Why can I not set this ACL rule in C#?

Posted 2020-03-27 18:23

Question:

Running as an elevated admin on Vista SP1, my C# app tries to set the following rule with the following code. No error is produced, but neither is any change on the directory's ACL. What am I missing?

using System;
using System.IO;
using System.Security.AccessControl;

public static class Program
{
    public static void Main(string[] args)
    {
        // <CommonApplicationData>\Company\Product
        string dirPath = Path.Combine(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData), "Company"), "Product");
        Directory.CreateDirectory(dirPath);
        _SetAcl(dirPath, "Users", FileSystemRights.FullControl);
    }

    private static void _SetAcl(string path, string identity, FileSystemRights rights)
    {
        var info = new DirectoryInfo(path);
        var acl = info.GetAccessControl();

        // Replace any existing rules for the identity with a rule on the directory itself.
        var rule1 = new FileSystemAccessRule(identity, rights, AccessControlType.Allow);
        bool modified;
        acl.ModifyAccessRule(AccessControlModification.Reset, rule1, out modified);

        // Add an inherit-only rule that applies to child folders and files.
        var inheritanceFlags = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;
        var rule2 = new FileSystemAccessRule(identity, rights, inheritanceFlags,
                                            PropagationFlags.InheritOnly, AccessControlType.Allow);
        acl.ModifyAccessRule(AccessControlModification.Add, rule2, out modified);
        // The method ends here without writing 'acl' back to the directory.
    }
}

Update: Just add the following code as the last line of the _SetAcl method, and my code is good to go.

info.SetAccessControl(acl);

Answer 1:

To finish the process you must call DirectoryInfo.SetAccessControl() with the modified ACL.

GetAccessControl() really returns a copy of the ACL. You're free to modify it but it won't take effect until you call SetAccessControl().
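The following is an added example, not part of the original question or answer: it re-reads the ACL from disk before and after SetAccessControl() to check whether the rule was actually persisted. The class name, the scratch directory under the temp path, the Modify right, and the use of the well-known BUILTIN\Users SID (instead of the name "Users", so the lookup does not depend on the OS language) are assumptions made for the demo; it is Windows-only.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

internal static class AclCopyDemo
{
    // True if the ACL currently stored on disk has an explicit Allow rule
    // for 'who' that includes all of 'rights'.
    private static bool OnDiskHasRule(string path, IdentityReference who, FileSystemRights rights)
    {
        var fresh = new DirectoryInfo(path).GetAccessControl(); // re-read from disk
        foreach (FileSystemAccessRule r in
                 fresh.GetAccessRules(true, false, typeof(SecurityIdentifier)))
        {
            if (r.AccessControlType == AccessControlType.Allow &&
                r.IdentityReference.Equals(who) &&
                (r.FileSystemRights & rights) == rights)
                return true;
        }
        return false;
    }

    public static void Main()
    {
        // Constructed scratch directory, so the demo needs no elevation.
        string dir = Path.Combine(Path.GetTempPath(), "AclCopyDemo-" + Guid.NewGuid().ToString("N"));
        DirectoryInfo info = Directory.CreateDirectory(dir);
        // BUILTIN\Users by well-known SID rather than by the name "Users".
        var users = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
        var rights = FileSystemRights.Modify; // assumption: demo value

        try
        {
            DirectorySecurity acl = info.GetAccessControl(); // in-memory copy
            acl.AddAccessRule(new FileSystemAccessRule(users, rights,
                InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
                PropagationFlags.None, AccessControlType.Allow));

            Console.WriteLine("after modifying the copy: " + OnDiskHasRule(dir, users, rights));
            info.SetAccessControl(acl); // write the copy back
            Console.WriteLine("after SetAccessControl:   " + OnDiskHasRule(dir, users, rights));
        }
        finally { Directory.Delete(dir, true); }
    }
}
```

The same re-read check is useful in installers and provisioning code, where a permission change that silently did nothing would otherwise go unnoticed.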