Support for File Security in .NET Core

Question

We were porting a .NET 4.0 class Library to .NET Core 1.1 and struck with an issue of very limit support for file Security and permissions in .NET Core CLR.

We were trying to set the access control permissions to a file as below, and it seems that FileInfo doesn't have any SetAccessControl or GetAccessControl anymore.

 // Get a FileSecurity object that represents the
    // current security settings.
    FileSecurity fSecurity = File.GetAccessControl(fileName);

    // Add the FileSystemAccessRule to the security settings.
    fSecurity.AddAccessRule(new FileSystemAccessRule(account,
        rights, controlType));

    // Set the new access settings.
    File.SetAccessControl(fileName, fSecurity);

The goal is just to add execution right to the current owner of a file.

Answer 1

Wow, so much information out there and even though the documentation says that in .NET Core 3.1 you cannot do DirectoryInfo.SetAccessRule, it compiled and worked!

UPDATE: Aha! The documentation says this IS supported and it works. https://learn.microsoft.com/en-us/dotnet/api/system.io.filesystemaclextensions?view=dotnet-plat-ext-3.1 DOES have a SetAccessControl method

Be sure to add the System.IO.FileSystem.AccessControl NuGet package.

Here's what I had in .NET Framework:

var ds = new DirectorySecurity();
ds.AddAccessRule(new FileSystemAccessRule(adminSI, FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow));
ds.SetAccessRuleProtection(true, false); // disable inheritance and clear any inherited permissions

Directory.SetAccessControl(<path to directory>, ds);

And here's what it is working in .NET Core 3.1. Only the last line is different:

var ds = new DirectorySecurity();
ds.AddAccessRule(new FileSystemAccessRule(adminSI, FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow));
ds.SetAccessRuleProtection(true, false); // disable inheritance and clear any inherited permissions

System.IO.FileSystemAclExtensions.SetAccessControl(new DirectoryInfo(<path to directory>), ds);

Answer 2

These APIs haven't been included in .NET Standard due to low use and being Windows specific.

See discussion here regarding its exclusion from .NET Standard: https://github.com/dotnet/standard/issues/15

As a workaround there is a NuGet package which provides this functionality: https://www.nuget.org/packages/System.IO.FileSystem.AccessControl/

Also a related question: How to modify file access control in .NET Core

Answer 3

In dotnet standard/core:

Import the NuGet package as user bvpb mentioned. System.IO.FileSystem.AccessControl

Then instead of this (which only works in .NET Framework):

FileSecurity fSecurity = File.GetAccessControl(fileName);

use this (which works in all versions of .NET):

FileSecurity fSecurity = new FileSecurity(fileName, AccessControlSections.Owner | 
                AccessControlSections.Group |
                AccessControlSections.Access);

You may need AccessControllSections.All instead which requires the account running this code to have more permissions.