
C# File/Directory Permissions

I am writing an application to manage user access to files. The short version of a very long story is that I have to use directory and file privileges to do it. No document management system for our cheap CEO...

Anyway... I have everything working except the case where the user can view which files are in the directory but not actually see the contents of the file. (There may be sensitive HR data in the files.)

I tried FileSystemRights.ListDirectory, but that seems to (despite MS documentation) set ReadData to true as well. I turn off ReadData (the ability to read the files) and I suddenly have no access to the directory again. The two appear linked.

Any ideas for which permission(s) to set to achieve this?

My current code is:

SetSecurity(pth, usr, FileSystemRights.ListDirectory, AccessControlType.Allow);

...

public void SetSecurity(string dirName, string account,
    FileSystemRights rights, AccessControlType controlType)
{
    // Get a DirectorySecurity object that represents the
    // current security settings.
    DirectorySecurity dSecurity = Directory.GetAccessControl(dirName);

    dSecurity.AddAccessRule(new FileSystemAccessRule(account, rights, controlType));

    // Set the new access settings.
    Directory.SetAccessControl(dirName, dSecurity);
}

Thanks.

--Jerry

The FileSystemRights enum maps both ReadData and ListDirectory to the value 1, so the two are 100% equivalent as far as .NET is concerned.

Have you tried Traverse as opposed to ListDirectory?

Edit: Based on this KB article it appears that Windows XP considers them to be the same too, just one applies only to files, and one applies only to directories.

Edit 2: As long as you set the ReadData/ListDirectory access rule to NOT be inherited by child objects, you should be able to apply it to the directory without applying it to the files in the directory. The FileSystemAccessRule class does support changing inheritance flags.

The files are probably inheriting the security properties from parent.

You may try calling DirectorySecurity.SetAccessRuleProtection(true, false) to prevent the files from inheriting, before calling Directory.SetAccessControl();

Yep. Traverse (I think it's mis-named) allows me to execute a program within a folder, but NOT view the contents of a folder. Not sure why this is useful, to be honest.

I'm about to tell the CEO that it can't be done and watch the sparks fly again. :P

It is the inheritance and propagation values that were not set when instantiating the FileSystemAccessRule.
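
The inheritance-flag approach suggested in the answers above, as an added example that is not part of the original posts. It assumes .NET Framework, as in the question's code, and the names `ListOnlyAcl`, `GrantListOnly` and `ReportReadableFiles` are made up for illustration. It puts the ListDirectory ACE on the folder only, then reports which ACEs on the files still allow ReadData.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class ListOnlyAcl
{
    // Allow listing the folder itself; InheritanceFlags.None keeps the ACE off child objects.
    // ObjectInherit would hand ReadData to every file, because ListDirectory == ReadData == 1.
    public static void GrantListOnly(string dirName, string account)
    {
        DirectorySecurity dSecurity = Directory.GetAccessControl(dirName);
        dSecurity.AddAccessRule(new FileSystemAccessRule(
            account, FileSystemRights.ListDirectory,
            InheritanceFlags.None, PropagationFlags.None,
            AccessControlType.Allow));
        Directory.SetAccessControl(dirName, dSecurity);
    }

    // Print every Allow ACE on the files that still carries ReadData, and where it came from.
    // Group membership is not resolved here: each identity still has to be reviewed.
    public static int ReportReadableFiles(string dirName)
    {
        int findings = 0;
        foreach (string file in Directory.GetFiles(dirName))
        {
            FileSecurity fSecurity = File.GetAccessControl(file);
            foreach (FileSystemAccessRule rule in
                     fSecurity.GetAccessRules(true, true, typeof(NTAccount)))
            {
                bool grantsRead = rule.AccessControlType == AccessControlType.Allow
                    && (rule.FileSystemRights & FileSystemRights.ReadData) != 0;
                if (!grantsRead) continue;
                findings++;
                Console.WriteLine("{0}: {1} can read ({2})", Path.GetFileName(file),
                    rule.IdentityReference.Value, rule.IsInherited ? "inherited" : "explicit");
            }
        }
        return findings;
    }

    static void Main(string[] args)
    {
        // args[0] = directory, args[1] = account; both supplied by the caller.
        GrantListOnly(args[0], args[1]);
        Console.WriteLine("{0} ACE(s) still allow ReadData on files", ReportReadableFiles(args[0]));
    }
}
```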
