예제 #1
        /// <summary>
        /// Makes the current Windows user the owner of <paramref name="filepath"/> and then
        /// rewrites the file's ACL so that the current user and Everyone both hold an
        /// explicit FullControl Allow rule.
        /// </summary>
        /// <remarks>
        /// Security note: after this call the Everyone (World) SID has FullControl on the
        /// file, so any principal that can reach it may read, modify, delete or re-permission
        /// it. Use only on files where that exposure is acceptable.
        /// </remarks>
        /// <param name="filepath">Path of the file whose owner, ACL and attributes are rewritten.</param>
        public void TakeOwn(string filepath)
        {
            FileSecurity acl = File.GetAccessControl(filepath);

            SecurityIdentifier currentUser = WindowsIdentity.GetCurrent().User;
            SecurityIdentifier world = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
            SecurityIdentifier[] grantees = { world, currentUser };

            // Best effort: a failure to enable the privilege is only reported to the
            // console control; the owner change below is still attempted.
            try
            {
                Privileges.EnablePrivilege(SecurityEntity.SE_TAKE_OWNERSHIP_NAME);
            }
            catch (Exception)
            {
                console.AppendText("Failed to get SeTakeOwnershipPrivledge\r\n");
            }

            // The owner change is persisted on its own before the access rules are touched.
            acl.SetOwner(currentUser);
            File.SetAccessControl(filepath, acl);

            // isProtected = false: the file keeps inheriting rules from its parent.
            acl.SetAccessRuleProtection(false, false);

            // Drop explicit Deny rules first so they cannot override the Allow rules added next.
            foreach (SecurityIdentifier sid in grantees)
            {
                acl.RemoveAccessRuleAll(new FileSystemAccessRule(sid, FileSystemRights.FullControl, AccessControlType.Deny));
            }

            foreach (SecurityIdentifier sid in grantees)
            {
                acl.SetAccessRule(new FileSystemAccessRule(sid, FileSystemRights.FullControl, AccessControlType.Allow));
            }

            File.SetAccessControl(filepath, acl);

            // Resets the file attributes to Normal, which clears flags such as read-only.
            File.SetAttributes(filepath, FileAttributes.Normal);
        }
예제 #2
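        /// <summary>
        /// Tightens the ACL on the configuration executable (<c>PGINA_CONFIG_EXE</c>):
        /// inheritance is switched off, the explicit Allow rules of the authenticated-users
        /// and users principals are removed, and read/execute for users plus full control
        /// for administrators and SYSTEM are added.
        /// </summary>
        /// <remarks>
        /// NOTE(review): explicit rules that belong to any other principal are not touched
        /// here, so a pre-existing write grant to some other account would survive. Confirm
        /// the installer never creates one, or rebuild the ACL from an empty FileSecurity.
        /// </remarks>
        /// <exception cref="FileNotFoundException">The configuration executable does not exist.</exception>
        private static void SetFileSystemAcls()
        {
            if (!File.Exists(PGINA_CONFIG_EXE))
            {
                // A specific exception type (still an Exception for existing catch blocks)
                // that also carries the missing path.
                throw new FileNotFoundException(
                    string.Format("Unable to find configuration executable: {0}", PGINA_CONFIG_EXE),
                    PGINA_CONFIG_EXE);
            }

            m_logger.InfoFormat("Setting ACLs on {0}", PGINA_CONFIG_EXE);

            // Rules to grant.
            FileSystemAccessRule userReadAndExecute = new FileSystemAccessRule(USERS_GROUP, FileSystemRights.ReadAndExecute, AccessControlType.Allow);
            FileSystemAccessRule adminFull          = new FileSystemAccessRule(ADMIN_GROUP, FileSystemRights.FullControl, AccessControlType.Allow);
            FileSystemAccessRule systemFull         = new FileSystemAccessRule(SYSTEM_ACCT, FileSystemRights.FullControl, AccessControlType.Allow);

            // Templates for removal. RemoveAccessRuleAll matches on identity and access
            // control type, so every explicit Allow rule of these principals is dropped.
            FileSystemAccessRule authedUsersMod     = new FileSystemAccessRule(AUTHED_USERS, FileSystemRights.Modify, AccessControlType.Allow);
            FileSystemAccessRule usersMod           = new FileSystemAccessRule(USERS_GROUP, FileSystemRights.Modify, AccessControlType.Allow);

            FileSecurity fs = File.GetAccessControl(PGINA_CONFIG_EXE);

            // isProtected = true, preserveInheritance = false: stop inheriting from the
            // parent directory and discard the rules that were inherited so far.
            fs.SetAccessRuleProtection(true, false);

            fs.RemoveAccessRuleAll(authedUsersMod);
            fs.RemoveAccessRuleAll(usersMod);
            fs.AddAccessRule(userReadAndExecute);
            fs.AddAccessRule(adminFull);
            fs.AddAccessRule(systemFull);

            File.SetAccessControl(PGINA_CONFIG_EXE, fs);
        }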
예제 #3
        /// <summary>
        /// Removes the explicit Allow and Deny access rules that the given account holds
        /// on the given file. Does nothing when the file does not exist.
        /// </summary>
        /// <remarks>
        /// RemoveAccessRuleAll matches on identity and access control type, so the
        /// FullControl value in the templates does not limit which rules are removed.
        /// Rules inherited from the parent directory are not removed by this call, so the
        /// account may still have effective access afterwards.
        /// </remarks>
        /// <param name="fileName">Path of the file to modify.</param>
        /// <param name="Account">Name of the account whose rules are removed.</param>
        public static void RemoveFileAccountSecurity(string fileName, string Account)
        {
            FileInfo target = new FileInfo(fileName);

            if (!target.Exists)
            {
                return;
            }

            FileSecurity acl = target.GetAccessControl();

            FileSystemAccessRule allowTemplate = new FileSystemAccessRule(Account, FileSystemRights.FullControl, AccessControlType.Allow);
            FileSystemAccessRule denyTemplate  = new FileSystemAccessRule(Account, FileSystemRights.FullControl, AccessControlType.Deny);

            acl.RemoveAccessRuleAll(allowTemplate);
            acl.RemoveAccessRuleAll(denyTemplate);

            // Write the modified ACL back to the file.
            target.SetAccessControl(acl);
        }
예제 #4
        // Checks that RemoveAccessRuleAll removes every rule sharing the template's
        // identity and access control type, whatever rights the template names, and
        // leaves Deny rules and other identities' rules in place.
        public void RemoveAccessRuleAll_Succeeds()
        {
            var localSystem = Helpers.s_LocalSystemNTAccount;
            var networkService = Helpers.s_NetworkServiceNTAccount;

            var systemAppendAllow = new FileSystemAccessRule(
                localSystem, FileSystemRights.AppendData, AccessControlType.Allow);
            var systemReadAllow = new FileSystemAccessRule(
                localSystem, FileSystemRights.Read, AccessControlType.Allow);
            // Never added to the ACL: used only as the removal template.
            var systemWriteAllow = new FileSystemAccessRule(
                localSystem, FileSystemRights.Write, AccessControlType.Allow);
            var systemReadPermissionsDeny = new FileSystemAccessRule(
                localSystem, FileSystemRights.ReadPermissions, AccessControlType.Deny);
            var networkServiceReadAllow = new FileSystemAccessRule(
                networkService, FileSystemRights.Read, AccessControlType.Allow);

            var acl = new FileSecurity();
            var seededRules = new[]
            {
                systemAppendAllow,
                systemReadAllow,
                systemReadPermissionsDeny,
                networkServiceReadAllow
            };
            foreach (var seeded in seededRules)
            {
                acl.AddAccessRule(seeded);
            }

            // The Write template removes all Allow rules of the "System" account.
            acl.RemoveAccessRuleAll(systemWriteAllow);

            AuthorizationRuleCollection remaining = acl.GetAccessRules(true, true, typeof(NTAccount));
            Assert.Equal(2, remaining.Count);

            // First survivor: the Deny rule of the local system account.
            var survivor = (FileSystemAccessRule)remaining[0];
            Assert.Equal(new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null).Translate(typeof(NTAccount)), survivor.IdentityReference);
            Assert.Equal(AccessControlType.Deny, survivor.AccessControlType);
            Assert.Equal(FileSystemRights.ReadPermissions, survivor.FileSystemRights);

            // Second survivor: the Allow rule of the network service account.
            survivor = (FileSystemAccessRule)remaining[1];
            Assert.Equal(networkService, survivor.IdentityReference);
            Assert.Equal(AccessControlType.Allow, survivor.AccessControlType);
        }
예제 #5
        // Checks that RemoveAccessRuleAll removes every rule sharing the template's
        // identity and access control type, whatever rights the template names, and
        // leaves Deny rules and other identities' rules in place.
        public void RemoveAccessRuleAll_Succeeds()
        {
            const string LocalSystem = @"NT AUTHORITY\SYSTEM";
            const string NetworkService = @"NT AUTHORITY\Network Service";

            var systemAppendAllow = new FileSystemAccessRule(
                LocalSystem, FileSystemRights.AppendData, AccessControlType.Allow);
            var systemReadAllow = new FileSystemAccessRule(
                LocalSystem, FileSystemRights.Read, AccessControlType.Allow);
            // Never added to the ACL: used only as the removal template.
            var systemWriteAllow = new FileSystemAccessRule(
                LocalSystem, FileSystemRights.Write, AccessControlType.Allow);
            var systemReadPermissionsDeny = new FileSystemAccessRule(
                LocalSystem, FileSystemRights.ReadPermissions, AccessControlType.Deny);
            var networkServiceReadAllow = new FileSystemAccessRule(
                NetworkService, FileSystemRights.Read, AccessControlType.Allow);

            var acl = new FileSecurity();
            var seededRules = new[]
            {
                systemAppendAllow,
                systemReadAllow,
                systemReadPermissionsDeny,
                networkServiceReadAllow
            };
            foreach (var seeded in seededRules)
            {
                acl.AddAccessRule(seeded);
            }

            // The Write template removes all Allow rules of the "System" account.
            acl.RemoveAccessRuleAll(systemWriteAllow);

            AuthorizationRuleCollection remaining = acl.GetAccessRules(true, true, typeof(NTAccount));
            Assert.Equal(2, remaining.Count);

            // First survivor: the Deny rule of the local system account.
            var survivor = (FileSystemAccessRule)remaining[0];
            Assert.Equal(new NTAccount(LocalSystem), survivor.IdentityReference);
            Assert.Equal(AccessControlType.Deny, survivor.AccessControlType);
            Assert.Equal(FileSystemRights.ReadPermissions, survivor.FileSystemRights);

            // Second survivor: the Allow rule of the network service account.
            survivor = (FileSystemAccessRule)remaining[1];
            Assert.Equal(new NTAccount(NetworkService), survivor.IdentityReference);
            Assert.Equal(AccessControlType.Allow, survivor.AccessControlType);
        }
예제 #6
        // Removes the explicit Allow entries that the specified account holds on the
        // specified file. Returns true when the ACL was rewritten, and false when the
        // account name is null/empty or AccessControlList.AccountExist reports that the
        // account does not exist.
        //
        // RemoveAccessRuleAll matches on identity and access control type, so all of the
        // account's explicit Allow rules are removed, not only ReadAndExecute. Deny rules
        // and rules inherited from the parent directory are left as they are.
        public static bool RemoveFileSecurity(string fileName, string accountName)
        {
            // Nothing can be removed for an account that is missing or unnamed.
            if (string.IsNullOrEmpty(accountName) ||
                !AccessControlList.AccountExist(accountName))
            {
                return false;
            }

            // NOTE(review): the resolved SID is never used below; the rule is built from
            // the account name instead. Confirm whether GetAccount is called for a side
            // effect or whether the SID was meant to be passed to the rule.
            SecurityIdentifier sid = AccessControlList.GetAccount(accountName);

            // Load the current security settings of the file.
            FileSecurity acl = File.GetAccessControl(fileName);

            FileSystemAccessRule allowTemplate =
                new FileSystemAccessRule(accountName, FileSystemRights.ReadAndExecute, AccessControlType.Allow);
            acl.RemoveAccessRuleAll(allowTemplate);

            // Persist the modified settings.
            File.SetAccessControl(fileName, acl);

            return true;
        }
예제 #7
 /// <summary>
 /// Removes the explicit Allow access rules that the given account holds on a file
 /// or directory.
 /// </summary>
 /// <remarks>
 /// RemoveAccessRuleAll matches on identity and access control type, so the
 /// FullControl value in the template does not narrow the removal. Deny rules of the
 /// account and rules inherited from a parent directory are left in place.
 /// </remarks>
 /// <param name="filePath">Path of the file or directory.</param>
 /// <param name="identity">Windows account name.</param>
 /// <exception cref="FileNotFoundException">Neither a file nor a directory exists at the path.</exception>
 public static void RemoveAccessRule(string filePath, string identity)
 {
     if (File.Exists(filePath))
     {
         FileSecurity fileAcl = File.GetAccessControl(filePath);
         FileSystemAccessRule allowTemplate =
             new FileSystemAccessRule(identity, FileSystemRights.FullControl, AccessControlType.Allow);
         fileAcl.RemoveAccessRuleAll(allowTemplate);
         File.SetAccessControl(filePath, fileAcl);
         return;
     }

     if (Directory.Exists(filePath))
     {
         DirectorySecurity directoryAcl = Directory.GetAccessControl(filePath);
         FileSystemAccessRule allowTemplate =
             new FileSystemAccessRule(identity, FileSystemRights.FullControl, AccessControlType.Allow);
         directoryAcl.RemoveAccessRuleAll(allowTemplate);
         Directory.SetAccessControl(filePath, directoryAcl);
         return;
     }

     // Neither a file nor a directory: report the missing path to the caller.
     throw new FileNotFoundException("要操作的文件没有找到", filePath);
 }
예제 #8
        // A null rule must be rejected with an ArgumentNullException that names the
        // "rule" parameter.
        public void RemoveAccessRuleAll_InvalidFileSystemAccessRule()
        {
            FileSecurity acl = new FileSecurity();
            Action removeNullRule = () => acl.RemoveAccessRuleAll(null);

            AssertExtensions.Throws<ArgumentNullException>("rule", removeNullRule);
        }
예제 #9
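 /// <summary>
 /// Removes the explicit Allow access rules of a fixed list of built-in accounts from
 /// the given <see cref="FileSecurity"/> and returns the same object.
 /// </summary>
 /// <remarks>
 /// Each account is handled on its own, so an account name that cannot be resolved on
 /// this machine no longer prevents the accounts after it from being processed. (The
 /// previous version wrapped the first eight names in one try block, so a single
 /// failure silently left the remaining accounts with their access.)
 ///
 /// The removal is best effort and reports nothing: callers that rely on it for
 /// lock-down should re-read the ACL and verify the result. Only explicit Allow rules
 /// are removed; Deny rules and inherited rules stay. The names are English display
 /// names, which may not resolve on localized Windows installations; well-known SIDs
 /// are locale-independent.
 ///
 /// The change is made in memory only; the caller has to write it back to the file.
 /// </remarks>
 /// <param name="fs">Security descriptor to modify in place.</param>
 /// <returns>The <paramref name="fs"/> instance that was passed in.</returns>
 public static FileSecurity RemoveAllSystemAccessRule(FileSecurity fs)
 {
     string[] accounts =
     {
         "SYSTEM",
         "Everyone",
         "Administrators",
         "NETWORK",
         "NETWORK SERVICE",
         "LOCAL SERVICE",
         "CREATOR OWNER",
         "Users",
         "Power Users",
         "IIS_WPG",
         "Guests"
     };

     foreach (string account in accounts)
     {
         try
         {
             // RemoveAccessRuleAll matches on identity and access control type, so
             // every explicit Allow rule of the account is removed.
             fs.RemoveAccessRuleAll(new FileSystemAccessRule(account, FileSystemRights.FullControl, AccessControlType.Allow));
         }
         catch
         {
             // Deliberate best effort, kept from the original: an account that does
             // not exist on this machine is skipped and the loop continues.
         }
     }

     return fs;
 }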
예제 #10
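 /// <summary>
 /// Removes the explicit Allow access rules of a fixed list of built-in accounts from
 /// the file or directory at the given path and writes the ACL back.
 /// </summary>
 /// <remarks>
 /// The removal is best effort and reports nothing: callers that rely on it for
 /// lock-down should re-read the ACL and verify the result. Only explicit Allow rules
 /// are removed; Deny rules and rules inherited from a parent directory stay, so the
 /// accounts may still have effective access afterwards.
 /// </remarks>
 /// <param name="filePath">Path of the file or directory.</param>
 /// <exception cref="FileNotFoundException">Neither a file nor a directory exists at the path.</exception>
 public static void RemoveAllSystemAccessRule(string filePath)
 {
     if (File.Exists(filePath))
     {
         FileSecurity fileAcl = File.GetAccessControl(filePath);
         RemoveBuiltInAllowRules(fileAcl);
         File.SetAccessControl(filePath, fileAcl);
     }
     else if (Directory.Exists(filePath))
     {
         DirectorySecurity directoryAcl = Directory.GetAccessControl(filePath);
         RemoveBuiltInAllowRules(directoryAcl);
         Directory.SetAccessControl(filePath, directoryAcl);
     }
     else
     {
         throw new FileNotFoundException("要操作的文件没有找到", filePath);
     }
 }

 // Removes the explicit Allow rules of each listed built-in account from the ACL.
 // Shared by the file and directory branches, which previously duplicated the list.
 private static void RemoveBuiltInAllowRules(FileSystemSecurity acl)
 {
     // English display names: they may not resolve on localized Windows
     // installations, where well-known SIDs would be locale-independent.
     string[] accounts =
     {
         "SYSTEM",
         "Everyone",
         "Administrators",
         "NETWORK",
         "NETWORK SERVICE",
         "LOCAL SERVICE",
         "CREATOR OWNER",
         "Users",
         "Power Users",
         "IIS_WPG",
         "Guests"
     };

     foreach (string account in accounts)
     {
         try
         {
             // RemoveAccessRuleAll matches on identity and access control type, so
             // every explicit Allow rule of the account is removed.
             acl.RemoveAccessRuleAll(new FileSystemAccessRule(account, FileSystemRights.FullControl, AccessControlType.Allow));
         }
         catch
         {
             // Deliberate best effort, kept from the original. Each account now has
             // its own try block: before, the first eight shared one, so a single
             // unresolvable name silently skipped every account after it.
         }
     }
 }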
예제 #11
 /// <summary>
 /// Removes the explicit access rules of one account and one access control type
 /// from a file's ACL and writes the ACL back.
 /// </summary>
 /// <remarks>
 /// RemoveAccessRuleAll matches on identity and access control type, so
 /// <paramref name="rights"/> does not narrow the removal: every explicit rule of that
 /// type for the account is removed. Rules inherited from the parent directory stay.
 /// </remarks>
 /// <param name="fileName">Path of the file to modify.</param>
 /// <param name="account">Account name whose rules are removed.</param>
 /// <param name="rights">Rights placed in the removal template.</param>
 /// <param name="controlType">Whether Allow or Deny rules are removed.</param>
 public static void RemoveFileSecurity(string fileName, string account, FileSystemRights rights, AccessControlType controlType)
 {
     // NOTE(review): fSecurity is not declared in this method, so it is presumably a
     // field of the enclosing class. If it is static, concurrent calls would share it.
     fSecurity = File.GetAccessControl(fileName);

     FileSystemAccessRule template = new FileSystemAccessRule(account, rights, controlType);
     fSecurity.RemoveAccessRuleAll(template);

     // Persist the modified ACL.
     File.SetAccessControl(fileName, fSecurity);
 }