File Security | Pro Visual C++ 2005 for C# Developers

When the .NET Framework 1.0/1.1 was first introduced, it didn't come with an easy way in which you could easily access and work access control lists (ACLs) for files, directories, and registry keys. To do such at that time, it usually meant some work with COM-interop, thereby also requiring a more advanced programming knowledge of working with ACLs.

This has now considerably changed with the release of the .NET Framework 2.0, because this version makes the process of working with ACLs considerably easier with a new namespace — System.Security.AccessControl. With this new namespace, it is now possible to manipulate security settings for files, registry keys, network shares, Active Directory objects, and more.

Reading ACLs from a File

For an example of working with System.Security.AccessControl, this section takes a look at working with the ACLs for both files and directories. It starts by looking at how you would go about reviewing the ACLs for a particular file. This example is accomplished in a console application and illustrated here:

 using System; using System.Collections.Generic; using System.Text; using System.IO; using System.Security.AccessControl; namespace ConsoleApplication1 { class Program { static string myFilePath; static void Main(string[] args) { Console.Write("Provide full file path: "); myFilePath = Console.ReadLine(); try { using (FileStream myFile = new FileStream(myFilePath, FileMode.Open, FileAccess.Read)) { FileSecurity fileSec = myFile.GetAccessControl(); foreach (FileSystemAccessRule fileRule in fileSec.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount))) { Console.WriteLine("{0} {1} {2} access for {3}", myFilePath, fileRule.AccessControlType == AccessControlType.Allow ? "provides" : "denies", fileRule.FileSystemRights, fileRule.IdentityReference.ToString()); } } } catch { Console.WriteLine("Incorrect file path given!"); } Console.ReadLine(); } } }

For this example to work, the first step is to make a reference to the System.Security.AccessControl namespace. This will give you access to the FileSecurity and the FileSystemAccessRule classes later in the program.

After the specified file is retrieved and placed in a FileStream object, the ACLs of the file are grabbed using the GetAccessControl method now found on the File object. This information from the GetAccessControl method is then placed in a FileSecurity class. This class has access rights to the referenced item. Each individual access right is then in turn represented by a FileSystemAccessRule object. That is why a foreach loop is used to iterate through all the access rights found in the created FileSecurity object.

Running this example with a simple text file in the root directory produces something similar to the following results:

Provide full file path: C:\Sample.txt C:\Sample.txt provides FullControl access for BUILTIN\Administrators C:\Sample.txt provides FullControl access for NT AUTHORITY\SYSTEM C:\Sample.txt provides FullControl access for PUSHKIN\Bill C:\Sample.txt provides ReadAndExecute, Synchronize access for BUILTIN\Users

The next section looks at reading ACLs from a directory instead of a file.

Reading ACLs from a Directory

Reading ACL information about a directory instead of an actual file is not much different than the preceding example. The code for this is illustrated in the following sample:

 using System; using System.Collections.Generic; using System.Text; using System.Threading; using System.IO; using System.Security.AccessControl; namespace ConsoleApplication1 { class Program { static string mentionedDir; static void Main(string[] args) { Console.Write("Provide full directory path: "); mentionedDir = Console.ReadLine(); try { DirectoryInfo myDir = new DirectoryInfo(mentionedDir); if (myDir.Exists) { DirectorySecurity myDirSec = myDir.GetAccessControl(); foreach (FileSystemAccessRule fileRule in myDirSec.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount))) { Console.WriteLine("{0} {1} {2} access for {3}", mentionedDir, fileRule.AccessControlType == AccessControlType.Allow ? "provides" : "denies", fileRule.FileSystemRights, fileRule.IdentityReference.ToString()); } } } catch { Console.WriteLine("Incorrect directory provided!"); } Console.ReadLine(); } } }

The big difference with this example is that it uses the DirectoryInfo class, which now also includes the GetAccessControl method to pull information about the directory's ACLs. Running this example produces the following results.

Provide full directory path: C:\Test C:\Test provides FullControl access for BUILTIN\Administrators C:\Test provides FullControl access for NT AUTHORITY\SYSTEM C:\Test provides FullControl access for PUSHKIN\Bill C:\Test provides 268435456 access for CREATOR OWNER C:\Test provides ReadAndExecute, Synchronize access for BUILTIN\Users C:\Test provides AppendData access for BUILTIN\Users C:\Test provides CreateFiles access for BUILTIN\Users

The final thing you will look at in working with ACLs is using the new System.Security.AccessControl namespace to add and remove items from a file's ACL.

Adding and Removing ACLs from a File

It is also possible to manipulate the ACLs of a resource using the same objects that were used in the previous examples. The following code example changes a previous code example where a file's ACL information was read. In this example, the ACLs are read for a specified file, changed, and then read again:

try {    using (FileStream myFile = new FileStream(myFilePath,       FileMode.Open, FileAccess.ReadWrite))    { FileSecurity fileSec = myFile.GetAccessControl(); Console.WriteLine("ACL list before modification:");       foreach (FileSystemAccessRule fileRule in          fileSec.GetAccessRules(true, true,           typeof(System.Security.Principal.NTAccount)))       {          Console.WriteLine("{0} {1} {2} access for {3}", myFilePath,             fileRule.AccessControlType == AccessControlType.Allow ?              "provides" : "denies",             fileRule.FileSystemRights,             fileRule.IdentityReference.ToString());       } Console.WriteLine(); Console.WriteLine("ACL list after modification:"); FileSystemAccessRule newRule = new FileSystemAccessRule( new System.Security.Principal.NTAccount(@"PUSHKIN\Tuija"), FileSystemRights.FullControl, AccessControlType.Allow); fileSec.AddAccessRule(newRule); File.SetAccessControl(myFilePath, fileSec); foreach (FileSystemAccessRule fileRule in fileSec.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount))) { Console.WriteLine("{0} {1} {2} access for {3}", myFilePath, fileRule.AccessControlType == AccessControlType.Allow ? "provides" : "denies", fileRule.FileSystemRights, fileRule.IdentityReference.ToString());       }    } }

In this case, a new access rule is added to the file's ACL. This is done by using the FileSystemAccessRule object. In creating a new instance of this object, a new NTAccount is created and given Full Control to the file. Then the AddAccessRule method of the FileSecurity class is used to assign the new rule. From there, the FileSecurity object reference is used to set the access control to the file in question using the SetAccessControl method of the File class.

Next, the file's ACL is listed again. The following is an example of what the preceding code could produce:

Provide full file path: C:\Sample.txt ACL list before modification: C:\Sample.txt provides FullControl access for BUILTIN\Administrators C:\Sample.txt provides FullControl access for NT AUTHORITY\SYSTEM C:\Sample.txt provides FullControl access for PUSHKIN\Bill C:\Sample.txt provides ReadAndExecute, Synchronize access for BUILTIN\Users ACL list after modification: C:\Sample.txt provides FullControl access for PUSHKIN\Tuija C:\Sample.txt provides FullControl access for BUILTIN\Administrators C:\Sample.txt provides FullControl access for NT AUTHORITY\SYSTEM C:\Sample.txt provides FullControl access for PUSHKIN\Bill C:\Sample.txt provides ReadAndExecute, Synchronize access for BUILTIN\Users

To remove a rule from the ACL list, there is really not much that needs to be done to the code. From the previous code example, you simply will need to change the following line:

fileSec.AddAccessRule(newRule);

to the following:

 fileSec.RemoveAccessRule(newRule);

This will then remove the rule that was just added.