我有很多痛苦的程序化创建一个ACL和所有者的文件夹..
税:
创建一个只能由一个用户访问的文件夹(甚至不是管理员)。
(当前)解决方案:
以管理员身份运行
// path is the directory, "target" the parent directory
String path = Path.Combine(target, "Data");
DirectorySecurity ds = Directory.GetAccessControl(target);
// up is the "UserPrincipal"
ds.AddAccessRule(new FileSystemAccessRule(up.Sid, FileSystemRights.CreateDirectories, AccessControlType.Allow));
Directory.SetAccessControl(target, ds);
// safeTokenHandle_SecureUser is the token of the already logged in User stored in "up"
using (WindowsImpersonationContext impersonatedUser = WindowsIdentity.Impersonate(safeTokenHandle_SecureUser.DangerousGetHandle()))
{
ds = new DirectorySecurity();
// Set owner only works impersonated
ds.SetOwner(up.Sid);
// Inherited needs impersonation
ds.AddAccessRule(new FileSystemAccessRule(up.Sid, FileSystemRights.FullControl, InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow));
// Add Backupgroup
ds.AddAccessRule(new FileSystemAccessRule(new SecurityIdentifier("S-1-5-32-551"), FileSystemRights.Read, InheritanceFlags.ObjectInherit, PropagationFlags.InheritOnly, AccessControlType.Allow));
DirectoryInfo directory = Directory.CreateDirectory(path, ds);
}
问题:
在“C:\ temp \ Sec53”中创建的路径(jea,计算我的尝试..但多次尝试是我在同一目录..)
c:\temp\Sec53>whoami
pc-XXX\YYYuser93
c:\temp\Sec53>dir /q (1)
Datenträger in Laufwerk C: ist Windows
Volumeseriennummer: ...
Verzeichnis von c:\temp\Sec53
13.02.2019 13:13 <DIR> VORDEFINIERT\Administra. (2)
13.02.2019 13:13 <DIR> AAA\BBB ..
13.02.2019 13:13 <DIR> XXX\YYYUser93 Data
(TRIM)
c:\temp\Sec53>cacls *
c:\temp\Sec53\Data VORDEFINIERT\Sicherungs-Operatoren:(OI)(IO)(Beschränkter Zugriff:) (3)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_READ_DATA
FILE_READ_EA
FILE_READ_ATTRIBUTES
XXX\YYYUser93:(OI)(IO)F
(TRIM)
c:\temp\Sec53>cd Data
Zugriff verweigert (4)
你可以看到,我已经和这个用户一起登录了CMD。目录存在,所有者是用户。此用户的权限设置为“完全”。但是我仍然无法更改此目录。
怎么了? WTF?我能做什么?
得到它,尝试编号75 ..
需要两个规则,一个用于当前对象,一个用于继承..
ds.AddAccessRule(new FileSystemAccessRule(up.Sid, FileSystemRights.FullControl, AccessControlType.Allow));
ds.AddAccessRule(new FileSystemAccessRule(up.Sid, FileSystemRights.FullControl, InheritanceFlags.ContainerInherit, PropagationFlags.InheritOnly, AccessControlType.Allow));
在问题中我只创建了继承的规则(错误的标志)。