private static void CreateTempDirectoryWithAcl(string folder, string identity)
{
// Dacl Sddl string:
// D: Dacl type
// D; Deny access
// OI; Object inherit ace
// SD; Standard delete function
// wIdentity.User Sid of the given user.
// A; Allow access
// OICI; Object inherit, container inherit
// FA File access
// BA Built-in administrators
// S: Sacl type
// ML;; Mandatory Label
// NW;;; No write policy
// HI High integrity processes only
string sddl = "D:(D;OI;SD;;;" + identity + ")(A;OICI;FA;;;BA)S:(ML;OI;NW;;;HI)";
try
{
var dir = Directory.CreateDirectory(folder);
DirectorySecurity dirSec = new DirectorySecurity();
dirSec.SetSecurityDescriptorSddlForm(sddl);
dirSec.SetAccessRuleProtection(true, false); // disable inheritance
dir.SetAccessControl(dirSec);
// Cleaning out the directory, in case someone managed to sneak in between creation and setting ACL.
DirectoryInfo dirInfo = new DirectoryInfo(folder);
foreach (FileInfo file in dirInfo.GetFiles())
{
file.Delete();
}
foreach (DirectoryInfo subDirInfo in dirInfo.GetDirectories())
{
subDirInfo.Delete(true);
}
}
catch (Exception exc)
{
throw Contracts.ExceptParam(nameof(folder), $"Failed to create folder for the provided path: {folder}. \nException: {exc.Message}");
}
}