/// <summary> /// InternalUpdateDirectoryACLs method implementation /// </summary> internal static void InternalUpdateDirectoryACLs(string fulldir) { if (!Loaded) { Initialize(); } bool mustsave = false; DirectorySecurity fSecurity = Directory.GetAccessControl(fulldir, AccessControlSections.Access); SecurityIdentifier localacc = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null); fSecurity.PurgeAccessRules(localacc); fSecurity.AddAccessRule(new FileSystemAccessRule(localacc, FileSystemRights.FullControl, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow)); fSecurity.AddAccessRule(new FileSystemAccessRule(localacc, FileSystemRights.FullControl, InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow)); fSecurity.AddAccessRule(new FileSystemAccessRule(localacc, FileSystemRights.FullControl, InheritanceFlags.ContainerInherit, PropagationFlags.InheritOnly, AccessControlType.Allow)); if (ADFSDomainAdminServiceAdministrationAllowed) { SecurityIdentifier domainacc = new SecurityIdentifier(WellKnownSidType.AccountDomainAdminsSid, null); fSecurity.PurgeAccessRules(domainacc); fSecurity.AddAccessRule(new FileSystemAccessRule(domainacc, FileSystemRights.FullControl, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow)); fSecurity.AddAccessRule(new FileSystemAccessRule(domainacc, FileSystemRights.FullControl, InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow)); fSecurity.AddAccessRule(new FileSystemAccessRule(domainacc, FileSystemRights.FullControl, InheritanceFlags.ContainerInherit, PropagationFlags.InheritOnly, AccessControlType.Allow)); } if (!string.IsNullOrEmpty(ADFSAdminGroupSID)) { SecurityIdentifier adfsgroup = new SecurityIdentifier(ADFSAdminGroupSID); fSecurity.PurgeAccessRules(adfsgroup); fSecurity.AddAccessRule(new FileSystemAccessRule(adfsgroup, FileSystemRights.FullControl, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow)); fSecurity.AddAccessRule(new FileSystemAccessRule(adfsgroup, FileSystemRights.FullControl, InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow)); fSecurity.AddAccessRule(new FileSystemAccessRule(adfsgroup, FileSystemRights.FullControl, InheritanceFlags.ContainerInherit, PropagationFlags.InheritOnly, AccessControlType.Allow)); mustsave = true; } if (!string.IsNullOrEmpty(ADFSAccountSID)) { SecurityIdentifier adfsaccount = new SecurityIdentifier(ADFSAccountSID); fSecurity.PurgeAccessRules(adfsaccount); fSecurity.AddAccessRule(new FileSystemAccessRule(adfsaccount, FileSystemRights.FullControl, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow)); fSecurity.AddAccessRule(new FileSystemAccessRule(adfsaccount, FileSystemRights.FullControl, InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow)); fSecurity.AddAccessRule(new FileSystemAccessRule(adfsaccount, FileSystemRights.FullControl, InheritanceFlags.ContainerInherit, PropagationFlags.InheritOnly, AccessControlType.Allow)); mustsave = true; } if (mustsave) { Directory.SetAccessControl(fulldir, fSecurity); } }
public void CanDeleteFileWithDenyACL() { string file = GetFullPath("File with space"); string directory = Path.GetDirectoryName(file); File.WriteAllText(file, string.Empty); try { FileInfo fi = new FileInfo(file); FileSecurity accessControl = fi.GetAccessControl(AccessControlSections.All); accessControl.PurgeAccessRules(WindowsIdentity.GetCurrent().User); accessControl.AddAccessRule(new FileSystemAccessRule(WindowsIdentity.GetCurrent().User, FileSystemRights.FullControl, AccessControlType.Deny)); fi.SetAccessControl(accessControl); DirectoryInfo di = new DirectoryInfo(directory); DirectorySecurity ds = di.GetAccessControl(AccessControlSections.All); ds.PurgeAccessRules(WindowsIdentity.GetCurrent().User); ds.AddAccessRule(new FileSystemAccessRule(WindowsIdentity.GetCurrent().User, FileSystemRights.CreateFiles, AccessControlType.Deny)); di.SetAccessControl(ds); XAssert.IsTrue(File.Exists(file)); FileUtilities.DeleteFile(file); XAssert.IsFalse(File.Exists(file)); } finally { DirectoryInfo di = new DirectoryInfo(directory); DirectorySecurity ds = di.GetAccessControl(AccessControlSections.All); ds.PurgeAccessRules(WindowsIdentity.GetCurrent().User); ds.AddAccessRule(new FileSystemAccessRule(WindowsIdentity.GetCurrent().User, FileSystemRights.FullControl, AccessControlType.Allow)); di.SetAccessControl(ds); di.Delete(true); } }
