Using Standard NT Security Features in Windows 7 : WORKING DIRECTLY WITH WINDOWS NT SECURITY (part 4)

4. Checking File and Directory Permissions

When all is said and done, however, the real issue is determining what rights a user has to a resource such as a file or directory. Nevertheless, the principles apply equally well to any resource. Before a user or other entity can access a resource, it's important to have the required rights. The following sections show an example of how to perform this task.

4.1. Configuring the Check Permission Example

This example begins with a Windows Forms application. You add the controls shown in Figure 1. In addition, you need to provide the following using statements:

using System.Security.AccessControl;
using System.IO;
using System.Security.Principal;

4.2. Writing the Check Permission Code

The principle behind this example is relatively simple. If a user has a particular permission, the system sets a flag within the DACL. The .NET Framework encompasses these flags within a structure called a FileSystemAccessRule. Listing 5 provides details on how this flag system works.

Example 5. Checking file or directory permissions

private void btnCheck_Click(object sender, EventArgs e) { // Create a file security object for the target file. FileSecurity FS = new FileSecurity( Application.StartupPath + @"\Temp.TXT", AccessControlSections.Access); // Obtain the access rules for the file. AuthorizationRuleCollection AccessRules = FS.GetAccessRules(true, true, typeof(NTAccount)); // Create a string that contains the rule data. String RuleHeading = ""; // Process the access rules. foreach (FileSystemAccessRule AR in AccessRules) { // Add the principal name to the string. RuleHeading = AR.IdentityReference.Value.ToString(); // Determine whether the permission is inherited. if (AR.IsInherited) RuleHeading += " (Inherited)"; else RuleHeading += " (Not Inherited)"; // Output the rule heading. lstPermissions.Items.Add(RuleHeading); // Obtain a list of permissions. if (AR.FileSystemRights.HasFlag(FileSystemRights.AppendData)) lstPermissions.Items.Add("\tAppend Data"); if (AR.FileSystemRights.HasFlag(FileSystemRights.ChangePermissions)) lstPermissions.Items.Add("\tChange Permissions"); if (AR.FileSystemRights.HasFlag(FileSystemRights.CreateDirectories)) lstPermissions.Items.Add("\tCreate Directories"); if (AR.FileSystemRights.HasFlag(FileSystemRights.CreateFiles)) lstPermissions.Items.Add("\tCreate Files"); ... Other Permission Statements Clipped ... } }

The example begins by creating a new FileSecurity object, FS. The FileSecurity object contains information about a particular resource. In this case, it contains the AccessControlSections.Access flags. If you select one of the other values, such as AccessControlSections.Audit, you may have to have administrator privileges, but the access rules are open to anyone with the proper rights. The FileSecurity() constructor requires both the resource you want to use, Temp.TXT in this case, and the level of flags you want to access.

Within the FS are the flags you want to access. In order to access these flags, you create an AuthorizationRuleCollection, AccessRules. It's possible to format the rules in several ways. The example obtains both explicit rights and inherited rights using an NTAccount data type.

Figure 13. Rule structures help you manage both access and audits.

At this point, the example examines each of the rules within the AuthorizationRuleCollection individually using a for loop. Each of the FileSystemAccessRule objects, AR, provides a principal name (the account with access), whether the access is explicit (defined in particular for this object) or inherited, and a list of flags. The HasFlag() method makes it easy to determine whether the user has a particular right. Figure 13 shows typical output for this example.

5. Changing File and Directory Permissions

In general, an administrator is going to set resource permissions on a system, including file and directory permissions. However, there are times when an application needs to set permissions. Fortunately, changing file and directory permissions is another area that Microsoft has added to the .NET Framework to make it easier to manage this resource. The following sections describe the Modify Permission example, which shows the basics of changing a file permission. You can easily extend this example to work with other kinds of resources.

5.1. Configuring the Modify Permission Example

This example begins with a Windows Forms application that has a single button, btnChange. You click the button to add a user to the permission list for the test file, Test.TXT. The example also requires that you add the following using statements to the code:

using System.Security.AccessControl;
using System.Security.Principal;
using System.IO;

5.2. Writing the Modify Permission Code

Modifying a permission involves gaining access to the file and adding a rule to it. The rule provides an account, the kind of access, and whether to allow or deny the access. Listing 6 shows the code required for this example.

Example 6. Modifying file or directory permissions

private void btnChange_Click(object sender, EventArgs e) { // Create a file security object for the target file. FileSecurity FS = File.GetAccessControl( Application.StartupPath + @"\Temp.TXT"); // Create a new rule. FileSystemAccessRule Rule = new FileSystemAccessRule( new NTAccount(@"BUILTIN\Users"), FileSystemRights.Write, AccessControlType.Allow); // Add the rule to the file security object. FS.AddAccessRule(Rule); // Save the rule to the file. File.SetAccessControl( Application.StartupPath + @"\Temp.TXT", FS); // Display a success message. MessageBox.Show("Change Succeeded!"); }

The code begins by creating a FileSecurity object, FS, that provides access to the permissions for Temp.TXT. Remember that this code is actually changing the DACL for Temp.TXT. To provide better control over the process, you could include an AccessControlSections.Access enumeration member as a second argument.

Figure 14. You can see the permissions change by looking at the file's Properties dialog box.

To add a new user to the permissions, the code creates a FileSystemAccessRule, Rule, that includes the Users built-in account, the ability to write to the file, and an Allow permission. Notice that you must provide an account type, which is going to be NTAccount() in most situations. The code calls the AddAccessRule() method to actually add the rule to FS.

At this point, the code calls File.SetAccessControl() to change the DACL of Temp.TXT. This method requires that you provide the filename as the first input and the FileSecurity object as the second input. Because there isn't any notification that the process has succeeded, the code displays a simple success message. Figure 14 shows the modified permissions for Temp.TXT. Notice that the Write right has a dark checkmark, showing that it's explicitly set, while the Read & Execute and Read rights use lighter checkmarks to show that they're inherited.

Never attempt to change file permissions while the file is open using a file object in Windows 7. You'll receive an "Attempted to perform an unauthorized operation" error message from the application. Absolutely nothing you can do will change the message or tell you the message source. Your code will look correct and you'll even find examples of it online (see http://msdn.microsoft.com/magazine/cc163885.aspx), but it won't work. Always change permissions with the file closed and using the File.SetAccessControl() static method directly.