Menu
I was trying to give NTFS permissions on a UNC path for a specific user, but I see different behavior depending on the UNC path. Below is the code (from MSDN) which I am using to give permissions and the result in each scenario,
static void GiveNTFSPermissions(string folderPath,
string ntAccountName,
FileSystemRights accessRights)
{
DirectorySecurity dirSecurity = Directory.GetAccessControl(folderPath);
FileSystemAccessRule newAccessRule =
new FileSystemAccessRule(
ntAccountName,
accessRights,
AccessControlType.Allow);
dirSecurity.AddAccessRule(newAccessRule);
Directory.SetAccessControl(folderPath, dirSecurity);
}
Suppose I have a share named “RootShare” on my local machine, and another folder “InsideRootShare” inside it.
Scenario1:
When I call,
GiveNTFSPermissions(@"\\sri-devpc\RootShare",
@"domain\username",
FileSystemRights.Write);
Inherited permissions were lost on the shared path,
Scenario2: When I call,
GiveNTFSPermissions(@"\\sri-devpc\RootShare\InsideRootShare",
@"domain\username",
FileSystemRights.Write);
Inherited permissions were intact.
I have tried with different constructors of FileSystemAccessRule but no luck.
What is the reason behind this behavior, and any workaround for this?
766
Opposed to share level permissions, NTFS permissions offer the possibility to let files and subfolders inherit NTFS permissions from their parent folders. The inheritance chain can be interrupted at any level, from the top down to a file, by disabling inheritance.
If you use share permissions and NTFS permissions together, the most restrictive permission will take precedence over the other. For example, if NTFS share permissions are set to Full Control, but share permissions are set to “Read,” the user will only be able to read the file or look at the items in the folder.
Inheritance makes it easier to create permission settings that don't have to be repeated for each and every sub-folder and file in a main folder. All you need to do is create an access control list for the parent folder, and all the sub-folders and files will inherit these permissions automatically.
We ran into similar issues working with file system permission while working on Dropkick's security module. The solution we came up with is as follows. This will successfully set permissions on any folder without changing the inheritance rules on the folder.
public void SetFileSystemRights(string target, string group, FileSystemRights permission)
{
if (!IsDirectory(target) && !IsFile(target))
return;
var oldSecurity = Directory.GetAccessControl(target);
var newSecurity = new DirectorySecurity();
newSecurity.SetSecurityDescriptorBinaryForm(oldSecurity.GetSecurityDescriptorBinaryForm());
var accessRule = new FileSystemAccessRule(group,
permission,
InheritanceFlags.None,
PropagationFlags.NoPropagateInherit,
AccessControlType.Allow);
bool result;
newSecurity.ModifyAccessRule(AccessControlModification.Set, accessRule, out result);
if (!result) Log.AddError("Something wrong happened");
accessRule = new FileSystemAccessRule(group,
permission,
InheritanceFlags.ContainerInherit |
InheritanceFlags.ObjectInherit,
PropagationFlags.InheritOnly,
AccessControlType.Allow);
result = false;
newSecurity.ModifyAccessRule(AccessControlModification.Add, accessRule, out result);
if (!result) Log.AddError("Something wrong happened");
Directory.SetAccessControl(target, newSecurity);
if (result) Log.AddGood("Permissions set for '{0}' on folder '{1}'", group, target);
if (!result) Log.AddError("Something wrong happened");
}
Found the link that I originally used to figure this out.
52
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