/// <summary> /// Remove all user permissions from folder. /// </summary> /// If the user with name `username` exists, it will be preserved. /// <param name="fullPath">Full path to the folder on which to remove /// all user permissions.</param> /// <param name="username">Name of the user that will keep the /// permissions.</param> public static void RemovePermissionsForAllUsersButOne(string fullPath, string username) { // Is the function being run by an administrator? if (!LocalUserManager.IsAdministrator()) { // Inform const string msg = "This method must be run by an administrator."; sLogger.Error(msg); throw new InvalidOperationException(msg); } DirectoryInfo dirinfo = new DirectoryInfo(fullPath); DirectorySecurity dsec = dirinfo.GetAccessControl(AccessControlSections.All); AuthorizationRuleCollection rules = dsec.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)); foreach (AccessRule rule in rules) { if (rule.IdentityReference.Value != username) { dsec.PurgeAccessRules(rule.IdentityReference); dsec.ModifyAccessRule(AccessControlModification.RemoveAll, rule, out bool value); // Inform sLogger.Info("Removed permission from '" + fullPath + "' for '" + username + "'."); } } }
public static void SetAccessDirectory(string dirPath) { if (!Directory.Exists(dirPath)) { Directory.CreateDirectory(dirPath); } // Pega a segurança atual da pasta DirectorySecurity oDirSec = Directory.GetAccessControl(dirPath); // Define o usuário Everyone (Todos) SecurityIdentifier sid = new SecurityIdentifier(WellKnownSidType.WorldSid, null); //SecurityIdentifier sid = new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null); NTAccount oAccount = sid.Translate(typeof(NTAccount)) as NTAccount; oDirSec.PurgeAccessRules(oAccount); FileSystemAccessRule fsAR = new FileSystemAccessRule(oAccount, FileSystemRights.Modify, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow); // Atribui a regra de acesso alterada oDirSec.SetAccessRule(fsAR); Directory.SetAccessControl(dirPath, oDirSec); }
/// <summary> /// Reverts changes made by <see cref="AddNetworkPermissions"/>. /// </summary> protected void RemoveNetworkPermissions() { DirectoryInfo dirInfo = new DirectoryInfo(ServiceHelper.ServiceDir); DirectorySecurity dirSecurity = dirInfo.GetAccessControl(); dirSecurity.PurgeAccessRules(_networkServiceId); dirInfo.SetAccessControl(dirSecurity); }
public void SetAclDirectory(string path, FileSystemRights rights) { if (path is null) { throw new ArgumentNullException(nameof(path)); } try { Console.WriteLine((InstallMode == InstallMode.Install ? "# set acl on directory: " : "# remove acl on directory: ") + path); if (InstallMode == InstallMode.Install) { CreatePath(path); DirectorySecurity acl = Directory.GetAccessControl(path); acl.SetAccessRule(new FileSystemAccessRule(AccountIdentity, rights, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow)); Directory.SetAccessControl(path, acl); } else { if (Directory.Exists(path)) { DirectorySecurity acl = Directory.GetAccessControl(path); acl.PurgeAccessRules(AccountIdentity); Directory.SetAccessControl(path, acl); } } } catch (Exception err) { if (err is DirectoryNotFoundException) { err = new DirectoryNotFoundException("Directory not found."); } err = new InstallerException((InstallMode == InstallMode.Install ? "SetAclDirectory('" + path + "') failed." : "RemoveAclDirectory('" + path + "') failed."), err); if (InstallMode == InstallMode.Install) { throw err; } else { DisplayError(err); } } }
private static Task CreateKeyDirectoryAsync(DirectoryInfo keyDir) { return(Task.Factory.StartNew(() => { var identity = new NTAccount(Environment.UserDomainName, Environment.UserName); var security = new DirectorySecurity(); security.PurgeAccessRules(identity); security.AddAccessRule(new FileSystemAccessRule(identity, FileSystemRights.Read, AccessControlType.Allow)); security.AddAccessRule(new FileSystemAccessRule(identity, FileSystemRights.Write, AccessControlType.Allow)); security.AddAccessRule(new FileSystemAccessRule(identity, FileSystemRights.Modify, AccessControlType.Allow)); keyDir.Create(security); })); }
