87

The tool I develop needs to grant access rights "Full Control" to a file created by it. It needs to be read, modified and deleted from all windows accounts and even possible future accounts. Could this be achieved?

I know I can try this for a SPECIFIC_USER:

FileSystemAccessRule rule = new FileSystemAccessRule(SPECIFIC_USER, FileSystemRights.FullControl, AccessControlType.Allow);
FileSecurity fSecurity = File.GetAccessControl(filePath);
fSecurity.SetAccessRule(rule);
File.SetAccessControl(filePath, fSecurity);

But how do I grant it to all users? And even possible future accounts? If the latter part is not possible, how to go about the first requirement?

Thanks.

EDIT:

This is the code which worked for me. Taken from the answerer's link.

private void GrantAccess(string fullPath)
{
    DirectoryInfo dInfo = new DirectoryInfo(fullPath);
    DirectorySecurity dSecurity = dInfo.GetAccessControl();
    dSecurity.AddAccessRule(new FileSystemAccessRule(
        new SecurityIdentifier(WellKnownSidType.WorldSid, null), 
        FileSystemRights.FullControl,
        InheritanceFlags.ObjectInherit |
           InheritanceFlags.ContainerInherit,
        PropagationFlags.NoPropagateInherit,
        AccessControlType.Allow));

    dInfo.SetAccessControl(dSecurity);
}

Note the PropagationFlags.NoPropagateInherit which is required (mentioned towards the last in the link). It does grant privilege to even future accounts.

nawfal
  • 70,104
  • 56
  • 326
  • 368
  • 18
    Note to people, don't use "everyone", instead use `new SecurityIdentifier(WellKnownSidType.WorldSid, null)` which returns a SecurityIdentifier object. Everyone only works on english windows installations, using the other method ensures it's compatible with multiple language versions. – Angelo Vargas Apr 24 '13 at 15:17
  • @trukin can you make it an answer? thanks – nawfal Apr 24 '13 at 18:27
  • @nawfal: I'm having same issue, and I need to give access of my installation folder once application installed, but where can I write this code? – Hina Khuman Jan 09 '18 at 07:33
  • @HinaKhuman Giving installation folder privileges are better handled by the installer. I dont know which one you are using but it should be pretty straight forward. If you wanna do it from C# then call the GrantAccess method from wherever you want but your application itself should have the rights. – nawfal Jan 09 '18 at 11:19
  • @nawfal: Thanks! see detailed question here: https://stackoverflow.com/q/48165315/5743676 – Hina Khuman Jan 09 '18 at 11:21

3 Answers3

139

Note to people using this.

When using literal strings for the FileSystemAccessRule, it should be WellKnownSidType.WorldSid instead of "everyone".

The reason is because there are multiple Window languages and Everyone only applies to EN ones, so for Spanish, it might be "Todos" (or something else).

using System.Security.AccessControl;
using System.Security.Principal;
using System.IO;

private void GrantAccess(string fullPath)
{
    DirectoryInfo dInfo = new DirectoryInfo(fullPath);
    DirectorySecurity dSecurity = dInfo.GetAccessControl();
    dSecurity.AddAccessRule(new FileSystemAccessRule(new SecurityIdentifier(WellKnownSidType.WorldSid, null), FileSystemRights.FullControl, InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.NoPropagateInherit, AccessControlType.Allow));
    dInfo.SetAccessControl(dSecurity);
}
adjan
  • 13,371
  • 2
  • 31
  • 48
Angelo Vargas
  • 1,961
  • 1
  • 13
  • 17
  • Thank-you so much.. been struggling with decompressing files and setting permissions to .mdf files (because I got read-only errors). Thanks! – CularBytes Jan 24 '15 at 15:17
  • May I ask the purpose of the return value? – hypehuman Jun 26 '15 at 21:26
  • @hypehuman oh none really, it was meant to be called from somewhere and if it failed (say GrantAccess caught an exception, then it would return false), then whatever code uses that should not continue since no permissions were granted. – Angelo Vargas Jun 27 '15 at 06:33
  • DirectorySecurity is not found. What is the reference lib? i added 3 lines 'using...', still error. – anhtv13 Sep 25 '19 at 08:49
  • 2
    Do not forget to include `InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.NoPropagateInherit` or it will only add the user/group without applying any permissions to it (the user/group will only have special permissions). Just spent an hour trying to understand why it would appply any permissions to the group, so hope this saves someone some time! – Kappacake Jun 21 '21 at 09:53
13

You will need to give full control to "Everyone" group on the machine. Found this post on MSDN which talks about it.

Hope this works for you.

Amar Palsapure
  • 9,590
  • 1
  • 27
  • 46
  • Thanks, Ill see to that. Does this grant access to even future accounts? – nawfal Feb 02 '12 at 07:26
  • Thanks it did work and grants access to future user accounts as well. Please accept my edit so that others know what exactly should be done. – nawfal Feb 02 '12 at 11:18
0

Here is similar code, but limited to doing so for a single file which is what brought me here. Though for better security, you may wish to use WellKnownSidType.AuthenticatedUserSid instead of WordSid.

var fileSecurity = new System.Security.AccessControl.FileSecurity();
var everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
var rule = new FileSystemAccessRule(everyone, FileSystemRights.FullControl, AccessControlType.Allow);
fileSecurity.AddAccessRule(rule);
  
File.SetAccessControl(path, fileSecurity);
Herb F
  • 135
  • 8