| Groups | Blog | Home |
dotnet security : How can I control folder permissions when creating a folder
Data" folder. Unfortunately it often sets the security of the created folder such that normal users can't write to the folder. I thought All Users was by definition accessible to all users. I can see that normal users have read/write access to: All Users All Users\Application Data All Users\Application Data\My Application But when I create: All Users\Application Data\My Application\My Data it sets up the security so only the owner or other Admins have write access. Sometimes it denies read access as well. The first time you run the application it has to write licensing info to the "Program Files\My Application" directory so it has to be run by an administrator. The unfortunate side-effect of that is that the data folder is always created by an administrator so normal users get locked out of it. This isn't even consistent. I have a few different products within the same product family. Some of them end up with permissions that allow normal users to have access to the folder, others deny them access but they all use the exact same Directory.CreateDirectory() call to create the folder. The only difference I can think of is that the folders that give read/write access have a space in the parent folder name. Why doesn't my data folder inherit it's permissions from the parent folder? Is there something I need to do to make it inherit? Of course, I also need all the files in my data folder to inherit the permissions of the parent folder.
Shawn,
I started playing with an ACL library but it seemed like massive overkill. Can you explain why a new folder under All Users\Application Data wouldn't give access to all users? I'd also like to know why it only happens sometimes. I have 4 folders on my system created exactly the same way, two have the same permissions as the parent folder, the other two limit access to the creator and administrators. I thought folders under All Users would always inherit permissions such that everyone would have access to them. My problem would be solved if I could find an ACL library that would let me set "inherit from parent" right after I create the folder. Steve [quoted text, click to view] ""Shawn Farkas"" <shawnfa@online.microsoft.com> wrote in message solution, you'll need to find a third party ACL library. (I believe you'llnews:%23rtfIeiiEHA.2200@cpmsftngxa10.phx.gbl... > Hi Steve, > > If you're using v1.1 or 1.0 of the framework, there is no built in ACL be [quoted text, click to view] > able to find on on gotdotnet.com to help you out). For v2.0, we'll be cpmsftngxa10.phx.gbl!TK2MSFTFEED01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12adding a new System.Security.AccessControl namespace and exposing > methods on the various File, Directory, and Registry classes to allow directly working with ACLs on your file system. > > -Shawn > http://blogs.msdn.com/shawnfa > > -- > > This posting is provided "AS IS" with no warranties, and confers no rights. > Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they > originated. > -------------------- > >Date: Mon, 23 Aug 2004 15:33:39 -0700 > >From: "Steve Hiner (331841)" <developerhatesspam@isiaz.com> > >User-Agent: Mozilla Thunderbird 0.6 (Windows/20040502) > >X-Accept-Language: en-us, en > >MIME-Version: 1.0 > >Subject: How can I control folder permissions when creating a folder > >Content-Type: text/plain; charset=us-ascii; format=flowed > >Content-Transfer-Encoding: 7bit > >Message-ID: <u9kOCFWiEHA.3876@TK2MSFTNGP12.phx.gbl> > >Newsgroups: microsoft.public.dotnet.security > >NNTP-Posting-Host: w146.z064220215.den-co.dsl.cnc.net 64.220.215.146 > >Lines: 1 > >Path: ..phx.gbl [quoted text, click to view] > >Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.security:7212 > >X-Tomcat-NG: microsoft.public.dotnet.security > > > >I have an application that stores data in the "All Users\Application > >Data" folder. Unfortunately it often sets the security of the created > >folder such that normal users can't write to the folder. > > > >I thought All Users was by definition accessible to all users. > > > >I can see that normal users have read/write access to: > >All Users > >All Users\Application Data > >All Users\Application Data\My Application > > > >But when I create: > >All Users\Application Data\My Application\My Data > >it sets up the security so only the owner or other Admins have write > >access. Sometimes it denies read access as well. > > > >The first time you run the application it has to write licensing info to > >the "Program Files\My Application" directory so it has to be run by an > >administrator. The unfortunate side-effect of that is that the data > >folder is always created by an administrator so normal users get locked > >out of it. > > > >This isn't even consistent. I have a few different products within the > >same product family. Some of them end up with permissions that allow > >normal users to have access to the folder, others deny them access but > >they all use the exact same Directory.CreateDirectory() call to create > >the folder. The only difference I can think of is that the folders that > >give read/write access have a space in the parent folder name. > > > >Why doesn't my data folder inherit it's permissions from the parent > >folder? Is there something I need to do to make it inherit? Of course, > >I also need all the files in my data folder to inherit the permissions > >of the parent folder. > > > >Steve > > > >
