/// <summary>
/// InternalUpdateSystemFilesACLs method implementation
/// </summary>
internal static void InternalUpdateSystemFilesACLs(string fullpath, bool fulltosystemonly = false)
{
if (!Loaded)
{
Initialize();
}
FileSecurity fSecurity = File.GetAccessControl(fullpath, AccessControlSections.Access);
fSecurity.SetAccessRuleProtection(true, false);
SecurityIdentifier localsys = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
fSecurity.PurgeAccessRules(localsys);
fSecurity.AddAccessRule(new FileSystemAccessRule(localsys, FileSystemRights.FullControl, AccessControlType.Allow));
SecurityIdentifier localacc = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
fSecurity.PurgeAccessRules(localacc);
if (!fulltosystemonly)
{
fSecurity.AddAccessRule(new FileSystemAccessRule(localacc, FileSystemRights.FullControl, AccessControlType.Allow));
}
else
{
fSecurity.AddAccessRule(new FileSystemAccessRule(localacc, FileSystemRights.Read, AccessControlType.Allow));
}
if (!string.IsNullOrEmpty(ADFSAccountSID))
{
SecurityIdentifier adfsacc = new SecurityIdentifier(ADFSAccountSID);
fSecurity.PurgeAccessRules(adfsacc);
fSecurity.AddAccessRule(new FileSystemAccessRule(adfsacc, FileSystemRights.Read, AccessControlType.Allow));
}
if (!string.IsNullOrEmpty(ADFSServiceSID))
{
SecurityIdentifier adfsserv = new SecurityIdentifier(ADFSServiceSID);
fSecurity.PurgeAccessRules(adfsserv);
fSecurity.AddAccessRule(new FileSystemAccessRule(adfsserv, FileSystemRights.Read, AccessControlType.Allow));
}
if (!string.IsNullOrEmpty(ADFSAdminGroupSID))
{
SecurityIdentifier adfsgroup = new SecurityIdentifier(ADFSAdminGroupSID);
fSecurity.PurgeAccessRules(adfsgroup);
fSecurity.AddAccessRule(new FileSystemAccessRule(adfsgroup, FileSystemRights.Read, AccessControlType.Allow));
}
File.SetAccessControl(fullpath, fSecurity);
}
public void CanDeleteFileWithDenyACL()
{
string file = GetFullPath("File with space");
string directory = Path.GetDirectoryName(file);
File.WriteAllText(file, string.Empty);
try
{
FileInfo fi = new FileInfo(file);
FileSecurity accessControl = fi.GetAccessControl(AccessControlSections.All);
accessControl.PurgeAccessRules(WindowsIdentity.GetCurrent().User);
accessControl.AddAccessRule(new FileSystemAccessRule(WindowsIdentity.GetCurrent().User, FileSystemRights.FullControl, AccessControlType.Deny));
fi.SetAccessControl(accessControl);
DirectoryInfo di = new DirectoryInfo(directory);
DirectorySecurity ds = di.GetAccessControl(AccessControlSections.All);
ds.PurgeAccessRules(WindowsIdentity.GetCurrent().User);
ds.AddAccessRule(new FileSystemAccessRule(WindowsIdentity.GetCurrent().User, FileSystemRights.CreateFiles, AccessControlType.Deny));
di.SetAccessControl(ds);
XAssert.IsTrue(File.Exists(file));
FileUtilities.DeleteFile(file);
XAssert.IsFalse(File.Exists(file));
}
finally
{
DirectoryInfo di = new DirectoryInfo(directory);
DirectorySecurity ds = di.GetAccessControl(AccessControlSections.All);
ds.PurgeAccessRules(WindowsIdentity.GetCurrent().User);
ds.AddAccessRule(new FileSystemAccessRule(WindowsIdentity.GetCurrent().User, FileSystemRights.FullControl, AccessControlType.Allow));
di.SetAccessControl(ds);
di.Delete(true);
}
}
static void ReplacePermissions(string filepath, WellKnownSidType sidType, FileSystemRights allow)
{
FileSecurity sec = File.GetAccessControl(filepath);
SecurityIdentifier sid = new SecurityIdentifier(sidType, null);
sec.PurgeAccessRules(sid); //remove existing
sec.AddAccessRule(new FileSystemAccessRule(sid, allow, AccessControlType.Allow));
File.SetAccessControl(filepath, sec);
}
public void SetAclFile(string path, FileSystemRights rights)
{
if (path is null)
{
throw new ArgumentNullException(nameof(path));
}
try {
