我正在完成一个工具,它将客户端Web应用程序更新为我们代码的最新版本。该实用程序是Windows C#应用程序。归档旧文件并放置新文件后,我需要为多个文件夹设置一些文件夹权限。
下面的代码会将NETWORK服务帐户添加到需要更改的文件夹中,但实际上并未设置权限。换句话说,我可以查看文件夹安全性并添加了NETWORK SERVICE,但是没有添加任何权限。代码如下所示:
public bool SetFolderPermissions(string folderName, out string errorMessage)
{
bool returnVal = false;
string returnMessage = string.Empty;
DirectoryInfo dirInfo = new DirectoryInfo(folderName);
try
{
DirectorySecurity dirSecurity = dirInfo.GetAccessControl(AccessControlSections.Access);
CanonicalizeDacl(dirSecurity);
dirSecurity.AddAccessRule(new FileSystemAccessRule("NETWORK SERVICE", FileSystemRights.Modify, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow));
dirInfo.SetAccessControl(dirSecurity);
returnVal = true;
errorMessage = "sucess";
}
catch (Exception e)
{
errorMessage = "Error occured while setting the permissions for" + folderName + ": " + e.Message;
}
return returnVal;
}
static void CanonicalizeDacl(NativeObjectSecurity objectSecurity)
{
if (objectSecurity == null) { throw new ArgumentNullException("objectSecurity"); }
if (objectSecurity.AreAccessRulesCanonical) { return; }
// A canonical ACL must have ACES sorted according to the following order:
// 1. Access-denied on the object
// 2. Access-denied on a child or property
// 3. Access-allowed on the object
// 4. Access-allowed on a child or property
// 5. All inherited ACEs
RawSecurityDescriptor descriptor = new RawSecurityDescriptor(objectSecurity.GetSecurityDescriptorSddlForm(AccessControlSections.Access));
List<CommonAce> implicitDenyDacl = new List<CommonAce>();
List<CommonAce> implicitDenyObjectDacl = new List<CommonAce>();
List<CommonAce> inheritedDacl = new List<CommonAce>();
List<CommonAce> implicitAllowDacl = new List<CommonAce>();
List<CommonAce> implicitAllowObjectDacl = new List<CommonAce>();
foreach (CommonAce ace in descriptor.DiscretionaryAcl)
{
if ((ace.AceFlags & AceFlags.Inherited) == AceFlags.Inherited) { inheritedDacl.Add(ace); }
else
{
switch (ace.AceType)
{
case AceType.AccessAllowed:
implicitAllowDacl.Add(ace);
break;
case AceType.AccessDenied:
implicitDenyDacl.Add(ace);
break;
case AceType.AccessAllowedObject:
implicitAllowObjectDacl.Add(ace);
break;
case AceType.AccessDeniedObject:
implicitDenyObjectDacl.Add(ace);
break;
}
}
}
Int32 aceIndex = 0;
RawAcl newDacl = new RawAcl(descriptor.DiscretionaryAcl.Revision, descriptor.DiscretionaryAcl.Count);
implicitDenyDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
implicitDenyObjectDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
implicitAllowDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
implicitAllowObjectDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
inheritedDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
if (aceIndex != descriptor.DiscretionaryAcl.Count)
{
System.Diagnostics.Debug.Fail("The DACL cannot be canonicalized since it would potentially result in a loss of information");
return;
}
descriptor.DiscretionaryAcl = newDacl;
objectSecurity.SetSecurityDescriptorSddlForm(descriptor.GetSddlForm(AccessControlSections.Access), AccessControlSections.Access);
}
}
有人可以指出我正确的方向或解决我的问题吗?
更新,我意识到代码实际上是设置权限,但它只显示在特殊权限下,这是正常的吗?虽然它确实设置了这些特殊权限,但它不允许我需要的访问权限,即Web应用程序无法将文件上载到指定位置。