Hi Steve,
If you're using v1.1 or 1.0 of the framework, there is no built in ACL solution, you'll need to find a third party ACL library. (I believe you'll be able to find on on gotdotnet.com to help you out). For v2.0, we'll be adding a new System.Security.AccessControl namespace and exposing methods on the various File, Directory, and Registry classes to allow directly working with ACLs on your file system. -Shawn http://blogs.msdn.com/shawnfa -- This posting is provided "AS IS" with no warranties, and confers no rights. Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated. -------------------- [quoted text, click to view] >Date: Mon, 23 Aug 2004 15:33:39 -0700 >From: "Steve Hiner (331841)" <developerhatesspam@isiaz.com> >User-Agent: Mozilla Thunderbird 0.6 (Windows/20040502) >X-Accept-Language: en-us, en >MIME-Version: 1.0 >Subject: How can I control folder permissions when creating a folder >Content-Type: text/plain; charset=us-ascii; format=flowed >Content-Transfer-Encoding: 7bit >Message-ID: <u9kOCFWiEHA.3876@TK2MSFTNGP12.phx.gbl> >Newsgroups: microsoft.public.dotnet.security >NNTP-Posting-Host: w146.z064220215.den-co.dsl.cnc.net 64.220.215.146 >Lines: 1 >Path: cpmsftngxa10.phx.gbl!TK2MSFTFEED01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl >Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.security:7212 >X-Tomcat-NG: microsoft.public.dotnet.security > >I have an application that stores data in the "All Users\Application >Data" folder. Unfortunately it often sets the security of the created >folder such that normal users can't write to the folder. > >I thought All Users was by definition accessible to all users. > >I can see that normal users have read/write access to: >All Users >All Users\Application Data >All Users\Application Data\My Application > >But when I create: >All Users\Application Data\My Application\My Data >it sets up the security so only the owner or other Admins have write >access. Sometimes it denies read access as well. > >The first time you run the application it has to write licensing info to >the "Program Files\My Application" directory so it has to be run by an >administrator. The unfortunate side-effect of that is that the data >folder is always created by an administrator so normal users get locked >out of it. > >This isn't even consistent. I have a few different products within the >same product family. Some of them end up with permissions that allow >normal users to have access to the folder, others deny them access but >they all use the exact same Directory.CreateDirectory() call to create >the folder. The only difference I can think of is that the folders that >give read/write access have a space in the parent folder name. > >Why doesn't my data folder inherit it's permissions from the parent >folder? Is there something I need to do to make it inherit? Of course, >I also need all the files in my data folder to inherit the permissions >of the parent folder. > >Steve >
Hi Steve,
I'm not an ACL expert, but I believe the inheritance flag is set on the child, not the parent. So you need to be able to create your directory with that flag set. Since you can't do anything with ACLs until .NET 2.0, you're stuck pulling in the extra ACL library for now -- there's no current way to instruct the runtime that all children folders should start by inheriting their parents permissions. -Shawn http://blogs.msdn.com/shawnfa -- This posting is provided "AS IS" with no warranties, and confers no rights. Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated. -------------------- [quoted text, click to view] >From: "Steve Hiner" <newsgroup.me.hates.spam@isiaz.com> >References: <u9kOCFWiEHA.3876@TK2MSFTNGP12.phx.gbl> <#rtfIeiiEHA.2200@cpmsftngxa10.phx.gbl> >Subject: Re: How can I control folder permissions when creating a folder >Date: Tue, 24 Aug 2004 17:12:05 -0700 >Lines: 99 >X-Priority: 3 >X-MSMail-Priority: Normal >X-Newsreader: Microsoft Outlook Express 6.00.2800.1437 >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441 >Message-ID: <#HN5qgjiEHA.2356@TK2MSFTNGP10.phx.gbl> >Newsgroups: microsoft.public.dotnet.security >NNTP-Posting-Host: w146.z064220215.phx-az.dsl.cnc.net 64.220.215.146 >Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl >Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.security:7228 >X-Tomcat-NG: microsoft.public.dotnet.security > >Shawn, > >I started playing with an ACL library but it seemed like massive overkill. > >Can you explain why a new folder under All Users\Application Data wouldn't >give access to all users? I'd also like to know why it only happens >sometimes. I have 4 folders on my system created exactly the same way, two >have the same permissions as the parent folder, the other two limit access >to the creator and administrators. > >I thought folders under All Users would always inherit permissions such that >everyone would have access to them. > >My problem would be solved if I could find an ACL library that would let me >set "inherit from parent" right after I create the folder. > >Steve > >""Shawn Farkas"" <shawnfa@online.microsoft.com> wrote in message >news:%23rtfIeiiEHA.2200@cpmsftngxa10.phx.gbl... >> Hi Steve, >> >> If you're using v1.1 or 1.0 of the framework, there is no built in ACL >solution, you'll need to find a third party ACL library. (I believe you'll >be >> able to find on on gotdotnet.com to help you out). For v2.0, we'll be >adding a new System.Security.AccessControl namespace and exposing >> methods on the various File, Directory, and Registry classes to allow >directly working with ACLs on your file system. >> >> -Shawn >> http://blogs.msdn.com/shawnfa >> >> -- >> >> This posting is provided "AS IS" with no warranties, and confers no >rights. >> Note: For the benefit of the community-at-large, all responses to this >message are best directed to the newsgroup/thread from which they >> originated. >> -------------------- >> >Date: Mon, 23 Aug 2004 15:33:39 -0700 >> >From: "Steve Hiner (331841)" <developerhatesspam@isiaz.com> >> >User-Agent: Mozilla Thunderbird 0.6 (Windows/20040502) >> >X-Accept-Language: en-us, en >> >MIME-Version: 1.0 >> >Subject: How can I control folder permissions when creating a folder >> >Content-Type: text/plain; charset=us-ascii; format=flowed >> >Content-Transfer-Encoding: 7bit >> >Message-ID: <u9kOCFWiEHA.3876@TK2MSFTNGP12.phx.gbl> >> >Newsgroups: microsoft.public.dotnet.security >> >NNTP-Posting-Host: w146.z064220215.den-co.dsl.cnc.net 64.220.215.146 >> >Lines: 1 >> >Path: >cpmsftngxa10.phx.gbl!TK2MSFTFEED01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12 >.phx.gbl >> >Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.security:7212 >> >X-Tomcat-NG: microsoft.public.dotnet.security >> > >> >I have an application that stores data in the "All Users\Application >> >Data" folder. Unfortunately it often sets the security of the created >> >folder such that normal users can't write to the folder. >> > >> >I thought All Users was by definition accessible to all users. >> > >> >I can see that normal users have read/write access to: >> >All Users >> >All Users\Application Data >> >All Users\Application Data\My Application >> > >> >But when I create: >> >All Users\Application Data\My Application\My Data >> >it sets up the security so only the owner or other Admins have write >> >access. Sometimes it denies read access as well. >> > >> >The first time you run the application it has to write licensing info to >> >the "Program Files\My Application" directory so it has to be run by an >> >administrator. The unfortunate side-effect of that is that the data >> >folder is always created by an administrator so normal users get locked >> >out of it. >> > >> >This isn't even consistent. I have a few different products within the >> >same product family. Some of them end up with permissions that allow >> >normal users to have access to the folder, others deny them access but >> >they all use the exact same Directory.CreateDirectory() call to create >> >the folder. The only difference I can think of is that the folders that >> >give read/write access have a space in the parent folder name. >> > >> >Why doesn't my data folder inherit it's permissions from the parent >> >folder? Is there something I need to do to make it inherit? Of course, >> >I also need all the files in my data folder to inherit the permissions >> >of the parent folder. >> > >> >Steve >> > >> >> > > >
Steve,
