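        /// <summary>
        /// Applies the supplied application access rules to a file or directory as file-system ACEs,
        /// either merging them into the current DACL or replacing the DACL outright.
        /// </summary>
        /// <param name="filePath">Path of an existing file or directory.</param>
        /// <param name="accessRules">Application rules to translate into file-system access rules.</param>
        /// <param name="replaceExisting">
        /// When true, inheritance from the parent is disabled (inherited ACEs are not copied) and every
        /// remaining rule is removed before the new ones are added; when false the new rules are merged
        /// into the DACL that is already there.
        /// </param>
        /// <exception cref="ArgumentNullException"><paramref name="accessRules"/> is null.</exception>
        /// <exception cref="ArgumentException">A rule carries neither an identity reference nor an identity name, or its identity name is a malformed SID.</exception>
        /// <exception cref="FileNotFoundException">Neither a file nor a directory exists at <paramref name="filePath"/>.</exception>
        /// <remarks>
        /// A rule that cannot be merged is logged and skipped rather than aborting the call, so the
        /// resulting DACL may be a subset of what was requested; callers that need all-or-nothing
        /// semantics must verify the result themselves. Note also that with
        /// <paramref name="replaceExisting"/> set and an empty <paramref name="accessRules"/> the object
        /// is left with a protected, empty DACL that grants nobody access (only the owner's implicit
        /// rights remain).
        /// </remarks>
        public static void SetAccessRules(String filePath, IList<ApplicationAccessRule> accessRules, bool replaceExisting)
        {
            if (accessRules == null)
            {
                throw new ArgumentNullException("accessRules");
            }

            // Resolve the target: a file first, then a directory. Only the Access (DACL) section is
            // loaded, so owner/group/SACL are never touched by this call.
            FileInfo fileInfo = new FileInfo(filePath);
            DirectoryInfo directoryInfo = null;
            FileSystemSecurity security;

            if (fileInfo.Exists)
            {
                security = fileInfo.GetAccessControl(AccessControlSections.Access);
            }
            else
            {
                directoryInfo = new DirectoryInfo(filePath);

                if (!directoryInfo.Exists)
                {
                    throw new FileNotFoundException("File or directory does not exist.", filePath);
                }

                security = directoryInfo.GetAccessControl(AccessControlSections.Access);
            }

            if (replaceExisting)
            {
                // Protect the DACL: stop inheriting from the parent and do not keep copies of the
                // inherited ACEs, so the final permissions are exactly the rules added below.
                security.SetAccessRuleProtection(true, false);

                // Drop every explicit rule that is still present.
                AuthorizationRuleCollection existingRules = security.GetAccessRules(true, true, typeof(NTAccount));

                for (int ii = 0; ii < existingRules.Count; ii++)
                {
                    FileSystemAccessRule existingRule = existingRules[ii] as FileSystemAccessRule;

                    // only file-system rules can be removed from a FileSystemSecurity.
                    if (existingRule != null)
                    {
                        security.RemoveAccessRule(existingRule);
                    }
                }
            }

            // Directories get inheritable ACEs so that children pick the rules up; files must not
            // carry inheritance flags at all.
            InheritanceFlags flags = (directoryInfo != null)
                ? InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit
                : InheritanceFlags.None;

            for (int ii = 0; ii < accessRules.Count; ii++)
            {
                ApplicationAccessRule applicationRule = accessRules[ii];

                if (applicationRule == null)
                {
                    Utils.Trace("Skipping null access rule at index {0} for file '{1}'.", ii, filePath);
                    continue;
                }

                IdentityReference identity = applicationRule.IdentityReference;

                if (identity == null)
                {
                    string identityName = applicationRule.IdentityName;

                    if (string.IsNullOrEmpty(identityName))
                    {
                        throw new ArgumentException("Access rule has neither an identity reference nor an identity name.", "accessRules");
                    }

                    if (identityName.StartsWith("S-", StringComparison.Ordinal))
                    {
                        // An ACE stores the SID itself, so the SID is used directly. Translating it to
                        // an NTAccount first would throw for SIDs that cannot be resolved on this
                        // machine (deleted accounts, foreign domains) even though the ACE is valid.
                        // A malformed SID string still surfaces as an ArgumentException.
                        identity = new SecurityIdentifier(identityName);
                    }
                    else
                    {
                        identity = new NTAccount(identityName);
                    }
                }

                // Map the application right onto a file-system right set. The deny-side mappings
                // (a denied Run becomes a deny on the Configure set, etc.) are kept as originally
                // defined; they are not re-derived here.
                bool isAllow = (applicationRule.RuleType == AccessControlType.Allow);
                FileSystemRights rights;

                switch (applicationRule.Right)
                {
                    case ApplicationAccessRight.Run:
                        rights = isAllow ? Read : Configure;
                        break;

                    case ApplicationAccessRight.Update:
                        rights = isAllow ? Update : ConfigureOnly | UpdateOnly;
                        break;

                    case ApplicationAccessRight.Configure:
                        rights = isAllow ? Configure : ConfigureOnly;
                        break;

                    default:
                        // Unknown right: skip explicitly instead of passing a null rule into
                        // SetAccessRule and relying on the exception path below.
                        Utils.Trace(
                            "Unsupported access right '{0}' for account '{1}' on file '{2}'; rule skipped.",
                            applicationRule.Right,
                            applicationRule.IdentityName,
                            filePath);
                        continue;
                }

                FileSystemAccessRule fileRule = new FileSystemAccessRule(
                    identity,
                    rights,
                    flags,
                    PropagationFlags.None,
                    ApplicationAccessRule.Convert(applicationRule.RuleType));

                try
                {
                    // SetAccessRule replaces any existing ACE of the same type (Allow/Deny) for the
                    // same identity, so two rules for one account with the same RuleType do not
                    // accumulate: the last one wins.
                    security.SetAccessRule(fileRule);
                }
                catch (Exception e)
                {
                    // Best effort: the failure is reported and the remaining rules are still applied
                    // (see <remarks>).
                    Utils.Trace(
                        "Could not set access rule for account '{0}' on file '{1}'. Error={2}",
                        applicationRule.IdentityName,
                        filePath,
                        e.Message);
                }
            }

            // Persist the modified DACL back to the object.
            if (directoryInfo != null)
            {
                directoryInfo.SetAccessControl((DirectorySecurity)security);
            }
            else
            {
                fileInfo.SetAccessControl((FileSecurity)security);
            }
        }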
 /// <summary>
 /// Dokan callback for writing a security descriptor. This file system does not support
 /// changing security, so the request is answered with <c>DokanResult.NotImplemented</c>.
 /// </summary>
 public NtStatus SetFileSecurity(string fileName, FileSystemSecurity security, AccessControlSections sections,
                                 IDokanFileInfo info)
 {
     // The descriptor in 'security' is intentionally ignored: nothing is written back.
     var status = DokanResult.NotImplemented;
     return status;
 }
 /// <summary>
 /// Dokan callback for reading a security descriptor. Not supported by this file system:
 /// the call always throws <see cref="NotImplementedException"/> and never assigns
 /// <paramref name="security"/>.
 /// </summary>
 public NtStatus GetFileSecurity(string fileName, out FileSystemSecurity security, AccessControlSections sections, DokanFileInfo info)
 {
     // 'security' is left unassigned; the throw means control never returns normally.
     var notSupported = new NotImplementedException();
     throw notSupported;
 }
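        // Generic access bits as they appear in an ACE mask (winnt.h GENERIC_ALL / GENERIC_WRITE).
        // An ACE read back from the file system can still carry these instead of the specific
        // rights they expand to; left as-is, the FileSystemRights flag tests below would miss it.
        private const int GenericAllAccessMask = 0x10000000;
        private const int GenericWriteAccessMask = 0x40000000;

        /// <summary>
        /// Folds generic access bits into the specific rights they map to for file objects, so that an
        /// ACE granting GENERIC_ALL or GENERIC_WRITE is recognised by the per-right tests in
        /// <see cref="InsertFileDescriptorRelation"/>.
        /// </summary>
        private static FileSystemRights ExpandGenericRights(FileSystemRights rights)
        {
            int mask = (int)rights;

            if ((mask & GenericAllAccessMask) != 0)
            {
                rights |= FileSystemRights.FullControl;
            }

            if ((mask & GenericWriteAccessMask) != 0)
            {
                // GENERIC_WRITE on a file maps to FILE_GENERIC_WRITE, which contains every bit of
                // FileSystemRights.Write (WriteData, AppendData, WriteAttributes, WriteExtendedAttributes).
                rights |= FileSystemRights.Write;
            }

            return rights;
        }

        /// <summary>
        /// Records the relations implied by a file's security descriptor: who owns the file node, and
        /// which SIDs hold an Allow ACE granting a write-class right over it.
        /// </summary>
        /// <param name="filenode">Storage name of the file (or directory) the descriptor belongs to.</param>
        /// <param name="sd">Security descriptor of the file.</param>
        /// <param name="skipInherited">When true, inherited ACEs are ignored and only explicit ACEs produce relations.</param>
        /// <param name="knownOwner">Owner SID (string form) that is expected and therefore not recorded.</param>
        /// <returns>True if at least one relation was inserted into <c>Storage</c>.</returns>
        /// <remarks>
        /// Deny ACEs are ignored, so a Deny that would override one of the recorded Allow rights is not
        /// reflected in the result. Each right test is "contains all bits of", so an ACE granting only
        /// part of <see cref="FileSystemRights.Write"/> yields just the finer-grained relations.
        /// </remarks>
        private bool InsertFileDescriptorRelation(string filenode, FileSystemSecurity sd, bool skipInherited, string knownOwner)
        {
            bool newRelation = false;

            // GetOwner returns null when the descriptor carries no owner (e.g. it was read without the
            // Owner section); treat that as "no owner relation" rather than dereferencing null.
            IdentityReference owner = sd.GetOwner(typeof(SecurityIdentifier));

            // SIDs are plain ASCII identifiers, so an ordinal comparison is the right one.
            if (owner != null && !owner.Value.Equals(knownOwner, StringComparison.OrdinalIgnoreCase))
            {
                Storage.InsertRelation(owner.Value, MappingType.Sid, filenode, MappingType.Name, RelationType.FILE_OWNER);
                newRelation = true;
            }

            // Relations are collected per SID first: duplicates (the same SID in several ACEs) would
            // slow the import down. Dedup itself is presumably done by IncludeRelationInDictionary.
            Dictionary<string, List<RelationType>> relationToAdd = new Dictionary<string, List<RelationType>>();

            foreach (FileSystemAccessRule ace in sd.GetAccessRules(true, true, typeof(SecurityIdentifier)))
            {
                // Only Allow ACEs grant anything; Deny and audit entries are not modelled.
                if (ace.AccessControlType != AccessControlType.Allow)
                {
                    continue;
                }

                if (skipInherited && ace.IsInherited)
                {
                    continue;
                }

                FileSystemRights rights = ExpandGenericRights(ace.FileSystemRights);
                string sid = ace.IdentityReference.Value;

                // GEN_RIGHT_ALL
                if ((rights & FileSystemRights.FullControl) == FileSystemRights.FullControl)
                {
                    IncludeRelationInDictionary(relationToAdd, sid, RelationType.GEN_RIGHT_ALL);
                }
                // GEN_RIGHT_WRITE
                if ((rights & FileSystemRights.Write) == FileSystemRights.Write)
                {
                    IncludeRelationInDictionary(relationToAdd, sid, RelationType.GEN_RIGHT_WRITE);
                }
                // STAND_RIGHT_WRITE_DAC: can rewrite the DACL, hence grant itself anything
                if ((rights & FileSystemRights.ChangePermissions) == FileSystemRights.ChangePermissions)
                {
                    IncludeRelationInDictionary(relationToAdd, sid, RelationType.STAND_RIGHT_WRITE_DAC);
                }
                // STAND_RIGHT_WRITE_OWNER: can take ownership, hence reach WRITE_DAC
                if ((rights & FileSystemRights.TakeOwnership) == FileSystemRights.TakeOwnership)
                {
                    IncludeRelationInDictionary(relationToAdd, sid, RelationType.STAND_RIGHT_WRITE_OWNER);
                }
                // FILE_WRITEDATA_ADDFILE
                if ((rights & FileSystemRights.WriteData) == FileSystemRights.WriteData)
                {
                    IncludeRelationInDictionary(relationToAdd, sid, RelationType.FS_RIGHT_WRITEDATA_ADDFILE);
                }
                // FILE_APPENDDATA_ADDSUBDIR
                if ((rights & FileSystemRights.AppendData) == FileSystemRights.AppendData)
                {
                    IncludeRelationInDictionary(relationToAdd, sid, RelationType.FS_RIGHT_APPENDDATA_ADDSUBDIR);
                }
            }

            foreach (KeyValuePair<string, List<RelationType>> entry in relationToAdd)
            {
                foreach (RelationType link in entry.Value)
                {
                    Storage.InsertRelation(entry.Key, MappingType.Sid, filenode, MappingType.Name, link);
                    newRelation = true;
                }
            }

            return newRelation;
        }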