. Net (C #): sets access control for File System Objects

I have written several articles about Windows Access Control:

• Implementation of Windows Access Control in. Net (C #) (ACE, SD, DACL, SACL)
• . Net (C #): Use Ram to create a file that only the current user can access.
• . Net (C #): Use objectsecurity. setaccessruleprotection to retain access control data

 

This article plays a complementary role.

 

Let's talk about setting up Object Access Control for a file system in Windows (specifically in Windows 7). For example, we want to make this object accessible (and controlled) only by the owner ), at the same time, this object does not inherit any control options of the parent container.

Select advanced from the Security tab of the property:

Here the inherited access control options are clearly included.

 

Select change permission, and then select cancel from parent object to inherit permissions:

 

After you cancel this option, Windows will prompt you whether to display and define the inherited permissions or delete all the permissions? (There is another cancellation operation ).

Well, since we only need to define the permissions that the owner can access, and do not need other inherited permissions, select Delete.

 

Next, add a permission for the current user:

 

Finally, select the required permissions:

 

Next, perform the above operations in. net. The following method can be used to cyclically set the access control options for the subfolders and subfolders in a folder according to the above requirements:

// + Using system. IO;

// + Using system. Security. Principal;

// + Using system. Security. accesscontrol;

Static void setmyaccessrules (string folder)

{

VaR currentidentity = windowsidentity. getcurrent ();

Foreach (var file in directory. getfiles (folder ))

{

// Create an access rule (only add full control for the current user)

VaR accessrule = new filesystemaccessrule (currentidentity. User, filesystemrights. fullcontrol, accesscontroltype. Allow );

// Create a security Description: The filesecurity object for the file.

VaR filesecur = new filesecurity ();

// Add an access rule

Filesecur. addaccessrule (accessrule );

// Set inheritance options

Filesecur. setaccessruleprotection (true, false );

// Set the file

File. setaccesscontrol (file, filesecur );

 

}

Foreach (VAR dir in directory. getdirectories (folder ))

{

// Create an access rule (only add full control for the current user)

VaR accessrule = new filesystemaccessrule (currentidentity. User, filesystemrights. fullcontrol, accesscontroltype. Allow );

// Create a security Description: directory-specific directorysecurity object

VaR dirsecur = new directorysecurity ();

// Add an access rule

Dirsecur. addaccessrule (accessrule );

// Set inheritance options

Dirsecur. setaccessruleprotection (true, false );

// Set the folder

Directory. setaccesscontrol (Dir, dirsecur );

 

Setmyaccessrules (DIR );

}

}

 

After this method is called, in Windows 7, the file object is set to (only) the current user due to the permission, and the file icon adds a small lock:

 

 

If all the sub-objects in a folder are defined in this way, it will take a lot of time to remove the access permission one by one, in this way, I wrote a small method to remove all display and definition permissions in the folder, so that the file object can retain the default inheritance options and code;

// + Using system. IO;

// + Using system. Security. Principal;

// + Using system. Security. accesscontrol;

Static void clearmyaccessrules (string folder)

{

Foreach (var file in directory. getfiles (folder ))

{

// Create an empty ACL

VaR filesecurity = new filesecurity ();

// Set inheritance

Filesecurity. setaccessruleprotection (false, true );

// Set the file

File. setaccesscontrol (file, filesecurity );

}

Foreach (VAR dir in directory. getdirectories (folder ))

{

// Create an empty ACL

VaR dirsecurity = new directorysecurity ();

// Set inheritance

Dirsecurity. setaccessruleprotection (false, true );

// Set the folder

Directory. setaccesscontrol (Dir, dirsecurity );

 

Clearmyaccessrules (DIR );

}

}

 

In this way, the access control options of file objects are retained to the default state: