Recipe 17.14. Granting/Revoking Access to a File or Registry Key

Problem

You need to change the security privileges of either a file or registry key programmatically.

Solution

The code shown in Example 17-17 grants and then revokes the ability to perform write actions on a registry key.

Example 17-17. Granting and revoking the right to perform write actions on a registry key

    using System;
    using System.Security.AccessControl;
    using System.Security.Principal;
    using Microsoft.Win32;

    public static void GrantRevokeRegKeyRights()
    {
        NTAccount user = new NTAccount(@"WRKSTN\ST");
        // SetAccessControl needs a handle opened with ChangePermissions (WRITE_DAC);
        // the single-argument OpenSubKey returns a read-only handle, which is not enough.
        using (RegistryKey regKey = Registry.LocalMachine.OpenSubKey(
                   @"SOFTWARE\MyCompany\MyApp",
                   RegistryKeyPermissionCheck.ReadWriteSubTree,
                   RegistryRights.ReadKey | RegistryRights.ChangePermissions))
        {
            // OpenSubKey returns null when the key does not exist.
            if (regKey == null)
                throw new InvalidOperationException("Registry key not found.");

            GrantRegKeyRights(regKey, user, RegistryRights.WriteKey,
                InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow);
            RevokeRegKeyRights(regKey, user, RegistryRights.WriteKey,
                InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow);
        }
    }

    public static void GrantRegKeyRights(RegistryKey regKey,
                                         NTAccount user,
                                         RegistryRights rightsFlags,
                                         InheritanceFlags inherFlags,
                                         PropagationFlags propFlags,
                                         AccessControlType actFlags)
    {
        // Read the key's current DACL, add the new ACE, and write the DACL back.
        RegistrySecurity regSecurity = regKey.GetAccessControl();
        RegistryAccessRule rule = new RegistryAccessRule(user, rightsFlags, inherFlags,
                                                         propFlags, actFlags);
        regSecurity.AddAccessRule(rule);
        regKey.SetAccessControl(regSecurity);
    }

    public static void RevokeRegKeyRights(RegistryKey regKey,
                                          NTAccount user,
                                          RegistryRights rightsFlags,
                                          InheritanceFlags inherFlags,
                                          PropagationFlags propFlags,
                                          AccessControlType actFlags)
    {
        // Build the identical rule and remove only the ACE that matches it exactly.
        RegistrySecurity regSecurity = regKey.GetAccessControl();
        RegistryAccessRule rule = new RegistryAccessRule(user, rightsFlags, inherFlags,
                                                         propFlags, actFlags);
        regSecurity.RemoveAccessRuleSpecific(rule);
        regKey.SetAccessControl(regSecurity);
    }

The code shown in Example 17-18 grants and then revokes the ability to delete a file.

Example 17-18. Granting and revoking the right to delete a file

    using System.IO;
    using System.Security.AccessControl;
    using System.Security.Principal;

    public static void GrantRevokeFileRights()
    {
        NTAccount user = new NTAccount(@"WRKSTN\ST");
        string file = @"c:\FOO.TXT";
        GrantFileRights(file, user, FileSystemRights.Delete, InheritanceFlags.None,
                        PropagationFlags.None, AccessControlType.Allow);
        RevokeFileRights(file, user, FileSystemRights.Delete, InheritanceFlags.None,
                         PropagationFlags.None, AccessControlType.Allow);
    }

    public static void GrantFileRights(string file,
                                       NTAccount user,
                                       FileSystemRights rightsFlags,
                                       InheritanceFlags inherFlags,
                                       PropagationFlags propFlags,
                                       AccessControlType actFlags)
    {
        // Read the file's current DACL, add the new ACE, and write the DACL back.
        FileSecurity fileSecurity = File.GetAccessControl(file);
        FileSystemAccessRule rule = new FileSystemAccessRule(user, rightsFlags,
                                                             inherFlags, propFlags,
                                                             actFlags);
        fileSecurity.AddAccessRule(rule);
        File.SetAccessControl(file, fileSecurity);
    }

    public static void RevokeFileRights(string file,
                                        NTAccount user,
                                        FileSystemRights rightsFlags,
                                        InheritanceFlags inherFlags,
                                        PropagationFlags propFlags,
                                        AccessControlType actFlags)
    {
        // Build the identical rule and remove only the ACE that matches it exactly.
        FileSecurity fileSecurity = File.GetAccessControl(file);
        FileSystemAccessRule rule = new FileSystemAccessRule(user, rightsFlags,
                                                             inherFlags, propFlags,
                                                             actFlags);
        fileSecurity.RemoveAccessRuleSpecific(rule);
        File.SetAccessControl(file, fileSecurity);
    }

Discussion

When granting or revoking access rights on a file or registry key, you need two things. The first is a valid NTAccount object. This object essentially encapsulates a user or group account. A valid NTAccount object is required in order to create either a new RegistryAccessRule or a new FileSystemAccessRule. The NTAccount identifies the user or group this access rule will apply to. Note that the string passed in to the NTAccount constructor must be changed to a valid user or group name that exists on your machine. If you pass in the name of an existing user or group account that has been disabled, an IdentityNotMappedException will be thrown with the message "Some or all identity references could not be translated."

The second item that is needed is either a valid RegistryKey object, if you are modifying security access to a registry key, or a string containing a valid path and filename to an existing file. These are the objects that will have security permissions either granted to them or revoked from them.

Once these two items have been obtained, you can use the second item to obtain a security object, which contains the list of access-rule objects. For example, the following code obtains the security object for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\MyCompany\MyApp:

    RegistryKey regKey = Registry.LocalMachine.OpenSubKey(
                                @"SOFTWARE\MyCompany\MyApp");
    RegistrySecurity regSecurity = regKey.GetAccessControl();

The following code obtains the security object for the FOO.TXT file:

    string file = @"c:\FOO.TXT";
    FileSecurity fileSecurity = File.GetAccessControl(file);

Now that you have your particular security object, you can create an access-rule object that will be added to this security object. To do this, you need to create a new access rule. For a registry key, you have to create a new RegistryAccessRule object, and for a file, you have to create a new FileSystemAccessRule object. To add this access rule to the security object, you call the AddAccessRule method on the security object; the change is then applied to the key or file by calling SetAccessControl, as the examples show. Note that RegistryAccessRule objects can be added only to RegistrySecurity objects and FileSystemAccessRule objects can be added only to FileSecurity objects.

To remove an access-rule object from a security object, you follow the same set of steps, except that you call the RemoveAccessRuleSpecific method instead of AddAccessRule. RemoveAccessRuleSpecific accepts an access-rule object and attempts to remove the rule that exactly matches this rule object from the security object. As always, you must remember to call the SetAccessControl method to apply any changes to the actual system object.
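Because RemoveAccessRuleSpecific only removes an exact match, a rule that was added with different inheritance or propagation flags, or that AddAccessRule merged into an existing ACE for the same account, silently survives a revoke. The following example, added here and not part of the recipe, re-reads the key's DACL after each SetAccessControl call and checks for an explicit ACE matching the rule exactly; the AclVerifier class and HasExplicitRule method are hypothetical names, the key path and WRKSTN\ST account are the recipe's placeholders, and it assumes .NET Framework on Windows running with permission to change the key's DACL.

```csharp
using System;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Principal;
using Microsoft.Win32;

public static class AclVerifier
{
    // True if the key's DACL holds an explicit (non-inherited) ACE that matches
    // 'wanted' exactly: identity, rights, inheritance/propagation flags and type.
    // That is the match RemoveAccessRuleSpecific needs, so "false" after a revoke
    // means the rule is gone; "false" after a grant means it was merged or never written.
    public static bool HasExplicitRule(RegistryKey regKey, RegistryAccessRule wanted)
    {
        // Translate the name first: an unmappable account throws
        // IdentityNotMappedException here, before any ACL is read or changed.
        var sid = (SecurityIdentifier)wanted.IdentityReference.Translate(typeof(SecurityIdentifier));
        RegistrySecurity sec = regKey.GetAccessControl();
        // includeInherited is false: inherited ACEs cannot be removed on this key
        // with RemoveAccessRuleSpecific; they have to be changed on the parent.
        return sec.GetAccessRules(true, false, typeof(SecurityIdentifier))
                  .Cast<RegistryAccessRule>()
                  .Any(r => r.IdentityReference.Equals(sid)
                         && r.RegistryRights == wanted.RegistryRights
                         && r.InheritanceFlags == wanted.InheritanceFlags
                         && r.PropagationFlags == wanted.PropagationFlags
                         && r.AccessControlType == wanted.AccessControlType);
    }
    public static void Main()
    {
        NTAccount user = new NTAccount(@"WRKSTN\ST");   // recipe's placeholder account
        var rule = new RegistryAccessRule(user, RegistryRights.WriteKey,
            InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow);
        // SetAccessControl needs a handle opened with ChangePermissions (WRITE_DAC).
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(
                   @"SOFTWARE\MyCompany\MyApp", RegistryKeyPermissionCheck.ReadWriteSubTree,
                   RegistryRights.ReadKey | RegistryRights.ChangePermissions))
        {
            RegistrySecurity sec = key.GetAccessControl();
            sec.AddAccessRule(rule);
            key.SetAccessControl(sec);
            Console.WriteLine("after grant:  " + HasExplicitRule(key, rule));
            sec = key.GetAccessControl();
            sec.RemoveAccessRuleSpecific(rule);
            key.SetAccessControl(sec);
            Console.WriteLine("after revoke: " + HasExplicitRule(key, rule));
        }
    }
}
```

The same check applies to files by swapping FileSecurity, FileSystemAccessRule and FileSystemRights for the registry types; a Deny rule for the same account is a separate ACE and is not touched by this grant or revoke.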

For a list of other classes that allow security permissions to be modified programmatically, see Recipe 17.13.

See Also

See Recipe 17.13; see the "System.IO.File.GetAccessControl Method," "System.Security.AccessControl.FileSecurity Class," "System.Security.AccessControl.FileSystemAccessRule Class," "Microsoft.Win32.RegistryKey.GetAccessControl Method," "System.Security.AccessControl.RegistrySecurity Class," and "System.Security.AccessControl.RegistryAccessRule Class" topics in the MSDN documentation.



C# Cookbook