Console.WriteLine((InstallMode == InstallMode.Install ? "# set acl on file: " : "# remove acl on file: ") + path);
if (InstallMode == InstallMode.Install || File.Exists(path))
{
FileSecurity acl = File.GetAccessControl(path);
if (InstallMode == InstallMode.Install)
{
acl.SetAccessRule(new FileSystemAccessRule(AccountIdentity,
rights,
InheritanceFlags.None,
PropagationFlags.None,
AccessControlType.Allow));
}
else
{
acl.PurgeAccessRules(AccountIdentity);
}
File.SetAccessControl(path, acl);
}
}
catch (Exception err) {
if (err is FileNotFoundException)
{
err = new FileNotFoundException("File not found.");
}
err = new InstallerException((InstallMode == InstallMode.Install ? "SetAclFile('" + path + "') failed." : "RemoveAclFile('" + path + "') failed."), err);
if (InstallMode == InstallMode.Install)
{
throw err;
}
else
{
DisplayError(err);
}
}
}
public static void WriteWindows(string file, SecureWriteCallback callback)
{
using (FileStream stream = File.Open(file, FileMode.Create, FileAccess.Write, FileShare.None))
{
FileSecurity acl = File.GetAccessControl(file);
acl.SetAccessRuleProtection(true, false);
foreach (FileSystemAccessRule entry in acl.GetAccessRules(true, true, typeof(NTAccount)))
{
acl.PurgeAccessRules(entry.IdentityReference);
}
acl.AddAccessRule(new FileSystemAccessRule(stream.GetAccessControl().GetOwner(typeof(NTAccount)), FileSystemRights.FullControl, AccessControlType.Allow));
File.SetAccessControl(file, acl);
callback.Invoke(stream);
}
}
private static void SetFileAccessRule(string username, string uniqueKeyContainerName)
{
var filePath = Path.Combine(WellKnownPaths.RSA_MACHINEKEYS, uniqueKeyContainerName);
var fs = new FileSecurity(filePath, AccessControlSections.All);
AuthorizationRuleCollection accessRules = fs.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount));
fs.SetAccessRuleProtection(true, false);
foreach (FileSystemAccessRule accessRule in accessRules)
{
fs.PurgeAccessRules(accessRule.IdentityReference);
}
fs.AddAccessRule(new FileSystemAccessRule(username, FileSystemRights.FullControl, AccessControlType.Allow));
File.SetAccessControl(filePath, fs);
}
/// <summary>
/// Sets the permissions for the log file.
/// Gives Full Control to NT AUTHORITY\SYSTEM and Modify to BUILTIN\Administrators.
/// Removes all inherited rules and any other permissions.
/// </summary>
private static void SetLogFilePermissions()
{
try
{
// Get a FileSecurity object that represents the current security settings for the file.
FileInfo FileInfo = new FileInfo(logFile);
FileSecurity fSecurity = FileInfo.GetAccessControl();
// Set NT AUTHORITY\SYSTEM with Full Control
fSecurity.SetAccessRule(new FileSystemAccessRule(SystemAccount, FileSystemRights.FullControl, AccessControlType.Allow));
FileInfo.SetAccessControl(fSecurity);
// Set BUILTIN\Administrators with Modify (everything except change permissions)
fSecurity.SetAccessRule(new FileSystemAccessRule(BuiltinAdministrators, FileSystemRights.Modify, AccessControlType.Allow));
FileInfo.SetAccessControl(fSecurity);
// Wipe inherited rules - must add the new rules first to ensure that there is are some access rules.
fSecurity.SetAccessRuleProtection(true, false);
FileInfo.SetAccessControl(fSecurity);
// Remove all other permissions
foreach (FileSystemAccessRule ar in fSecurity.GetAccessRules(true, true, typeof(NTAccount)))
{
if (ar.IdentityReference.Value != SystemAccount && ar.IdentityReference.Value != BuiltinAdministrators)
{
// Purge AccessRules for the identity from the security settings.
fSecurity.PurgeAccessRules(ar.IdentityReference);
FileInfo.SetAccessControl(fSecurity);
}
}
}
catch (Exception ex)
{
LogError("Error setting log file permissions: " + ex.Message);
}
}
