Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Support for File Security in .NET Core

We were porting a .NET 4.0 class Library to .NET Core 1.1 and struck with an issue of very limit support for file Security and permissions in .NET Core CLR.

We were trying to set the access control permissions to a file as below, and it seems that FileInfo doesn't have any SetAccessControl or GetAccessControl anymore.

 // Get a FileSecurity object that represents the
    // current security settings.
    FileSecurity fSecurity = File.GetAccessControl(fileName);

    // Add the FileSystemAccessRule to the security settings.
    fSecurity.AddAccessRule(new FileSystemAccessRule(account,
        rights, controlType));

    // Set the new access settings.
    File.SetAccessControl(fileName, fSecurity);

The goal is just to add execution right to the current owner of a file.

like image 861
user7403074 Avatar asked Jan 11 '17 07:01

user7403074


3 Answers

Wow, so much information out there and even though the documentation says that in .NET Core 3.1 you cannot do DirectoryInfo.SetAccessRule, it compiled and worked!

UPDATE: Aha! The documentation says this IS supported and it works. https://learn.microsoft.com/en-us/dotnet/api/system.io.filesystemaclextensions?view=dotnet-plat-ext-3.1 DOES have a SetAccessControl method

Be sure to add the System.IO.FileSystem.AccessControl NuGet package.

Here's what I had in .NET Framework:

var ds = new DirectorySecurity();
ds.AddAccessRule(new FileSystemAccessRule(adminSI, FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow));
ds.SetAccessRuleProtection(true, false); // disable inheritance and clear any inherited permissions

Directory.SetAccessControl(<path to directory>, ds);

And here's what it is working in .NET Core 3.1. Only the last line is different:

var ds = new DirectorySecurity();
ds.AddAccessRule(new FileSystemAccessRule(adminSI, FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow));
ds.SetAccessRuleProtection(true, false); // disable inheritance and clear any inherited permissions

System.IO.FileSystemAclExtensions.SetAccessControl(new DirectoryInfo(<path to directory>), ds);
like image 133
Jon R Avatar answered Oct 27 '22 04:10

Jon R


These APIs haven't been included in .NET Standard due to low use and being Windows specific.

See discussion here regarding its exclusion from .NET Standard: https://github.com/dotnet/standard/issues/15

As a workaround there is a NuGet package which provides this functionality: https://www.nuget.org/packages/System.IO.FileSystem.AccessControl/

Also a related question: How to modify file access control in .NET Core

like image 31
bvpb Avatar answered Oct 27 '22 06:10

bvpb


In dotnet standard/core:

Import the NuGet package as user bvpb mentioned. System.IO.FileSystem.AccessControl

Then instead of this (which only works in .NET Framework):

FileSecurity fSecurity = File.GetAccessControl(fileName);

use this (which works in all versions of .NET):

FileSecurity fSecurity = new FileSecurity(fileName, AccessControlSections.Owner | 
                AccessControlSections.Group |
                AccessControlSections.Access);

You may need AccessControllSections.All instead which requires the account running this code to have more permissions.

like image 3
Ambrose Leung Avatar answered Oct 27 '22 05:10

Ambrose Leung