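Setting folder permissions using C#

Time: 2018-04-17 17:36:50

Tags: c#

I am finishing a utility that will update a client's web application to the latest version of our code. The utility is a Windows C# application. After archiving the old files and placing the new files, I need to set some folder permissions on several folders.

The code below adds the NETWORK SERVICE account to the folders that need to be changed, but it does not actually set the permissions. In other words, I can view the folder security and NETWORK SERVICE has been added, but no permissions were added. The code is shown below: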

using System;
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;

public bool SetFolderPermissions(string folderName, out string errorMessage)
{
  bool returnVal = false;
  DirectoryInfo dirInfo = new DirectoryInfo(folderName);
  try
  {
    // Read the current DACL and put its ACEs into canonical order before editing it.
    DirectorySecurity dirSecurity = dirInfo.GetAccessControl(AccessControlSections.Access);
    CanonicalizeDacl(dirSecurity);
    // Allow Modify for NETWORK SERVICE. With InheritOnly the ACE is inherited by
    // child folders and files and does not apply to this folder itself.
    dirSecurity.AddAccessRule(new FileSystemAccessRule(
      "NETWORK SERVICE",
      FileSystemRights.Modify,
      InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
      PropagationFlags.InheritOnly,
      AccessControlType.Allow));
    dirInfo.SetAccessControl(dirSecurity);
    returnVal = true;
    errorMessage = "success";
  }
  catch (Exception e)
  {
    errorMessage = "Error occurred while setting the permissions for " + folderName + ": " + e.Message;
  }
  return returnVal;
}

static void CanonicalizeDacl(NativeObjectSecurity objectSecurity)
{
  if (objectSecurity == null) { throw new ArgumentNullException("objectSecurity"); }
  if (objectSecurity.AreAccessRulesCanonical) { return; }

  // A canonical ACL must have ACES sorted according to the following order:
  //   1. Access-denied on the object
  //   2. Access-denied on a child or property
  //   3. Access-allowed on the object
  //   4. Access-allowed on a child or property
  //   5. All inherited ACEs 
  RawSecurityDescriptor descriptor = new RawSecurityDescriptor(objectSecurity.GetSecurityDescriptorSddlForm(AccessControlSections.Access));

  List<CommonAce> implicitDenyDacl = new List<CommonAce>();
  List<CommonAce> implicitDenyObjectDacl = new List<CommonAce>();
  List<CommonAce> inheritedDacl = new List<CommonAce>();
  List<CommonAce> implicitAllowDacl = new List<CommonAce>();
  List<CommonAce> implicitAllowObjectDacl = new List<CommonAce>();

  foreach (CommonAce ace in descriptor.DiscretionaryAcl)
  {
    if ((ace.AceFlags & AceFlags.Inherited) == AceFlags.Inherited) { inheritedDacl.Add(ace); }
    else
    {
      switch (ace.AceType)
      {
        case AceType.AccessAllowed:
          implicitAllowDacl.Add(ace);
          break;

        case AceType.AccessDenied:
          implicitDenyDacl.Add(ace);
          break;

        case AceType.AccessAllowedObject:
          implicitAllowObjectDacl.Add(ace);
          break;

        case AceType.AccessDeniedObject:
          implicitDenyObjectDacl.Add(ace);
          break;
      }
    }
  }

  Int32 aceIndex = 0;
  RawAcl newDacl = new RawAcl(descriptor.DiscretionaryAcl.Revision, descriptor.DiscretionaryAcl.Count);
  implicitDenyDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
  implicitDenyObjectDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
  implicitAllowDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
  implicitAllowObjectDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));
  inheritedDacl.ForEach(x => newDacl.InsertAce(aceIndex++, x));

  if (aceIndex != descriptor.DiscretionaryAcl.Count)
  {
    System.Diagnostics.Debug.Fail("The DACL cannot be canonicalized since it would potentially result in a loss of information");
    return;
  }

  descriptor.DiscretionaryAcl = newDacl;
  objectSecurity.SetSecurityDescriptorSddlForm(descriptor.GetSddlForm(AccessControlSections.Access), AccessControlSections.Access);
}


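Can someone point me in the right direction or solve my problem?

Update: I realized the code is actually setting the permissions, but they only show up under Special Permissions. Is this normal? Although it does set these special permissions, it does not allow the access I need, i.e. the web application cannot upload files to the specified location.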
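The `PropagationFlags.InheritOnly` value in the rule above makes the ACE apply to child objects only, which is why Explorer lists it under special permissions and the folder itself gains no Modify right. As an added example (not part of the original post), the C# below grants Modify with `PropagationFlags.None` and reads the DACL back to confirm the ACE covers the folder itself; the class name, method names and the temp-directory path are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class FolderAclExample   // hypothetical class name
{
    // Well-known SID avoids depending on the localized account name.
    static readonly SecurityIdentifier NetworkService =
        new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null);

    // Grants Modify on the folder itself and on everything created below it.
    public static void GrantModify(string folderPath)
    {
        var dirInfo = new DirectoryInfo(folderPath);
        DirectorySecurity acl = dirInfo.GetAccessControl(AccessControlSections.Access);
        acl.AddAccessRule(new FileSystemAccessRule(
            NetworkService,
            FileSystemRights.Modify,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,          // InheritOnly would skip this folder
            AccessControlType.Allow));
        dirInfo.SetAccessControl(acl);
    }

    // True when an allow ACE for NETWORK SERVICE gives Modify on the folder itself.
    public static bool HasModifyOnFolder(string folderPath)
    {
        DirectorySecurity acl =
            new DirectoryInfo(folderPath).GetAccessControl(AccessControlSections.Access);
        foreach (FileSystemAccessRule rule in
                 acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            bool appliesHere = (rule.PropagationFlags & PropagationFlags.InheritOnly) == 0;
            bool modify = (rule.FileSystemRights & FileSystemRights.Modify) == FileSystemRights.Modify;
            if (rule.IdentityReference.Equals(NetworkService) && appliesHere && modify
                && rule.AccessControlType == AccessControlType.Allow)
                return true;
        }
        return false;
    }

    static void Main()
    {
        // Constructed sample folder; substitute the real upload directory.
        string folder = Path.Combine(Path.GetTempPath(), "acl-demo-upload");
        Directory.CreateDirectory(folder);
        GrantModify(folder);
        Console.WriteLine("Modify applies to folder: " + HasModifyOnFolder(folder));
    }
}
```

Granting the rule only on the upload directory, rather than on the application root, keeps the service account's write access limited to where uploads land.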

0 answers:

No answers