
Set permissions for directory and also child folders

My C# code creates a user, creates a shared folder and sets the user permission on this folder.

For now, if I have folders like:

A
|_B
|_C
|_D

Then if I create a share for folder A, it shares only A without sharing B, C, D.


My question: how to enable inheritance? I mean to make B, C, D be shared also.

I have found this piece of code but it does nothing.

Here is my full code:

using System;
using System.DirectoryServices.AccountManagement;
using System.IO;
using System.Management;
using System.Security.AccessControl;
using System.Security.Principal;

string uName = "myusername";
string pass = "Rr1234567#";
string path = @"C:\Users\danielf\Desktop\A";
string shareName = "MyShare";
string description = "some description";

// Create the local user account
PrincipalContext ctx = new PrincipalContext(ContextType.Machine);
UserPrincipal user = new UserPrincipal(ctx, uName, pass, true);
user.PasswordNeverExpires = true;
user.Save();

// Add an NTFS access rule for the user on the folder (flags exactly as posted in the question)
DirectoryInfo dInfo = new DirectoryInfo(path);
WindowsIdentity id = WindowsIdentity.GetCurrent();
DirectorySecurity dSecurity = dInfo.GetAccessControl();
dSecurity.AddAccessRule(new FileSystemAccessRule(uName, FileSystemRights.FullControl,
    InheritanceFlags.ContainerInherit, PropagationFlags.InheritOnly, AccessControlType.Allow));
dInfo.SetAccessControl(dSecurity);

// Gets User SID for share permissions **NotSecurity**
NTAccount account = new NTAccount(System.Environment.MachineName, uName);
SecurityIdentifier sid = (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
byte[] sidArray = new byte[sid.BinaryLength];
sid.GetBinaryForm(sidArray, 0);

// Trustee (the user) for the share-level ACE
ManagementObject Trustee = new ManagementClass("root\\CIMV2", "Win32_Trustee", null);
Trustee["Domain"] = ".";
Trustee["Name"] = uName;
Trustee["SID"] = sidArray;

ManagementBaseObject AdminACE = new ManagementClass(new ManagementPath("Win32_Ace"), null);

// Add the input parameters.
AdminACE["AccessMask"] = 2032127; // 0x1F01FF: full control
AdminACE["AceFlags"] = 3;         // object inherit | container inherit
AdminACE["AceType"] = 0;          // access allowed
AdminACE["Trustee"] = Trustee;

// Security Descriptor For Share creation Parameter
ManagementObject secDescriptor = new ManagementClass(new ManagementPath("Win32_SecurityDescriptor"), null);
secDescriptor["ControlFlags"] = 4; // SE_DACL_PRESENT
secDescriptor["DACL"] = new object[] { AdminACE };

ManagementClass classInstance = new ManagementClass("root\\CIMV2", "Win32_Share", null);

// Obtain in-parameters for the method
ManagementBaseObject inParams = classInstance.GetMethodParameters("Create");

// Add the input parameters.
inParams["Name"] = shareName;
inParams["Path"] = path;
inParams["Type"] = 0; // disk drive share
inParams["Description"] = description;
inParams["Access"] = secDescriptor;
inParams["MaximumAllowed"] = null;

// Execute the method and obtain the return values.
ManagementBaseObject outParams = classInstance.InvokeMethod("Create", inParams, null);

Shares are of the whole directory tree; if the parent is shared, so are all the descendant folders.

But share and folder ACLs still apply.

If you cannot see the children of A via the share then check both the share and the folder permissions. In particular the identity used to access the share needs read access to both the share and to A to see the content of A.

Richard's comment to the question is correct and the most important information. Usually you don't need separate shares to the subfolders (only in very special circumstances).

In addition, his answer is also OK for the "check both share and folder permission".

There is a problem in the code. The NTFS ACL of the share's entry point is probably set incorrectly or at least non-standard and probably not what RTException wanted.

Using InheritanceFlags.ContainerInherit, PropagationFlags.InheritOnly (as in the original code) leads to:

  • NO access for the user to the entry folder (since the ACL is inherit only)
  • only subdirectories inherit this ACE, not files

If the usual "User" / "Authenticated User" permission is removed, the new user gets an access denied error since he cannot access even the entry directory.

Using

InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None

leads to the "default" permission.

And this is exactly the same as mentioned in the link in the question.

Windows ACLs / inheritance is a very complex topic and also very error-prone. There are some subtleties which can lead to unexpected results.
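
The effect of the two flag combinations compared in the answer above can be checked on a scratch folder. The following is an added example, not code from the question or the answers; it assumes Windows, and it uses NT AUTHORITY\LOCAL SERVICE as a stand-in trustee on the assumption that this account has no ACE on the temp directory already.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Principal;
static class AceInheritanceDemo
{
    // Assumption: LOCAL SERVICE has no ACE on the temp directory, so any ACE found is ours.
    static readonly SecurityIdentifier Trustee = new SecurityIdentifier(WellKnownSidType.LocalServiceSid, null);

    // Reports whether the trustee has an ACE on the object and whether it is effective there.
    static string Describe(FileSystemSecurity sec)
    {
        var ace = sec.GetAccessRules(true, true, typeof(SecurityIdentifier))
                     .Cast<FileSystemAccessRule>()
                     .FirstOrDefault(r => r.IdentityReference.Equals(Trustee));
        if (ace == null) return "no ACE";
        bool inheritOnly = (ace.PropagationFlags & PropagationFlags.InheritOnly) != 0;
        return inheritOnly ? "ACE present but inherit-only (grants nothing here)"
                           : "ACE effective" + (ace.IsInherited ? " (inherited)" : " (explicit)");
    }
    static void Run(string label, InheritanceFlags inherit, PropagationFlags propagate)
    {
        string rootPath = Path.Combine(Path.GetTempPath(), "acl-demo-" + Guid.NewGuid().ToString("N"));
        DirectoryInfo root = Directory.CreateDirectory(rootPath);
        try
        {
            DirectorySecurity sec = root.GetAccessControl();
            sec.AddAccessRule(new FileSystemAccessRule(Trustee, FileSystemRights.Read,
                                                       inherit, propagate, AccessControlType.Allow));
            root.SetAccessControl(sec);
            // Children are created after the ACL is set, so they inherit at creation time.
            DirectoryInfo sub = root.CreateSubdirectory("B");
            string filePath = Path.Combine(rootPath, "file.txt");
            File.WriteAllText(filePath, "constructed sample");
            Console.WriteLine(label);
            Console.WriteLine("  A (entry folder): " + Describe(root.GetAccessControl()));
            Console.WriteLine("  A\\B (subfolder):  " + Describe(sub.GetAccessControl()));
            Console.WriteLine("  A\\file.txt:       " + Describe(new FileInfo(filePath).GetAccessControl()));
        }
        finally { root.Delete(true); }
    }
    static void Main()
    {
        Run("ContainerInherit + InheritOnly (as in the question):", InheritanceFlags.ContainerInherit, PropagationFlags.InheritOnly);
        Run("ContainerInherit | ObjectInherit + None (as in the answer):", InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None);
    }
}
```

On .NET Framework the `GetAccessControl` and `SetAccessControl` calls are instance methods; on newer .NET they are extension methods in the `System.IO` namespace.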
