C# - Windows ACL - Applying Inherited Permissions

Published 2019-01-18 00:24

Question:

I've been having problems programmatically assigning permissions to Folders / Registry entries. I have managed to assign inheriting permissions using the following code:

FileSystemAccessRule rule = new FileSystemAccessRule(LOGON_USER_NAME,
    FileSystemRights.FullControl,
    InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
    PropagationFlags.InheritOnly,
    AccessControlType.Allow);

DirectorySecurity security = new DirectorySecurity(); 
security.SetAccessRule(rule);

Directory.CreateDirectory(dir);
Directory.SetAccessControl(dir, security);

This correctly sets my file permissions on all the child folders I create as an administrator. However, it does not set the permissions on the dir folder itself. I've played around with a fair few permutations for inheritance and propagation, but not had any joy.

For example, I have:

dir = %programfiles%\Test

If I have created a folder in test (%programfiles%\Test\SubFolder), I have full permissions assigned to it for my user, but I do not have full permissions on %programfiles%\Test. This is really annoying, as I would like to give my user full permissions to do whatever with the Test directory as well.

I am having similar problems with registry permissions, but I believe that if I can solve one, I can solve both of the outstanding issues.

Does anyone know how this can be resolved?

Regards
Tris

Answer 1:

For the folder:

FileSystemAccessRule rule = new FileSystemAccessRule(LOGON_USER_NAME, 
    FileSystemRights.FullControl, AccessControlType.Allow);

For subfolders and files:

FileSystemAccessRule rule = new FileSystemAccessRule(LOGON_USER_NAME,
    FileSystemRights.FullControl, InheritanceFlags.ContainerInherit |  
    InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, 
    AccessControlType.Allow);

Both lines need to be in your project. Then you get ACLs that apply to this folder, subfolders and files.



Answer 2:

I'm hardly an expert here, but after having to figure this out for my own purposes, I believe that Dave's answer, although functional, is overly complicated. You should be able to achieve this with just one rule:

FileSystemAccessRule rule = new FileSystemAccessRule(LOGON_USER_NAME,
    FileSystemRights.FullControl,
    InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
    PropagationFlags.None, 
    AccessControlType.Allow);

The PropagationFlags.InheritOnly parameter used by the OP in their original code is what prevents the access rule from applying to the object itself.

Also, you might as well set the directory's security as you're creating it, since .NET provides an overload for just that purpose:

Directory.CreateDirectory(dir, security);
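
An added example, not code from the original question or answers: a C# console program that applies the rule once with PropagationFlags.InheritOnly and once with PropagationFlags.None, then reads each folder's explicit ACEs back to show which one covers the folder itself. It assumes Windows with .NET Framework (or .NET with the System.IO.FileSystem.AccessControl package); the AclDemo class, the temp-folder paths and the use of the current user's SID in place of LOGON_USER_NAME are constructed for the demonstration.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class AclDemo
{
    // Builds an Allow/FullControl rule that children inherit (CI | OI);
    // the propagation flag decides whether the folder itself is covered.
    static FileSystemAccessRule Rule(IdentityReference who, PropagationFlags propagation) =>
        new FileSystemAccessRule(who, FileSystemRights.FullControl,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            propagation, AccessControlType.Allow);

    // Creates the folder, adds the rule to its existing ACL, then reads the ACL
    // back and reports whether an explicit ACE for 'who' applies to the folder itself.
    static bool AppliesToFolderItself(string path, IdentityReference who, PropagationFlags propagation)
    {
        DirectoryInfo di = Directory.CreateDirectory(path);
        DirectorySecurity sec = di.GetAccessControl();
        sec.AddAccessRule(Rule(who, propagation));
        di.SetAccessControl(sec);

        bool applies = false;
        // includeExplicit: true, includeInherited: false -> only ACEs set on this folder
        foreach (FileSystemAccessRule ace in di.GetAccessControl()
                     .GetAccessRules(true, false, typeof(SecurityIdentifier)))
        {
            if (!ace.IdentityReference.Equals(who)) continue;
            Console.WriteLine($"{path}: {ace.FileSystemRights} inherit={ace.InheritanceFlags} propagate={ace.PropagationFlags}");
            // An ACE without InheritOnly is evaluated for access to the folder itself.
            if ((ace.PropagationFlags & PropagationFlags.InheritOnly) == 0) applies = true;
        }
        return applies;
    }

    static void Main()
    {
        // Constructed test location and identity: a temp folder and the current user.
        string root = Path.Combine(Path.GetTempPath(), "AclDemo-" + Guid.NewGuid().ToString("N"));
        SecurityIdentifier me = WindowsIdentity.GetCurrent().User;

        Console.WriteLine(AppliesToFolderItself(Path.Combine(root, "InheritOnly"), me, PropagationFlags.InheritOnly));
        Console.WriteLine(AppliesToFolderItself(Path.Combine(root, "None"), me, PropagationFlags.None));
        Directory.Delete(root, true); // clean up the constructed folders
    }
}
```

The example calls AddAccessRule on the ACL read from the new folder, so the folder's existing entries are kept alongside the added one.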