The ACL on All Users\Application Data does not grant write access on existing files to the local Users group (unless the user is the file owner). Take a look at the directory security configuration in the "advanced" view in Windows Explorer, and you'll see that the Write permission for users only applies to the folder and its subfolders. This allows for creation of new files, but not editing of existing files. As for the difference between the four folders on your system, were two created under an admin account and two under a non-admin account? Do you see the same results if you create directories via the Windows UI as if you create them via your code? At any rate, how they got that way isn't the real issue here. Rather, you need a way to make the non-owned files writeable by non-admins even if they didn't create the files, which means using ACL functionality that isn't built into the .NET framework, preferably using an alternate library as Shawn suggested. There's one available at http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=e6098575-dda0-48b8-9abf-e0705af065d9. HTH, Nicole [quoted text, click to view] "Steve Hiner" <newsgroup.me.hates.spam@isiaz.com> wrote in message news:%23HN5qgjiEHA.2356@TK2MSFTNGP10.phx.gbl... > Shawn, > > I started playing with an ACL library but it seemed like massive overkill. > > Can you explain why a new folder under All Users\Application Data wouldn't > give access to all users? I'd also like to know why it only happens > sometimes. I have 4 folders on my system created exactly the same way, > two > have the same permissions as the parent folder, the other two limit access > to the creator and administrators. > > I thought folders under All Users would always inherit permissions such > that > everyone would have access to them. > > My problem would be solved if I could find an ACL library that would let > me > set "inherit from parent" right after I create the folder. > > Steve > > ""Shawn Farkas"" <shawnfa@online.microsoft.com> wrote in message > news:%23rtfIeiiEHA.2200@cpmsftngxa10.phx.gbl... >> Hi Steve, >> >> If you're using v1.1 or 1.0 of the framework, there is no built in ACL > solution, you'll need to find a third party ACL library. (I believe > you'll > be >> able to find on on gotdotnet.com to help you out). For v2.0, we'll be > adding a new System.Security.AccessControl namespace and exposing >> methods on the various File, Directory, and Registry classes to allow > directly working with ACLs on your file system. >> >> -Shawn >> http://blogs.msdn.com/shawnfa >> >> -- >> >> This posting is provided "AS IS" with no warranties, and confers no > rights. >> Note: For the benefit of the community-at-large, all responses to this > message are best directed to the newsgroup/thread from which they >> originated. >> -------------------- >> >Date: Mon, 23 Aug 2004 15:33:39 -0700 >> >From: "Steve Hiner (331841)" <developerhatesspam@isiaz.com> >> >User-Agent: Mozilla Thunderbird 0.6 (Windows/20040502) >> >X-Accept-Language: en-us, en >> >MIME-Version: 1.0 >> >Subject: How can I control folder permissions when creating a folder >> >Content-Type: text/plain; charset=us-ascii; format=flowed >> >Content-Transfer-Encoding: 7bit >> >Message-ID: <u9kOCFWiEHA.3876@TK2MSFTNGP12.phx.gbl> >> >Newsgroups: microsoft.public.dotnet.security >> >NNTP-Posting-Host: w146.z064220215.den-co.dsl.cnc.net 64.220.215.146 >> >Lines: 1 >> >Path: > cpmsftngxa10.phx.gbl!TK2MSFTFEED01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12 > .phx.gbl >> >Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.security:7212 >> >X-Tomcat-NG: microsoft.public.dotnet.security >> > >> >I have an application that stores data in the "All Users\Application >> >Data" folder. Unfortunately it often sets the security of the created >> >folder such that normal users can't write to the folder. >> > >> >I thought All Users was by definition accessible to all users. >> > >> >I can see that normal users have read/write access to: >> >All Users >> >All Users\Application Data >> >All Users\Application Data\My Application >> > >> >But when I create: >> >All Users\Application Data\My Application\My Data >> >it sets up the security so only the owner or other Admins have write >> >access. Sometimes it denies read access as well. >> > >> >The first time you run the application it has to write licensing info to >> >the "Program Files\My Application" directory so it has to be run by an >> >administrator. The unfortunate side-effect of that is that the data >> >folder is always created by an administrator so normal users get locked >> >out of it. >> > >> >This isn't even consistent. I have a few different products within the >> >same product family. Some of them end up with permissions that allow >> >normal users to have access to the folder, others deny them access but >> >they all use the exact same Directory.CreateDirectory() call to create >> >the folder. The only difference I can think of is that the folders that >> >give read/write access have a space in the parent folder name. >> > >> >Why doesn't my data folder inherit it's permissions from the parent >> >folder? Is there something I need to do to make it inherit? Of course, >> >I also need all the files in my data folder to inherit the permissions >> >of the parent folder. >> > >> >Steve >> > >> >> > >
Thanks to both of you.
