Esempio n. 1
0
        public override void InitializeEnlistmentACLs(string enlistmentPath)
        {
            // The following permissions are typically present on deskop and missing on Server
            //
            //   ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\Authenticated Users
            //          [OBJECT_INHERIT_ACE]
            //          [CONTAINER_INHERIT_ACE]
            //          [INHERIT_ONLY_ACE]
            //        DELETE
            //        GENERIC_EXECUTE
            //        GENERIC_WRITE
            //        GENERIC_READ
            DirectorySecurity rootSecurity = Directory.GetAccessControl(enlistmentPath);
            AccessRule        authenticatedUsersAccessRule = rootSecurity.AccessRuleFactory(
                new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null),
                unchecked ((int)(NativeMethods.FileAccess.DELETE | NativeMethods.FileAccess.GENERIC_EXECUTE | NativeMethods.FileAccess.GENERIC_WRITE | NativeMethods.FileAccess.GENERIC_READ)),
                true,
                InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
                PropagationFlags.None,
                AccessControlType.Allow);

            // The return type of the AccessRuleFactory method is the base class, AccessRule, but the return value can be cast safely to the derived class.
            // https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemsecurity.accessrulefactory(v=vs.110).aspx
            rootSecurity.AddAccessRule((FileSystemAccessRule)authenticatedUsersAccessRule);
            Directory.SetAccessControl(enlistmentPath, rootSecurity);
        }
Esempio n. 2
0
        /// <summary>
        /// Creates the specified directory (and its ancestors) if they do not
        /// already exist.
        ///
        /// If the specified directory does not exist this method:
        ///
        ///  - Creates the directory and its ancestors
        ///  - Adjusts the ACLs of 'directoryPath' (the ancestors' ACLs are not
        ///    modified).
        /// </summary>
        /// <returns>
        /// - true if the directory already exists -or- the directory was successfully created
        ///   with the proper ACLS
        /// - false otherwise
        /// </returns>
        /// <remarks>
        /// The following permissions are typically present on deskop and missing on Server.
        /// These are the permissions added by this method.
        ///
        ///   ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\Authenticated Users
        ///          [OBJECT_INHERIT_ACE]
        ///          [CONTAINER_INHERIT_ACE]
        ///          [INHERIT_ONLY_ACE]
        ///        DELETE
        ///        GENERIC_EXECUTE
        ///        GENERIC_WRITE
        ///        GENERIC_READ
        /// </remarks>
        public bool TryCreateDirectoryAccessibleByAuthUsers(string directoryPath, out string error, ITracer tracer = null)
        {
            if (Directory.Exists(directoryPath))
            {
                error = null;
                return(true);
            }

            try
            {
                // Create the directory first and then adjust the ACLs as needed
                Directory.CreateDirectory(directoryPath);

                // Use AccessRuleFactory rather than creating a FileSystemAccessRule because the NativeMethods.FileAccess flags
                // we're specifying are not valid for the FileSystemRights parameter of the FileSystemAccessRule constructor
                DirectorySecurity directorySecurity            = Directory.GetAccessControl(directoryPath);
                AccessRule        authenticatedUsersAccessRule = directorySecurity.AccessRuleFactory(
                    new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null),
                    unchecked ((int)(NativeMethods.FileAccess.DELETE | NativeMethods.FileAccess.GENERIC_EXECUTE | NativeMethods.FileAccess.GENERIC_WRITE | NativeMethods.FileAccess.GENERIC_READ)),
                    true,
                    InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
                    PropagationFlags.None,
                    AccessControlType.Allow);

                // The return type of the AccessRuleFactory method is the base class, AccessRule, but the return value can be cast safely to the derived class.
                // https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemsecurity.accessrulefactory(v=vs.110).aspx
                directorySecurity.AddAccessRule((FileSystemAccessRule)authenticatedUsersAccessRule);
                Directory.SetAccessControl(directoryPath, directorySecurity);
            }
            catch (Exception e) when(e is IOException || e is UnauthorizedAccessException || e is SystemException)
            {
                if (tracer != null)
                {
                    EventMetadata metadataData = new EventMetadata();
                    metadataData.Add("Exception", e.ToString());
                    metadataData.Add(nameof(directoryPath), directoryPath);
                    tracer.RelatedError(metadataData, $"{nameof(this.TryCreateDirectoryAccessibleByAuthUsers)}: Failed to create and configure directory");
                }

                error = e.Message;
                return(false);
            }

            error = null;
            return(true);
        }
Esempio n. 3
0
        public bool TryCreateEnlistmentFolders()
        {
            try
            {
                Directory.CreateDirectory(this.EnlistmentRoot);

                // The following permissions are typically present on deskop and missing on Server
                //
                //   ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\Authenticated Users
                //          [OBJECT_INHERIT_ACE]
                //          [CONTAINER_INHERIT_ACE]
                //          [INHERIT_ONLY_ACE]
                //        DELETE
                //        GENERIC_EXECUTE
                //        GENERIC_WRITE
                //        GENERIC_READ
                DirectorySecurity rootSecurity = Directory.GetAccessControl(this.EnlistmentRoot);
                AccessRule        authenticatedUsersAccessRule = rootSecurity.AccessRuleFactory(
                    new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null),
                    unchecked ((int)(NativeMethods.FileAccess.DELETE | NativeMethods.FileAccess.GENERIC_EXECUTE | NativeMethods.FileAccess.GENERIC_WRITE | NativeMethods.FileAccess.GENERIC_READ)),
                    true,
                    InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
                    PropagationFlags.None,
                    AccessControlType.Allow);

                // The return type of the AccessRuleFactory method is the base class, AccessRule, but the return value can be cast safely to the derived class.
                // https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemsecurity.accessrulefactory(v=vs.110).aspx
                rootSecurity.AddAccessRule((FileSystemAccessRule)authenticatedUsersAccessRule);
                Directory.SetAccessControl(this.EnlistmentRoot, rootSecurity);

                Directory.CreateDirectory(this.WorkingDirectoryRoot);
                this.CreateHiddenDirectory(this.DotGVFSRoot);
            }
            catch (IOException)
            {
                return(false);
            }

            return(true);
        }
Esempio n. 4
0
        /// <summary>
        /// 移除 指定目录 指定用户的 权限
        /// </summary>
        /// <param name="DirectoryName"></param>
        /// <param name="Account"></param>
        public static void RemoveDirectoryAccountSecurity(string DirectoryName, string Account)
        {
            DirectoryInfo dInfo = new DirectoryInfo(DirectoryName);

            if (dInfo.Exists)
            {
                System.Security.Principal.NTAccount myAccount = new System.Security.Principal.NTAccount(System.Environment.MachineName, Account);

                DirectorySecurity dSecurity = dInfo.GetAccessControl();

                FileSystemAccessRule AccessRule  = new FileSystemAccessRule(Account, FileSystemRights.FullControl, AccessControlType.Allow);
                FileSystemAccessRule AccessRule2 = new FileSystemAccessRule(Account, FileSystemRights.FullControl, AccessControlType.Deny);

                InheritanceFlags iFlags = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;
                PropagationFlags pFlags = PropagationFlags.InheritOnly | PropagationFlags.NoPropagateInherit;

                dSecurity.AccessRuleFactory(myAccount, 983551, false, iFlags, pFlags, AccessControlType.Allow);

                dSecurity.RemoveAccessRuleAll(AccessRule);
                dSecurity.RemoveAccessRuleAll(AccessRule2);

                dInfo.SetAccessControl(dSecurity);
            }
        }