public override void InitializeEnlistmentACLs(string enlistmentPath)
{
// The following permissions are typically present on deskop and missing on Server
//
// ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\Authenticated Users
// [OBJECT_INHERIT_ACE]
// [CONTAINER_INHERIT_ACE]
// [INHERIT_ONLY_ACE]
// DELETE
// GENERIC_EXECUTE
// GENERIC_WRITE
// GENERIC_READ
DirectorySecurity rootSecurity = DirectoryEx.GetAccessControl(enlistmentPath);
AccessRule authenticatedUsersAccessRule = rootSecurity.AccessRuleFactory(
new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null),
unchecked ((int)(NativeMethods.FileAccess.DELETE | NativeMethods.FileAccess.GENERIC_EXECUTE | NativeMethods.FileAccess.GENERIC_WRITE | NativeMethods.FileAccess.GENERIC_READ)),
true,
InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
PropagationFlags.None,
AccessControlType.Allow);
// The return type of the AccessRuleFactory method is the base class, AccessRule, but the return value can be cast safely to the derived class.
// https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemsecurity.accessrulefactory(v=vs.110).aspx
rootSecurity.AddAccessRule((FileSystemAccessRule)authenticatedUsersAccessRule);
DirectoryEx.SetAccessControl(enlistmentPath, rootSecurity);
}
public bool TryCreateOrUpdateDirectoryToAdminModifyPermissions(ITracer tracer, string directoryPath, out string error)
{
try
{
DirectorySecurity directorySecurity;
if (Directory.Exists(directoryPath))
{
directorySecurity = DirectoryEx.GetAccessControl(directoryPath);
}
else
{
directorySecurity = new DirectorySecurity();
}
// Protect the access rules from inheritance and remove any inherited rules
directorySecurity.SetAccessRuleProtection(isProtected: true, preserveInheritance: false);
// Remove any existing ACLs and add new ACLs for users and admins
RemoveAllFileSystemAccessRulesFromDirectorySecurity(directorySecurity);
AddUsersAccessRulesToDirectorySecurity(directorySecurity, grantUsersModifyPermissions: false);
AddAdminAccessRulesToDirectorySecurity(directorySecurity);
DirectoryEx.CreateDirectory(directoryPath, directorySecurity);
// Ensure the ACLs are set correctly if the directory already existed
DirectoryEx.SetAccessControl(directoryPath, directorySecurity);
}
catch (Exception e) when(e is IOException || e is SystemException)
{
EventMetadata metadata = new EventMetadata();
metadata.Add("Exception", e.ToString());
tracer.RelatedError(metadata, $"{nameof(this.TryCreateOrUpdateDirectoryToAdminModifyPermissions)}: Exception while creating/configuring directory");
error = e.Message;
return(false);
}
error = null;
return(true);
}