I'll dig into the ACL stuff a bit more. The main reason I didn't want to get into it was the idea of trying to figure out what permissions to add (do I add the local Users, domain Users, etc.). The idea of just setting inherit from parent is a lot more appealing since I know it already has the correct permissions. Hopefully I can find an ACL implementation that lets me set that. To answer your question about the folder creation. On the XP boxes It's possible that some were created by normal User accounts but my Win2k box I'm quite certain they were all created by an Admin account and they still have mixed permission. I'm not going to work on that issue as long as I can figure out how to make it work in the future. The annoying thing about it now is that I have to create an updated version of my app that adjusts the permission on existing folders so my current users won't have trouble with it. Hopefully I don't end up changing something the user's IT department doesn't like. I just really don't like messing with permissions on folders on someone else's system. Thanks again, Steve [quoted text, click to view] "Nicole Calinoiu" <nicolec@somewhere.net> wrote in message
news:O%23gTYN3iEHA.632@TK2MSFTNGP12.phx.gbl... > Steve, > > The ACL on All Users\Application Data does not grant write access on > existing files to the local Users group (unless the user is the file owner). > Take a look at the directory security configuration in the "advanced" view > in Windows Explorer, and you'll see that the Write permission for users only > applies to the folder and its subfolders. This allows for creation of new > files, but not editing of existing files. > > As for the difference between the four folders on your system, were two > created under an admin account and two under a non-admin account? Do you > see the same results if you create directories via the Windows UI as if you > create them via your code? > > At any rate, how they got that way isn't the real issue here. Rather, you > need a way to make the non-owned files writeable by non-admins even if they > didn't create the files, which means using ACL functionality that isn't > built into the .NET framework, preferably using an alternate library as > Shawn suggested. There's one available at > http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=e6098575-dda0-48b8-9abf-e0705af065d9. > > HTH, > Nicole > > > > "Steve Hiner" <newsgroup.me.hates.spam@isiaz.com> wrote in message > news:%23HN5qgjiEHA.2356@TK2MSFTNGP10.phx.gbl... > > Shawn, > > > > I started playing with an ACL library but it seemed like massive overkill. > > > > Can you explain why a new folder under All Users\Application Data wouldn't > > give access to all users? I'd also like to know why it only happens > > sometimes. I have 4 folders on my system created exactly the same way, > > two > > have the same permissions as the parent folder, the other two limit access > > to the creator and administrators. > > > > I thought folders under All Users would always inherit permissions such > > that > > everyone would have access to them. > > > > My problem would be solved if I could find an ACL library that would let > > me > > set "inherit from parent" right after I create the folder. > > > > Steve > > > > ""Shawn Farkas"" <shawnfa@online.microsoft.com> wrote in message > > news:%23rtfIeiiEHA.2200@cpmsftngxa10.phx.gbl... > >> Hi Steve, > >> > >> If you're using v1.1 or 1.0 of the framework, there is no built in ACL > > solution, you'll need to find a third party ACL library. (I believe > > you'll > > be > >> able to find on on gotdotnet.com to help you out). For v2.0, we'll be > > adding a new System.Security.AccessControl namespace and exposing > >> methods on the various File, Directory, and Registry classes to allow > > directly working with ACLs on your file system. > >> > >> -Shawn > >> http://blogs.msdn.com/shawnfa > >> > >> -- > >> > >> This posting is provided "AS IS" with no warranties, and confers no > > rights. > >> Note: For the benefit of the community-at-large, all responses to this > > message are best directed to the newsgroup/thread from which they > >> originated. > >> -------------------- > >> >Date: Mon, 23 Aug 2004 15:33:39 -0700 > >> >From: "Steve Hiner (331841)" <developerhatesspam@isiaz.com> > >> >User-Agent: Mozilla Thunderbird 0.6 (Windows/20040502) > >> >X-Accept-Language: en-us, en > >> >MIME-Version: 1.0 > >> >Subject: How can I control folder permissions when creating a folder > >> >Content-Type: text/plain; charset=us-ascii; format=flowed > >> >Content-Transfer-Encoding: 7bit > >> >Message-ID: <u9kOCFWiEHA.3876@TK2MSFTNGP12.phx.gbl> > >> >Newsgroups: microsoft.public.dotnet.security > >> >NNTP-Posting-Host: w146.z064220215.den-co.dsl.cnc.net 64.220.215.146 > >> >Lines: 1 > >> >Path: > > cpmsftngxa10.phx.gbl!TK2MSFTFEED01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12 > > .phx.gbl > >> >Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.security:7212 > >> >X-Tomcat-NG: microsoft.public.dotnet.security > >> > > >> >I have an application that stores data in the "All Users\Application > >> >Data" folder. Unfortunately it often sets the security of the created > >> >folder such that normal users can't write to the folder. > >> > > >> >I thought All Users was by definition accessible to all users. > >> > > >> >I can see that normal users have read/write access to: > >> >All Users > >> >All Users\Application Data > >> >All Users\Application Data\My Application > >> > > >> >But when I create: > >> >All Users\Application Data\My Application\My Data > >> >it sets up the security so only the owner or other Admins have write > >> >access. Sometimes it denies read access as well. > >> > > >> >The first time you run the application it has to write licensing info to > >> >the "Program Files\My Application" directory so it has to be run by an > >> >administrator. The unfortunate side-effect of that is that the data > >> >folder is always created by an administrator so normal users get locked > >> >out of it. > >> > > >> >This isn't even consistent. I have a few different products within the > >> >same product family. Some of them end up with permissions that allow > >> >normal users to have access to the folder, others deny them access but > >> >they all use the exact same Directory.CreateDirectory() call to create > >> >the folder. The only difference I can think of is that the folders that > >> >give read/write access have a space in the parent folder name. > >> > > >> >Why doesn't my data folder inherit it's permissions from the parent > >> >folder? Is there something I need to do to make it inherit? Of course, > >> >I also need all the files in my data folder to inherit the permissions > >> >of the parent folder. > >> > > >> >Steve > >> > > >> > >>
[quoted text, click to view] "Steve Hiner" <newsgroup.me.hates.spam@isiaz.com> wrote in message news:OyfFPL5iEHA.3016@tk2msftngp13.phx.gbl... > Thanks to both of you. > > I'll dig into the ACL stuff a bit more. The main reason I didn't want to > get into it was the idea of trying to figure out what permissions to add > (do > I add the local Users, domain Users, etc.). The Domain Users group is usually a member of the local Users group, so the latter is probably more relevant for an application that is run locally unless the application user also requires permissions to network resources in order for the application to run correctly. [quoted text, click to view] > The idea of just setting > inherit from parent is a lot more appealing since I know it already has > the > correct permissions. As per my previous post, I have some serious doubts that the parent is actually granting the permissions that you think it is. [quoted text, click to view] > Hopefully I can find an ACL implementation that lets > me set that. > > To answer your question about the folder creation. On the XP boxes It's > possible that some were created by normal User accounts but my Win2k box > I'm > quite certain they were all created by an Admin account and they still > have > mixed permission. Are you sure that the permissions granted to the All Users\Application Data folder are the same on Win2K and WinXP? I don't have an installed copy of Win2K Workstation to verify this against, but it wouldn't surprise me at all if the default ACL were tightened somewhere between the initial release of Win2K and the release of WinXP SP2. You might even find some differences between service packs for Win2K. [quoted text, click to view] > I'm not going to work on that issue as long as I can > figure out how to make it work in the future. > > The annoying thing about it now is that I have to create an updated > version > of my app that adjusts the permission on existing folders so my current > users won't have trouble with it. I hope that means your application's folders, not the All Users\Application Data folder. <g> [quoted text, click to view] > Hopefully I don't end up changing > something the user's IT department doesn't like. I just really don't like > messing with permissions on folders on someone else's system. One way to get around this is to create a new local or domain group for users of your application. Another would be to create a security configuration utility for your application folder(s) so that the domain admins can specify which users and/or groups will have the necessary permissions on the target folders and files. If this can be run from the command line, they could add it to users' logon scripts in order to facilitate deployment. [quoted text, click to view] >
