Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Inherited permissions lost while giving NTFS permissions

Tags:

c#

permissions

I was trying to give NTFS permissions on a UNC path for a specific user, but I see different behavior depending on the UNC path. Below is the code (from MSDN) which I am using to give permissions and the result in each scenario,

static void GiveNTFSPermissions(string folderPath, 
                                string ntAccountName, 
                                FileSystemRights accessRights)
{
    DirectorySecurity dirSecurity = Directory.GetAccessControl(folderPath);

    FileSystemAccessRule newAccessRule =
         new FileSystemAccessRule(
               ntAccountName,
               accessRights,
               AccessControlType.Allow);

    dirSecurity.AddAccessRule(newAccessRule);

    Directory.SetAccessControl(folderPath, dirSecurity);
}

Suppose I have a share named “RootShare” on my local machine, and another folder “InsideRootShare” inside it.

Scenario1: When I call,

GiveNTFSPermissions(@"\\sri-devpc\RootShare",
                    @"domain\username",
                    FileSystemRights.Write);

Inherited permissions were lost on the shared path,

Scenario2: When I call,

GiveNTFSPermissions(@"\\sri-devpc\RootShare\InsideRootShare", 
                    @"domain\username", 
                    FileSystemRights.Write);

Inherited permissions were intact.

I have tried with different constructors of FileSystemAccessRule but no luck.

What is the reason behind this behavior, and any workaround for this?

like image 766
sri Avatar asked Sep 10 '12 15:09

sri


People also ask

How does inheritance work with NTFS permissions?

Opposed to share level permissions, NTFS permissions offer the possibility to let files and subfolders inherit NTFS permissions from their parent folders. The inheritance chain can be interrupted at any level, from the top down to a file, by disabling inheritance.

Does NTFS standard permissions override sharing permissions?

If you use share permissions and NTFS permissions together, the most restrictive permission will take precedence over the other. For example, if NTFS share permissions are set to Full Control, but share permissions are set to “Read,” the user will only be able to read the file or look at the items in the folder.

What happens when you enable inheritance on a folder?

Inheritance makes it easier to create permission settings that don't have to be repeated for each and every sub-folder and file in a main folder. All you need to do is create an access control list for the parent folder, and all the sub-folders and files will inherit these permissions automatically.


1 Answers

We ran into similar issues working with file system permission while working on Dropkick's security module. The solution we came up with is as follows. This will successfully set permissions on any folder without changing the inheritance rules on the folder.

    public void SetFileSystemRights(string target, string group, FileSystemRights permission)
    {
        if (!IsDirectory(target) && !IsFile(target))
            return;

        var oldSecurity = Directory.GetAccessControl(target);
        var newSecurity = new DirectorySecurity();

        newSecurity.SetSecurityDescriptorBinaryForm(oldSecurity.GetSecurityDescriptorBinaryForm());

        var accessRule = new FileSystemAccessRule(group,
                                                  permission,
                                                  InheritanceFlags.None,
                                                  PropagationFlags.NoPropagateInherit,
                                                  AccessControlType.Allow);
        bool result;
        newSecurity.ModifyAccessRule(AccessControlModification.Set, accessRule, out result);

        if (!result) Log.AddError("Something wrong happened");

        accessRule = new FileSystemAccessRule(group,
                                              permission,
                                              InheritanceFlags.ContainerInherit |
                                              InheritanceFlags.ObjectInherit,
                                              PropagationFlags.InheritOnly,
                                              AccessControlType.Allow);

        result = false;
        newSecurity.ModifyAccessRule(AccessControlModification.Add, accessRule, out result);
        if (!result) Log.AddError("Something wrong happened");

        Directory.SetAccessControl(target, newSecurity);

        if (result) Log.AddGood("Permissions set for '{0}' on folder '{1}'", group, target);

        if (!result) Log.AddError("Something wrong happened");
    }

Found the link that I originally used to figure this out.

like image 52
Matthew Brubaker Avatar answered Oct 01 '22 08:10

Matthew Brubaker