Access control for files and directories (2) Add access control


Access control operations on files and directories are essentially the same, so the book generally does not repeat an example for both; the reader can practice the directory variants on their own.

Code Listing 7-9 is a simple example that demonstrates adding access control to a file.

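Code Listing 7-9: Adding access control to a file

    // Requires: using System.IO; using System.Security.AccessControl;
    //           using System.Security.Principal;
    using (FileStream file = new FileStream(@"E:\AclTest\acltest.txt", FileMode.Open, FileAccess.ReadWrite))
    {
        // Retrieve the file's current security object (owner, group and access rules).
        FileSecurity security = file.GetAccessControl();

        // Build a rule that allows the named account to read the file.
        FileSystemAccessRule rule = new FileSystemAccessRule(
            new NTAccount(@"Xuanhuncomputer\xuanhun"), FileSystemRights.Read,
            AccessControlType.Allow);

        // Add the rule to the in-memory security object.
        security.AddAccessRule(rule);

        // Persist the modified security object back to the file.
        file.SetAccessControl(security);
    }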

Now let's analyze Code Listing 7-9 to understand the details of adding access control to a single file. The first step is to obtain an object that gives access to the file; FileStream is used here, although File or FileInfo may be your preferred option. Calling the GetAccessControl method retrieves the file's security object (of type FileSecurity), which, among other things, contains an ordered set of access rules that collectively determine the rights each user and group has to the file. In the example, a new access rule is added to the FileSecurity object to grant the user named xuanhun access to the file. For the change to take effect, it must be persisted to storage. This last step is done by calling the SetAccessControl method.

Listing 7-9 shows how to assign access to an existing file, so how do you assign permissions at the moment a file is created? There is an important security reason for doing so: securable objects are always created with some default security semantics. By default, objects in a hierarchical resource manager (such as a file system or the registry) inherit their security settings from their parent objects, so files inherit their security settings from their parent directory. The default rights depend on the type of object you are creating, and may not be what you want. For example, you would rarely intentionally create an object that everyone has full access to, but that may happen to be what the default security settings specify. You cannot simply create objects with the default security settings and modify those settings later, because protecting an object after it has been created opens a window of opportunity (between creation and modification) during which the object may be hijacked. Hijacking can cause the creator to lose control of the object just created, which can have disastrous consequences. Listing 7-10 shows how to configure an access rule when creating a file.

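Code Listing 7-10: Adding a rule for a newly created file

    // Requires: using System.IO; using System.Security.AccessControl;
    //           using System.Security.Principal;
    // Build the security object before the file exists.
    FileSecurity security = new FileSecurity();
    FileSystemAccessRule rule = new FileSystemAccessRule(
        new NTAccount(@"Xuanhuncomputer\xuanhun"), FileSystemRights.Read,
        AccessControlType.Allow);
    security.AddAccessRule(rule);

    // Pass the security object to the constructor so the file is created with it.
    // This FileStream overload that accepts a FileSecurity is a .NET Framework API.
    FileStream file = new FileStream(
        @"M:\temp\sample.txt", FileMode.CreateNew, FileSystemRights.Read,
        FileShare.None, 4096, FileOptions.None, security);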

Code Listing 7-10 performs the same operations as Listing 7-9, but in a different order, and without having to persist the changes afterwards (because the object is new). Before creating the file, create a FileSecurity object and populate it with the required access rules. The FileSecurity instance is then passed to the FileStream constructor, so the file is correctly protected from the outset.
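An added example, not from the book or the original article: the FileSecurity in Listing 7-10 does not block inheritance, so inheritable rules from the parent directory are still merged into the new file. This .NET Framework variant marks the access rules as protected at creation time and then reads the DACL back from the open handle to confirm what was actually applied. The class and method names and the temp-file path are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class ProtectedCreate   // hypothetical name, not from the book
{
    // Creates the file with its final DACL in a single step, so it never
    // exists with only the parent directory's default permissions.
    static FileStream CreatePrivateFile(string path)
    {
        SecurityIdentifier creator = WindowsIdentity.GetCurrent().User;
        FileSecurity security = new FileSecurity();
        // isProtected: true blocks rules inherited from the parent directory;
        // preserveInheritance: false means none are copied in as explicit rules.
        security.SetAccessRuleProtection(true, false);
        security.AddAccessRule(new FileSystemAccessRule(
            creator, FileSystemRights.FullControl, AccessControlType.Allow));
        // FileMode.CreateNew throws if the path already exists, so an object
        // created earlier by someone else is never silently reused.
        return new FileStream(path, FileMode.CreateNew,
            FileSystemRights.Read | FileSystemRights.Write,
            FileShare.None, 4096, FileOptions.None, security);
    }

    static void Main()
    {
        // Constructed sample path in the current user's temp directory.
        string path = Path.Combine(Path.GetTempPath(), Guid.NewGuid() + ".txt");
        using (FileStream file = CreatePrivateFile(path))
        {
            // Read the DACL back and list every rule, explicit and inherited.
            FileSecurity actual = file.GetAccessControl();
            foreach (FileSystemAccessRule r in actual.GetAccessRules(
                         true, true, typeof(SecurityIdentifier)))
            {
                Console.WriteLine("{0} {1} {2} inherited={3}",
                    r.IdentityReference, r.AccessControlType,
                    r.FileSystemRights, r.IsInherited);
            }
            Console.WriteLine("protected={0}", actual.AreAccessRulesProtected);
        }
        File.Delete(path);
    }
}
```

On a correctly protected file the listing shows a single Allow rule for the creator's SID with inherited=False, followed by protected=True.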

Note: This part of the text is adapted from ".NET Security Secrets."

Author: Hyun-Soul

Source: http://www.cnblogs.com/xuanhun/
