C# File/Directory Permissions

No Comments

Today’s code problem comes from my real-world experience. I was working on an app to help manage file-rights here at my job.

The frustrating part was that it looked so simple. The default code from Microsoft shows that this is almost trivial:

1
2
3
4
5
6
7
8
9
// Get the directory security object.
DirectorySecurity dSecurity = Directory.GetAccessControl(dirName);
 
// change the rights on the object.
dSecurity.AddAccessRule(new FileSystemAccessRule(account,
rights, controlType));
 
// Set the new access settings.
Directory.SetAccessControl(dirName, dSecurity);
// Get the directory security object.
DirectorySecurity dSecurity = Directory.GetAccessControl(dirName);

// change the rights on the object.
dSecurity.AddAccessRule(new FileSystemAccessRule(account,
rights, controlType));

// Set the new access settings.
Directory.SetAccessControl(dirName, dSecurity);

But when you do it this way, you can no longer see the checkmarks in the default security tab. You have to go into “Advanced” to see your permissions.

Why?

Because doing it this way sets all of your permissions as “special” permissions, not any of the default standard permissions. Note that your file permissions are set properly. The rights really are set. You just can’t see the nice little check marks in windows.

I did some research to set the ACE (Access Control Entry) so that the checkmarks would re-appear, and found the following snippet of code:

1
2
3
4
5
6
dSecurity.AddAccessRule(new FileSystemAccessRule(
     IdentityReference, FileSystemRights, 
     InheritanceFlags.ContainerInherit |
     InheritanceFlags.ObjectInherit, 
     PropagationFlags.None,
     AccessControlType));
dSecurity.AddAccessRule(new FileSystemAccessRule(
     IdentityReference, FileSystemRights, 
     InheritanceFlags.ContainerInherit |
     InheritanceFlags.ObjectInherit, 
     PropagationFlags.None,
     AccessControlType));

So if I just do this after I set the new security the magic little checkboxes will reappear, right? YES! They did. But then all of the checkboxes for all OTHER users of that file or directory went away!!!

(*sigh*)

So, after doing some research, testing and playing, I’ve found a hack that will re-set the nice little checkboxes in the security tab. It’s ugly. It’s painful. But it works…. mostly. (more on that in just a second.)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
DirectorySecurity dSecurity = Directory.GetAccessControl(dirName);
 
// change the rights on the object.
dSecurity.AddAccessRule(new FileSystemAccessRule(account,
rights, controlType));
 
// Call my Bug-Fix routine
MSBugFix(dSecurity);
 
// Set the new access settings.
Directory.SetAccessControl(dirName, dSecurity);
 
...
 
private void MSBugFix(DirectorySecurity dSecurity)
{
// RESET EVERYONE'S ACE So that it will view properly
// in the Security tab. (MS BUG FIX!!)
AuthorizationRuleCollection acl = dSecurity.GetAccessRules(
true, true, typeof(System.Security.Principal.NTAccount));
 
foreach (FileSystemAccessRule ace in acl)
{
dSecurity.AddAccessRule(new FileSystemAccessRule(
ace.IdentityReference, ace.FileSystemRights,
InheritanceFlags.ContainerInherit |
InheritanceFlags.ObjectInherit,
PropagationFlags.None, ace.AccessControlType));
}
}
DirectorySecurity dSecurity = Directory.GetAccessControl(dirName);

// change the rights on the object.
dSecurity.AddAccessRule(new FileSystemAccessRule(account,
rights, controlType));

// Call my Bug-Fix routine
MSBugFix(dSecurity);

// Set the new access settings.
Directory.SetAccessControl(dirName, dSecurity);

...

private void MSBugFix(DirectorySecurity dSecurity)
{
// RESET EVERYONE'S ACE So that it will view properly
// in the Security tab. (MS BUG FIX!!)
AuthorizationRuleCollection acl = dSecurity.GetAccessRules(
true, true, typeof(System.Security.Principal.NTAccount));

foreach (FileSystemAccessRule ace in acl)
{
dSecurity.AddAccessRule(new FileSystemAccessRule(
ace.IdentityReference, ace.FileSystemRights,
InheritanceFlags.ContainerInherit |
InheritanceFlags.ObjectInherit,
PropagationFlags.None, ace.AccessControlType));
}
}

This works, but can be a bit slower if you have many files to do. Gee… I wonder why? Oh.. right. The nasty ALL USERS loop in there. But it does work…. until you install Service Patch 3 on the machine.

When you install Service Pack 3, the nice little checkboxes go away again. Note that your permissions and access to the files remain. You can still get to your files, you just have to go to “Advanced” to see the actual settings on your files.

If anyone has an actual fix for this issue, (not the ugly hack I had to develop) I would love to hear it. Until then, we just won’t be installing SP3.

EDIT: Some people have asked, why do I care about those pretty little check boxes. If everything works, whay do the checkboxes have to do with anything? We have an application at work that uses the same logic that sets those check boxes to do backups and restores. When those check boxes aren’t happy, the backups don’t run right because they assume that they don’t have access.

Leave a Reply