/// <summary> /// /// </summary> /// <param name="Path">Directory path</param> /// <param name="Name">Directory Name</param> /// <param name="Username">Username</param> /// <return>True or False</return> public static void RemovePermissions(String Path, String Name, String Username) { String strDirectory = BuildDirectory(Path, Name); DirectoryInfo dirinfo = new DirectoryInfo(strDirectory); DirectorySecurity dsec = dirinfo.GetAccessControl(AccessControlSections.All); AuthorizationRuleCollection rules = dsec.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)); foreach (AccessRule rule in rules) { if (rule.IdentityReference.Value == Username) { bool value; dsec.PurgeAccessRules(rule.IdentityReference); dsec.ModifyAccessRule(AccessControlModification.RemoveAll, rule, out value); dirinfo.SetAccessControl(dsec); } } }
/// <summary> /// 为文件夹移除某个用户的权限 /// </summary> /// <param name="dirName"></param> /// <param name="username"></param> static void removePermissions(string dirName, string username) { string user = System.Environment.UserDomainName + "\\" + username; DirectoryInfo dirinfo = new DirectoryInfo(dirName); DirectorySecurity dsec = dirinfo.GetAccessControl(AccessControlSections.All); AuthorizationRuleCollection rules = dsec.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)); foreach (AccessRule rule in rules) { if (rule.IdentityReference.Value == user) { bool value; dsec.PurgeAccessRules(rule.IdentityReference); dsec.ModifyAccessRule(AccessControlModification.RemoveAll, rule, out value); } } }
/// <summary> /// コピー元でアクセス権の継承が切られている場合、コピー先で継承によって追加されいるアクセス権を削除する /// </summary> /// <param name="src_dir">移管元ディレクトリ</param> /// <param name="dst_dir">移管先ディレクトリ</param> /// <returns></returns> private static DirectorySecurity authority_triming(DirectoryInfo src_dir, DirectoryInfo dst_dir) { try { DirectorySecurity src_dir_security = src_dir.GetAccessControl(); // 移管元のアクセス権取得 DirectorySecurity dst_dir_security = dst_dir.GetAccessControl(); // 移管先のアクセス権取得 Func <string, string> get_account_name = (string identity_reference) => { int cat_pint = identity_reference.LastIndexOf('\\') + 1; return(identity_reference.Substring(cat_pint)); }; dst_dir_security.SetAccessRuleProtection(src_dir_security.AreAccessRulesProtected, src_dir_security.AreAccessRulesCanonical); // ディレクトリのアクセス権の継承に関しての設定 dst_dir.SetAccessControl(dst_dir_security); // 継承権の設定 dst_dir_security = dst_dir.GetAccessControl(); // 継承権の再設定を行なったので、オブジェクトを再取得 foreach (FileSystemAccessRule dst_rules in dst_dir_security.GetAccessRules(true, true, typeof(NTAccount))) { string dst_account_name = get_account_name(dst_rules.IdentityReference.ToString()); bool chek_flg = true; foreach (FileSystemAccessRule src_rules in src_dir_security.GetAccessRules(true, true, typeof(NTAccount))) { string src_account_name = get_account_name(src_rules.IdentityReference.ToString()); if (dst_account_name.Equals(src_account_name)) { chek_flg = false; break; } } if (chek_flg) { dst_dir_security.PurgeAccessRules(dst_rules.IdentityReference); } } dst_dir.SetAccessControl(dst_dir_security); // アクセス権の設定 return(dst_dir_security); } catch (Exception e) { loger_manager.write_log($"適応先:\t{dst_dir.FullName}\t{e.Message}", "error"); return(null); } }
