0

I am trying to write a tool, limiting the ability to mess up file server structures. Within this project I am trying to limit the user to save files in directories, but prevent the user from creating subdirectories in specific folder. The subdirectory will be created another way, wich already works.

But I am facing the problem, that ntfs permission seem to mix "create directories" and "append data". Now the "append data" part is the one (when on deny) preventing users from saving files in a directory, wich is not wanted. But when on allow, the same permission makes it possible to create subdirectories.

In windows explorer security window the both permissions are set with the same checkbox, but as the enumeration FileSystemRights has both CreateDirectories and AppendData, I thought I could set them appart from another.

directorySecurity.AddAccessRule(
                    new FileSystemAccessRule(sidAll, FileSystemRights.CreateDirectories, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
                    PropagationFlags.None, AccessControlType.Deny)
                    );

                directorySecurity.AddAccessRule(
                    new FileSystemAccessRule(sidAll, FileSystemRights.AppendData, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
                    PropagationFlags.None, AccessControlType.Allow)
                    );

                directoryInfo.SetAccessControl(directorySecurity);

But when setting one to allow and one to deny, both are denied.

Any thoughts or hints on this?

Shumachine
  • 61
  • 12

1 Answers1

3

The problem is solved the following way:

// Create a new DirectoryInfo object.
DirectoryInfo directoryInfo = new DirectoryInfo(_folderPath);

// Get a DirectorySecurity object that represents the 
// current security settings.
DirectorySecurity directorySecurity = directoryInfo.GetAccessControl();
SecurityIdentifier sidAll = new SecurityIdentifier("S-1-1-0");


//Set the permissions for files in that folder to allow

FileSystemRights rights = FileSystemRights.Modify | 
                          FileSystemRights.ReadAndExecute | 
                          FileSystemRights.ListDirectory |
                          FileSystemRights.Read |
                          FileSystemRights.Write 

directorySecurity.AddAccessRule(
            new FileSystemAccessRule(
                sidAll,
                rights,
                InheritanceFlags.ContainerInherit |
                InheritanceFlags.ObjectInherit, 
                PropagationFlags.None,
                AccessControlType.Allow)
            );

FileSystemRights subfolderRights = FileSystemRights.CreateDirectories |
                                   FileSystemRights.DeleteSubdirectoriesAndFiles |
                                   FileSystemRights.Delete;

//Set the rights for subfolders of the 

directorySecurity.AddAccessRule(
            new FileSystemAccessRule(
                sidAll,
                subfolderRights,
                InheritanceFlags.ContainerInherit, PropagationFlags.None,
                AccessControlType.Deny)
            );

// Set the new access settings.
directoryInfo.SetAccessControl(directorySecurity);

Note the differences in the InheritanceFlags-parameters and the AccessControllType-parameters. A friend of mine gave me the solution, but I was not yet able to investigate on the differences of the InheritanceFlags-parameters. As soon as I have had the time, I will try to give a hint on how they work.

The SecurityIdentifier sidAll is here just used as an example.

Shumachine
  • 61
  • 12
  • `SecurityIdentifier sidAll is here just used as an example.` What is SecurityIdentifier ? How can I get it from a username ? – Kiquenet Jun 06 '18 at 13:21
  • Sorry for the late answer: Please see this https://learn.microsoft.com/en-us/windows/desktop/secauthz/well-known-sids and this https://stackoverflow.com/questions/1040623/convert-a-username-to-a-sid-string-in-c-net – Shumachine Dec 02 '18 at 21:32