Inherited permissions lost while giving NTFS permi

2019-06-20 19:11发布

站内问答 / C#
1690 1 5

I was trying to give NTFS permissions on a UNC path for a specific user, but I see different behavior depending on the UNC path. Below is the code (from MSDN) which I am using to give permissions and the result in each scenario,

static void GiveNTFSPermissions(string folderPath, 
                                string ntAccountName, 
                                FileSystemRights accessRights)
{
    DirectorySecurity dirSecurity = Directory.GetAccessControl(folderPath);

    FileSystemAccessRule newAccessRule =
         new FileSystemAccessRule(
               ntAccountName,
               accessRights,
               AccessControlType.Allow);

    dirSecurity.AddAccessRule(newAccessRule);

    Directory.SetAccessControl(folderPath, dirSecurity);
}

Suppose I have a share named “RootShare” on my local machine, and another folder “InsideRootShare” inside it.

Scenario1: When I call,

GiveNTFSPermissions(@"\\sri-devpc\RootShare",
                    @"domain\username",
                    FileSystemRights.Write);

Inherited permissions were lost on the shared path,

Scenario2: When I call,

GiveNTFSPermissions(@"\\sri-devpc\RootShare\InsideRootShare", 
                    @"domain\username", 
                    FileSystemRights.Write);

Inherited permissions were intact.

I have tried with different constructors of FileSystemAccessRule but no luck.

What is the reason behind this behavior, and any workaround for this?

1条回答
霸刀☆藐视天下
2楼-- · 2019-06-20 19:48

We ran into similar issues working with file system permission while working on Dropkick's security module. The solution we came up with is as follows. This will successfully set permissions on any folder without changing the inheritance rules on the folder.

    public void SetFileSystemRights(string target, string group, FileSystemRights permission)
    {
        if (!IsDirectory(target) && !IsFile(target))
            return;

        var oldSecurity = Directory.GetAccessControl(target);
        var newSecurity = new DirectorySecurity();

        newSecurity.SetSecurityDescriptorBinaryForm(oldSecurity.GetSecurityDescriptorBinaryForm());

        var accessRule = new FileSystemAccessRule(group,
                                                  permission,
                                                  InheritanceFlags.None,
                                                  PropagationFlags.NoPropagateInherit,
                                                  AccessControlType.Allow);
        bool result;
        newSecurity.ModifyAccessRule(AccessControlModification.Set, accessRule, out result);

        if (!result) Log.AddError("Something wrong happened");

        accessRule = new FileSystemAccessRule(group,
                                              permission,
                                              InheritanceFlags.ContainerInherit |
                                              InheritanceFlags.ObjectInherit,
                                              PropagationFlags.InheritOnly,
                                              AccessControlType.Allow);

        result = false;
        newSecurity.ModifyAccessRule(AccessControlModification.Add, accessRule, out result);
        if (!result) Log.AddError("Something wrong happened");

        Directory.SetAccessControl(target, newSecurity);

        if (result) Log.AddGood("Permissions set for '{0}' on folder '{1}'", group, target);

        if (!result) Log.AddError("Something wrong happened");
    }

Found the link that I originally used to figure this out.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)