/// <summary> /// 项目中用,文件夹只保留everyone权限,其中允许用户读,但不允许写 /// by the way,代码结果是给文件夹一个特殊权限,点进去高级看,会发现这个特殊权限的子项和写入权限的子项是一样的 /// </summary> /// <param name="dirName"></param> public static void OnlyKeepEveryonePermissionsWithWriteNotAllowed(string dirName) { DirectoryInfo dirinfo = new DirectoryInfo(dirName); DirectorySecurity objSecObj = dirinfo.GetAccessControl(); AuthorizationRuleCollection acl = objSecObj.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)); objSecObj.SetAccessRuleProtection(true, false); //to remove inherited permissions foreach (FileSystemAccessRule ace in acl) //to remove any other permission { objSecObj.PurgeAccessRules(ace.IdentityReference); //same as use objSecObj.RemoveAccessRuleSpecific(ace); } InheritanceFlags inherits = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit; FileSystemAccessRule everyoneFileSystemAccessRule = new FileSystemAccessRule("Everyone", FileSystemRights.ReadAndExecute | FileSystemRights.ListDirectory | FileSystemRights.Read, inherits, PropagationFlags.None, AccessControlType.Allow); FileSystemAccessRule everyoneFileSystemAccessRule2 = new FileSystemAccessRule("Everyone", FileSystemRights.Write, AccessControlType.Deny); bool isModified = false; objSecObj.ModifyAccessRule(AccessControlModification.Add, everyoneFileSystemAccessRule2, out isModified); objSecObj.ModifyAccessRule(AccessControlModification.Add, everyoneFileSystemAccessRule, out isModified); dirinfo.SetAccessControl(objSecObj); }
public static void LockFolder(string folderPath) { if (!Directory.Exists(folderPath)) { return; } DirectoryInfo di = new DirectoryInfo(folderPath); di.Attributes = FileAttributes.Directory | FileAttributes.Hidden; DirectorySecurity ds = Directory.GetAccessControl(folderPath); ds.SetAccessRuleProtection(isProtected: true, preserveInheritance: false); FileSystemAccessRule fsa = new FileSystemAccessRule("IIS_IUSRS", FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow); ds.AddAccessRule(fsa); var lsAccess = ds.GetAccessRules(true, true, typeof(NTAccount)); foreach (FileSystemAccessRule fsar in lsAccess) { string userName = fsar.IdentityReference.Value; if (!userName.Contains("IIS_IUSRS")) { ds.PurgeAccessRules(fsar.IdentityReference); } //ds.RemoveAccessRule(fsar); } //FileSystemAccessRule fsa2 = new FileSystemAccessRule("Everyone", FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow); //ds.RemoveAccessRule(fsa2); Directory.SetAccessControl(folderPath, ds); }
public void OnTimer(object sender, System.Timers.ElapsedEventArgs args) { // TODO: Insert monitoring activities here. eventLog1.WriteEntry("Monitoring the System", EventLogEntryType.Information, eventId++); string caminho = @"D:\inetpub\"; foreach (string pastaCliente in Directory.GetDirectories(caminho)) { foreach (string pastasInterna in Directory.GetDirectories(pastaCliente)) { if (pastasInterna.Remove(0, pastaCliente.Length).ToLower() == @"\imagens") { // Dar permissão a pasta // Create a new DirectoryInfo object. DirectoryInfo dInfo = new DirectoryInfo(pastasInterna); DirectorySecurity oDirSec = Directory.GetAccessControl(pastasInterna); // Define o usuário Everyone (Todos) SecurityIdentifier sid = new SecurityIdentifier(WellKnownSidType.WorldSid, null); //SecurityIdentifier sid = new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null); NTAccount oAccount = sid.Translate(typeof(NTAccount)) as NTAccount; oDirSec.PurgeAccessRules(oAccount); FileSystemAccessRule fsAR = new FileSystemAccessRule("IIS_IUSRS", FileSystemRights.Modify, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow); // Atribui a regra de acesso alterada oDirSec.SetAccessRule(fsAR); Directory.SetAccessControl(pastasInterna, oDirSec); // USUARIO IUSR fsAR = new FileSystemAccessRule("IUSR", FileSystemRights.Modify, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow); // Atribui a regra de acesso alterada oDirSec.SetAccessRule(fsAR); Directory.SetAccessControl(pastasInterna, oDirSec); eventLog1.WriteEntry(oDirSec.ToString(), EventLogEntryType.Information); /* * // Get a DirectorySecurity object that represents the * // current security settings. * DirectorySecurity dSecurity = dInfo.GetAccessControl(); * * // Add the FileSystemAccessRule to the security settings. * dSecurity.AddAccessRule(new FileSystemAccessRule(@"WIN10-EWERTON\Usuários", * FileSystemRights.FullControl, * AccessControlType.Allow)); * */ eventLog1.WriteEntry(pastasInterna.ToString() + " adicionado direito", EventLogEntryType.Information); } else { eventLog1.WriteEntry(pastasInterna.Remove(0, pastaCliente.Length).ToLower() + " Não é pasta imagem", EventLogEntryType.Information); } } } }