/// <summary> /// InternalUpdateSystemFilesACLs method implementation /// </summary> internal static void InternalUpdateSystemFilesACLs(string fullpath, bool fulltosystemonly = false) { if (!Loaded) { Initialize(); } FileSecurity fSecurity = File.GetAccessControl(fullpath, AccessControlSections.Access); fSecurity.SetAccessRuleProtection(true, false); SecurityIdentifier localsys = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null); fSecurity.PurgeAccessRules(localsys); fSecurity.AddAccessRule(new FileSystemAccessRule(localsys, FileSystemRights.FullControl, AccessControlType.Allow)); SecurityIdentifier localacc = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null); fSecurity.PurgeAccessRules(localacc); if (!fulltosystemonly) { fSecurity.AddAccessRule(new FileSystemAccessRule(localacc, FileSystemRights.FullControl, AccessControlType.Allow)); } else { fSecurity.AddAccessRule(new FileSystemAccessRule(localacc, FileSystemRights.Read, AccessControlType.Allow)); } if (!string.IsNullOrEmpty(ADFSAccountSID)) { SecurityIdentifier adfsacc = new SecurityIdentifier(ADFSAccountSID); fSecurity.PurgeAccessRules(adfsacc); fSecurity.AddAccessRule(new FileSystemAccessRule(adfsacc, FileSystemRights.Read, AccessControlType.Allow)); } if (!string.IsNullOrEmpty(ADFSServiceSID)) { SecurityIdentifier adfsserv = new SecurityIdentifier(ADFSServiceSID); fSecurity.PurgeAccessRules(adfsserv); fSecurity.AddAccessRule(new FileSystemAccessRule(adfsserv, FileSystemRights.Read, AccessControlType.Allow)); } if (!string.IsNullOrEmpty(ADFSAdminGroupSID)) { SecurityIdentifier adfsgroup = new SecurityIdentifier(ADFSAdminGroupSID); fSecurity.PurgeAccessRules(adfsgroup); fSecurity.AddAccessRule(new FileSystemAccessRule(adfsgroup, FileSystemRights.Read, AccessControlType.Allow)); } File.SetAccessControl(fullpath, fSecurity); }
public void CanDeleteFileWithDenyACL() { string file = GetFullPath("File with space"); string directory = Path.GetDirectoryName(file); File.WriteAllText(file, string.Empty); try { FileInfo fi = new FileInfo(file); FileSecurity accessControl = fi.GetAccessControl(AccessControlSections.All); accessControl.PurgeAccessRules(WindowsIdentity.GetCurrent().User); accessControl.AddAccessRule(new FileSystemAccessRule(WindowsIdentity.GetCurrent().User, FileSystemRights.FullControl, AccessControlType.Deny)); fi.SetAccessControl(accessControl); DirectoryInfo di = new DirectoryInfo(directory); DirectorySecurity ds = di.GetAccessControl(AccessControlSections.All); ds.PurgeAccessRules(WindowsIdentity.GetCurrent().User); ds.AddAccessRule(new FileSystemAccessRule(WindowsIdentity.GetCurrent().User, FileSystemRights.CreateFiles, AccessControlType.Deny)); di.SetAccessControl(ds); XAssert.IsTrue(File.Exists(file)); FileUtilities.DeleteFile(file); XAssert.IsFalse(File.Exists(file)); } finally { DirectoryInfo di = new DirectoryInfo(directory); DirectorySecurity ds = di.GetAccessControl(AccessControlSections.All); ds.PurgeAccessRules(WindowsIdentity.GetCurrent().User); ds.AddAccessRule(new FileSystemAccessRule(WindowsIdentity.GetCurrent().User, FileSystemRights.FullControl, AccessControlType.Allow)); di.SetAccessControl(ds); di.Delete(true); } }
static void ReplacePermissions(string filepath, WellKnownSidType sidType, FileSystemRights allow) { FileSecurity sec = File.GetAccessControl(filepath); SecurityIdentifier sid = new SecurityIdentifier(sidType, null); sec.PurgeAccessRules(sid); //remove existing sec.AddAccessRule(new FileSystemAccessRule(sid, allow, AccessControlType.Allow)); File.SetAccessControl(filepath, sec); }
