Hi all,

I'm trying to use the new ACL functonality in .NET 2.0 to set permissions
for a Web application in a pre-installer configuration app.

I seem to be able to set the permissions and add users to the ACLs ok, but I
can't figure out how to set the inheritance for the directory.

There's an PropagationFlags property on the FileSystemAccessRule class, but
it's read only and I can't see anything that allows me to set the
propagation for the new ACLs or on the directory...

Anybody have any ideas on how to do this?


Below is some rough code I'm working with

/// <summary>
/// Sets the actual ACL based on the property settings of this class
/// </summary>
/// <returns></returns>
public bool SetAcl()
{
if ( this.Pathname == null || this.Pathname == "")
{
ErrorMessage += "Path cannot be empty.";
return false;
}

// *** Strip off trailing backslash which isn't supported
this.Pathname = this.Pathname.TrimEnd('\\');

FileSystemRights Rights = (FileSystemRights) 0;

if (this.UserRights == "R")
Rights = FileSystemRights.Read;
else if (this.UserRights == "C")
Rights = FileSystemRights.ChangePermissions;
else if (this.UserRights == "F")
Rights = FileSystemRights.FullControl;

FileSystemAccessRule AccessRule = new
FileSystemAccessRule(this.Username, Rights, AccessControlType.Allow);

//if (this.InheritSubDirectories)
// AccessRule.PropagationFlags =
PropagationFlags.InheritOnly;



DirectoryInfo Info = new DirectoryInfo(this.Pathname);

DirectorySecurity Security =
Info.GetAccessControl(AccessControlSections.Access);
Security.AddAccessRule(AccessRule);

Info.SetAccessControl( Security );

return true;
}


--

Rick Strahl
West Wind Technologies
www.west-wind.com
www.west-wind.com/weblog

Take a look at the other FileSystemAccessRule constructor overrides, they
take InheritanceFlags and PropagationFlags.

Willy.


[quoted text, click to view]

Thanks Willy,

That helped some. I see the propagation now.

Took me a while to get this working right though nevertheless. The
propagation options are very confusing. It appears you need to set the
non-propagation rules first, then add the propagation rules separately. It
seems like this should be done in one pass instead of two. Maybe I'm missing
something but here's what this ended up like:

public bool SetAcl()
{
if ( this.Pathname == null || this.Pathname == "")
{
ErrorMessage += "Path cannot be empty.";
return false;
}

// *** Strip off trailing backslash which isn't supported
this.Pathname = this.Pathname.TrimEnd('\\');

FileSystemRights Rights = (FileSystemRights) 0;

if (this.UserRights == "R")
Rights = FileSystemRights.ReadAndExecute;
else if (this.UserRights == "C")
Rights = FileSystemRights.ChangePermissions;
else if (this.UserRights == "F")
Rights = FileSystemRights.FullControl;

// *** Add Access Rule to the actual directory itself
FileSystemAccessRule AccessRule = new
FileSystemAccessRule(this.Username, Rights,
InheritanceFlags.None,
PropagationFlags.NoPropagateInherit,
AccessControlType.Allow);

DirectoryInfo Info = new DirectoryInfo(this.Pathname);
DirectorySecurity Security =
Info.GetAccessControl(AccessControlSections.Access);

bool Result = false;
Security.ModifyAccessRule(AccessControlModification.Set, AccessRule, out
Result);


// *** Always allow objects to inherit on a directory
InheritanceFlags iFlags = InheritanceFlags.ObjectInherit;
if (this.InheritSubDirectories)
iFlags = InheritanceFlags.ContainerInherit |
InheritanceFlags.ObjectInherit;

// *** Add Access rule for the inheritance
AccessRule = new FileSystemAccessRule(this.Username, Rights,
iFlags,
PropagationFlags.InheritOnly,
AccessControlType.Allow);
Result = false;
Security.ModifyAccessRule(AccessControlModification.Add, AccessRule, out
Result);

//Security.AddAccessRule(AccessRule);

Info.SetAccessControl(Security);


return true;
}

Notice the two FileSystemAccessRules and subsequent assignments.

It works, but it's very non-intuitive if that's the only way to accomplish
this. This is another instance where the BCL follows a complex Windows API
to the letter when a few options could have made operation much simpler.

Thanks for your help!


+++ Rick ---


However, I still can't seem to get the permissions set properly. What I need
is basically:

This Folder only AND Subfolder and Files only

When I run my code I get the subfolder and files propagation right. However,
I Can't seem to get the permissions to show up properly for the actual
target folder. In this folder, if I bring up the Security dialog after
runnign the code I see Special Permissions checked rather than the
permissions I checked. In the special permissions then I correctly see the
permissions assigned to the sub folders and files, but not hte current
folder itself.



--

Rick Strahl
West Wind Technologies
www.west-wind.com
www.west-wind.com/weblog

[quoted text, click to view]

[quoted text, click to view]

Note that you'll rarely want to give another user FullControl. The
reason is that the user gets more generic access than the file system
access. For example, the user will have the right to change ownership,
which means that user could take ownership of the secure object and then
deny access to anyone else but themselves. Even if you are the creator
of the object in this situation you will no longer have access.

In any case, you should *always* practice the principle of least
rights - only give a user as many rights as they need and no more. If
you follow this principle you will never give out FullControl.

[quoted text, click to view]

If you use InheritanceFlags.None then the propagation flag is ignored,
so for better readability it is best to use PropagationFlags.None.
NoPropagateInherit has a specific meaning, that is, the ACE will be
inherited by child objects but not by grandchild objects. There's more
details here:

http://msdn.microsoft.com/msdnmag/issues/04/11/AccessControlinNET/default.aspx

Richard
--
Fusion Tutorial: http://www.grimes.demon.co.uk/workshops/fusionWS.htm
Security Tutorial:
http://www.grimes.demon.co.uk/workshops/securityWS.htm