {
                        rule.Right = ApplicationAccessRight.Run;
                    }
                    else if ((rights & Update) != 0)
                    {
                        rule.Right = ApplicationAccessRight.Update;
                    }
                    else if ((rights & Configure) != 0)
                    {
                        rule.Right = ApplicationAccessRight.Configure;
                    }
                }

                // ACEs that map to no application right are not worth reporting.
                if (rule.Right == ApplicationAccessRight.None)
                {
                    continue;
                }

                result.Add(rule);
            }

            return result;
        }
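        /// <summary>
        /// Applies a set of application access rules to the DACL of a file or directory.
        /// </summary>
        /// <param name="filePath">Path to an existing file or directory.</param>
        /// <param name="accessRules">
        /// The application rules to translate into file system ACEs. Rules whose right is
        /// <see cref="ApplicationAccessRight.None"/> have no file system equivalent and are skipped.
        /// </param>
        /// <param name="replaceExisting">
        /// When true, inheritance from the parent is disabled without preserving the inherited ACEs and
        /// every existing file system ACE is removed, so the resulting DACL holds only the supplied rules
        /// (an empty <paramref name="accessRules"/> therefore leaves a DACL that grants nobody access).
        /// When false, the supplied rules are merged with the existing ACEs.
        /// </param>
        /// <exception cref="ArgumentNullException"><paramref name="accessRules"/> is null.</exception>
        /// <exception cref="FileNotFoundException">
        /// Neither a file nor a directory exists at <paramref name="filePath"/>.
        /// </exception>
        /// <remarks>
        /// A rule that the security descriptor rejects is traced and skipped rather than aborting the
        /// update, so callers must not assume every supplied rule ended up in the DACL. Identity names of
        /// the form "S-..." are parsed as SIDs; a SID that cannot be represented as an NT account is skipped
        /// silently, while a malformed SID or a failed SID-to-account translation propagates and aborts the
        /// call before anything is written back to the file system.
        /// </remarks>
        public static void SetAccessRules(String filePath, IList <ApplicationAccessRule> accessRules, bool replaceExisting)
        {
            if (accessRules == null)
            {
                throw new ArgumentNullException("accessRules");
            }

            // the path may name either a file or a directory; both expose a FileSystemSecurity.
            FileSystemSecurity security = null;

            FileInfo      fileInfo      = new FileInfo(filePath);
            DirectoryInfo directoryInfo = null;

            if (!fileInfo.Exists)
            {
                directoryInfo = new DirectoryInfo(filePath);

                if (!directoryInfo.Exists)
                {
                    throw new FileNotFoundException("File or directory does not exist.", filePath);
                }

                security = directoryInfo.GetAccessControl(AccessControlSections.Access);
            }
            else
            {
                security = fileInfo.GetAccessControl(AccessControlSections.Access);
            }

            if (replaceExisting)
            {
                // isProtected=true, preserveInheritance=false: break inheritance and drop the inherited
                // ACEs so that the DACL ends up containing only what is added below.
                security.SetAccessRuleProtection(true, false);

                // remove the remaining explicit file system rules.
                AuthorizationRuleCollection existingRules = security.GetAccessRules(true, true, typeof(NTAccount));

                for (int ii = 0; ii < existingRules.Count; ii++)
                {
                    FileSystemAccessRule existingRule = existingRules[ii] as FileSystemAccessRule;

                    // only file system rules can be removed through RemoveAccessRule.
                    if (existingRule == null)
                    {
                        continue;
                    }

                    security.RemoveAccessRule(existingRule);
                }
            }

            // rules on a directory propagate to the files and subdirectories created under it.
            InheritanceFlags flags = InheritanceFlags.None;

            if (directoryInfo != null)
            {
                flags = InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit;
            }

            for (int ii = 0; ii < accessRules.Count; ii++)
            {
                ApplicationAccessRule applicationRule = accessRules[ii];

                IdentityReference identityReference = applicationRule.IdentityReference;

                if (identityReference == null)
                {
                    // the SID prefix is ASCII; an ordinal comparison keeps culture rules out of it.
                    if (applicationRule.IdentityName.StartsWith("S-", StringComparison.Ordinal))
                    {
                        SecurityIdentifier sid = new SecurityIdentifier(applicationRule.IdentityName);

                        // a SID with no NT account representation cannot be placed in the ACE.
                        if (!sid.IsValidTargetType(typeof(NTAccount)))
                        {
                            continue;
                        }

                        identityReference = sid.Translate(typeof(NTAccount));
                    }
                    else
                    {
                        identityReference = new NTAccount(applicationRule.IdentityName);
                    }
                }

                // map the abstract right onto a file system rights mask. The deny masks differ from the
                // allow masks: denying a level must also block the levels above it, which is presumably
                // what the *Only masks express — confirm against their definitions.
                bool isAllow = (applicationRule.RuleType == AccessControlType.Allow);
                FileSystemRights rights;

                switch (applicationRule.Right)
                {
                    case ApplicationAccessRight.Run:
                        rights = isAllow ? Read : Configure;
                        break;

                    case ApplicationAccessRight.Update:
                        rights = isAllow ? Update : ConfigureOnly | UpdateOnly;
                        break;

                    case ApplicationAccessRight.Configure:
                        rights = isAllow ? Configure : ConfigureOnly;
                        break;

                    default:
                        // None (or an unrecognised right) has no file system equivalent. Previously this
                        // fell through to SetAccessRule(null), which threw and was traced as a failure.
                        continue;
                }

                FileSystemAccessRule fileRule = new FileSystemAccessRule(
                    identityReference,
                    rights,
                    flags,
                    PropagationFlags.None,
                    ApplicationAccessRule.Convert(applicationRule.RuleType));

                // every rule is applied exactly once, inside the same handler, so a rejected rule is
                // always traced instead of propagating (the Update case used to call SetAccessRule twice,
                // once outside the try).
                try
                {
                    security.SetAccessRule(fileRule);
                }
                catch (Exception e)
                {
                    Utils.Trace(
                        "Could not set access rule for account '{0}' on file '{1}'. Error={2}",
                        applicationRule.IdentityName,
                        filePath,
                        e.Message);
                }
            }

            // nothing above touches the file system; the modified descriptor is written back here.
            if (directoryInfo != null)
            {
                directoryInfo.SetAccessControl((DirectorySecurity)security);
                return;
            }

            fileInfo.SetAccessControl((FileSecurity)security);
        }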