public void SetAclFile(string path, FileSystemRights rights) { if (path is null) { throw new ArgumentNullException(nameof(path)); } try { Console.WriteLine((InstallMode == InstallMode.Install ? "# set acl on file: " : "# remove acl on file: ") + path); if (InstallMode == InstallMode.Install || File.Exists(path)) { FileSecurity acl = File.GetAccessControl(path); if (InstallMode == InstallMode.Install) { acl.SetAccessRule(new FileSystemAccessRule(AccountIdentity, rights, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow)); } else { acl.PurgeAccessRules(AccountIdentity); } File.SetAccessControl(path, acl); } } catch (Exception err) { if (err is FileNotFoundException) { err = new FileNotFoundException("File not found."); } err = new InstallerException((InstallMode == InstallMode.Install ? "SetAclFile('" + path + "') failed." : "RemoveAclFile('" + path + "') failed."), err); if (InstallMode == InstallMode.Install) { throw err; } else { DisplayError(err); } } }
public static void WriteWindows(string file, SecureWriteCallback callback) { using (FileStream stream = File.Open(file, FileMode.Create, FileAccess.Write, FileShare.None)) { FileSecurity acl = File.GetAccessControl(file); acl.SetAccessRuleProtection(true, false); foreach (FileSystemAccessRule entry in acl.GetAccessRules(true, true, typeof(NTAccount))) { acl.PurgeAccessRules(entry.IdentityReference); } acl.AddAccessRule(new FileSystemAccessRule(stream.GetAccessControl().GetOwner(typeof(NTAccount)), FileSystemRights.FullControl, AccessControlType.Allow)); File.SetAccessControl(file, acl); callback.Invoke(stream); } }
private static void SetFileAccessRule(string username, string uniqueKeyContainerName) { var filePath = Path.Combine(WellKnownPaths.RSA_MACHINEKEYS, uniqueKeyContainerName); var fs = new FileSecurity(filePath, AccessControlSections.All); AuthorizationRuleCollection accessRules = fs.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)); fs.SetAccessRuleProtection(true, false); foreach (FileSystemAccessRule accessRule in accessRules) { fs.PurgeAccessRules(accessRule.IdentityReference); } fs.AddAccessRule(new FileSystemAccessRule(username, FileSystemRights.FullControl, AccessControlType.Allow)); File.SetAccessControl(filePath, fs); }
/// <summary> /// Sets the permissions for the log file. /// Gives Full Control to NT AUTHORITY\SYSTEM and Modify to BUILTIN\Administrators. /// Removes all inherited rules and any other permissions. /// </summary> private static void SetLogFilePermissions() { try { // Get a FileSecurity object that represents the current security settings for the file. FileInfo FileInfo = new FileInfo(logFile); FileSecurity fSecurity = FileInfo.GetAccessControl(); // Set NT AUTHORITY\SYSTEM with Full Control fSecurity.SetAccessRule(new FileSystemAccessRule(SystemAccount, FileSystemRights.FullControl, AccessControlType.Allow)); FileInfo.SetAccessControl(fSecurity); // Set BUILTIN\Administrators with Modify (everything except change permissions) fSecurity.SetAccessRule(new FileSystemAccessRule(BuiltinAdministrators, FileSystemRights.Modify, AccessControlType.Allow)); FileInfo.SetAccessControl(fSecurity); // Wipe inherited rules - must add the new rules first to ensure that there is are some access rules. fSecurity.SetAccessRuleProtection(true, false); FileInfo.SetAccessControl(fSecurity); // Remove all other permissions foreach (FileSystemAccessRule ar in fSecurity.GetAccessRules(true, true, typeof(NTAccount))) { if (ar.IdentityReference.Value != SystemAccount && ar.IdentityReference.Value != BuiltinAdministrators) { // Purge AccessRules for the identity from the security settings. fSecurity.PurgeAccessRules(ar.IdentityReference); FileInfo.SetAccessControl(fSecurity); } } } catch (Exception ex) { LogError("Error setting log file permissions: " + ex.Message); } }