> Thanks again, > Steve > > "Nicole Calinoiu" <nicolec@somewhere.net> wrote in message > news:O%23gTYN3iEHA.632@TK2MSFTNGP12.phx.gbl... >> Steve, >> >> The ACL on All Users\Application Data does not grant write access on >> existing files to the local Users group (unless the user is the file > owner). >> Take a look at the directory security configuration in the "advanced" >> view >> in Windows Explorer, and you'll see that the Write permission for users > only >> applies to the folder and its subfolders. This allows for creation of >> new >> files, but not editing of existing files. >> >> As for the difference between the four folders on your system, were two >> created under an admin account and two under a non-admin account? Do you >> see the same results if you create directories via the Windows UI as if > you >> create them via your code? >> >> At any rate, how they got that way isn't the real issue here. Rather, >> you >> need a way to make the non-owned files writeable by non-admins even if > they >> didn't create the files, which means using ACL functionality that isn't >> built into the .NET framework, preferably using an alternate library as >> Shawn suggested. There's one available at >> > http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=e6098575-dda0-48b8-9abf-e0705af065d9. >> >> HTH, >> Nicole >> >> >> >> "Steve Hiner" <newsgroup.me.hates.spam@isiaz.com> wrote in message >> news:%23HN5qgjiEHA.2356@TK2MSFTNGP10.phx.gbl... >> > Shawn, >> > >> > I started playing with an ACL library but it seemed like massive > overkill. >> > >> > Can you explain why a new folder under All Users\Application Data > wouldn't >> > give access to all users? I'd also like to know why it only happens >> > sometimes. I have 4 folders on my system created exactly the same way, >> > two >> > have the same permissions as the parent folder, the other two limit > access >> > to the creator and administrators. >> > >> > I thought folders under All Users would always inherit permissions such >> > that >> > everyone would have access to them. >> > >> > My problem would be solved if I could find an ACL library that would >> > let >> > me >> > set "inherit from parent" right after I create the folder. >> > >> > Steve >> > >> > ""Shawn Farkas"" <shawnfa@online.microsoft.com> wrote in message >> > news:%23rtfIeiiEHA.2200@cpmsftngxa10.phx.gbl... >> >> Hi Steve, >> >> >> >> If you're using v1.1 or 1.0 of the framework, there is no built in ACL >> > solution, you'll need to find a third party ACL library. (I believe >> > you'll >> > be >> >> able to find on on gotdotnet.com to help you out). For v2.0, we'll be >> > adding a new System.Security.AccessControl namespace and exposing >> >> methods on the various File, Directory, and Registry classes to allow >> > directly working with ACLs on your file system. >> >> >> >> -Shawn >> >> http://blogs.msdn.com/shawnfa >> >> >> >> -- >> >> >> >> This posting is provided "AS IS" with no warranties, and confers no >> > rights. >> >> Note: For the benefit of the community-at-large, all responses to >> >> this >> > message are best directed to the newsgroup/thread from which they >> >> originated. >> >> -------------------- >> >> >Date: Mon, 23 Aug 2004 15:33:39 -0700 >> >> >From: "Steve Hiner (331841)" <developerhatesspam@isiaz.com> >> >> >User-Agent: Mozilla Thunderbird 0.6 (Windows/20040502) >> >> >X-Accept-Language: en-us, en >> >> >MIME-Version: 1.0 >> >> >Subject: How can I control folder permissions when creating a folder >> >> >Content-Type: text/plain; charset=us-ascii; format=flowed >> >> >Content-Transfer-Encoding: 7bit >> >> >Message-ID: <u9kOCFWiEHA.3876@TK2MSFTNGP12.phx.gbl> >> >> >Newsgroups: microsoft.public.dotnet.security >> >> >NNTP-Posting-Host: w146.z064220215.den-co.dsl.cnc.net 64.220.215.146 >> >> >Lines: 1 >> >> >Path: >> > > cpmsftngxa10.phx.gbl!TK2MSFTFEED01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12 >> > .phx.gbl >> >> >Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.security:7212 >> >> >X-Tomcat-NG: microsoft.public.dotnet.security >> >> >
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
| home · blog · groups | Questions? Comments? Contact the dn |