RE: Using WMI to grant permissions to new users on folder..
From: scsharma (sharmasu_at_noemail.nospam)
Date: 09/28/05
- Next message: Dominick Baier [DevelopMentor]: "RE: Using WMI to grant permissions to new users on folder.."
- Previous message: Dennis Vroegop: "Re: ASP.Net 1.1 cookieless session security issue?"
- In reply to: Dominick Baier [DevelopMentor]: "RE: Using WMI to grant permissions to new users on folder.."
- Next in thread: Dominick Baier [DevelopMentor]: "RE: Using WMI to grant permissions to new users on folder.."
- Reply: Dominick Baier [DevelopMentor]: "RE: Using WMI to grant permissions to new users on folder.."
Date: Wed, 28 Sep 2005 10:55:07 -0700
One more thing, Dominick. Did this code work for you? I wrote some very simple
code where I added and removed a couple of trustees and then set the DACL back
to the security descriptor. I am surprised to see that the changes are not
reflected on the actual file.
Here is the sample code:
    string filename = ROOT_DIR + nameDirectory;

    // Read the DACL of the target directory (verbatim string so "\t" is not a tab)
    SecurityDescriptor secDesc = SecurityDescriptor.GetFileSecurity(
        @"c:\temp", SECURITY_INFORMATION.DACL_SECURITY_INFORMATION);
    Dacl dAcl = secDesc.Dacl;

    // Add a read ACE for ftpuser and remove every ACE for BatchFTP
    dAcl.AddAce(new AceAccessAllowed(new Sid("ftpuser"), AccessType.GENERIC_READ));
    dAcl.RemoveAces(new Sid(@"BatchFTP"));

    // I am attaching the output of the following print statements at the end of this post.
    foreach (Ace ace in dAcl)
    {
        Console.Write("ACE SID: {0} ", ace.Sid.CanonicalName);
        Console.Write("ACE Type: {0} ", ace.Type);
        Console.WriteLine("ACE AccessType: {0} (0x{0:X})",
            (EventAccessType)ace.AccessType);
    }

    // Put the modified DACL back into the security descriptor
    secDesc.SetDacl(dAcl);
---Output of print statements----------------------
ACE SID: BUILTIN\Administrators ACE Type: ACCESS_ALLOWED_ACE_TYPE ACE AccessType: 2032127 (0x001F01FF)
ACE SID: NT AUTHORITY\SYSTEM ACE Type: ACCESS_ALLOWED_ACE_TYPE ACE AccessType: 2032127 (0x001F01FF)
ACE SID: AOC\ssharma ACE Type: ACCESS_ALLOWED_ACE_TYPE ACE AccessType: 2032127 (0x001F01FF)
ACE SID: CREATOR OWNER ACE Type: ACCESS_ALLOWED_ACE_TYPE ACE AccessType: GENERIC_ALL (0x10000000)
ACE SID: BUILTIN\Users ACE Type: ACCESS_ALLOWED_ACE_TYPE ACE AccessType: 1179817 (0x001200A9)
ACE SID: BUILTIN\Users ACE Type: ACCESS_ALLOWED_ACE_TYPE ACE AccessType: 4 (0x00000004)
ACE SID: BUILTIN\Users ACE Type: ACCESS_ALLOWED_ACE_TYPE ACE AccessType: EVENT_MODIFY_STATE (0x00000002)
ACE SID: SSHARMA\f4 ACE Type: ACCESS_ALLOWED_ACE_TYPE ACE AccessType: GENERIC_READ (0x80000000)
--------End of print
Am I missing something? The output has all the trustees that I had added,
but when I check the permissions on the file using file properties->Security Tab,
I still see the "BatchFTP" group though I have removed that in the above code. Also,
user "ssharma\f4" is not there.
Thanks
SCS
"Dominick Baier [DevelopMentor]" wrote:
> Hello [MSFT],
>
> have you tried that?
>
> http://www.leastprivilege.com/ACLSupportForNET.aspx
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > Hello,
> >
> > I also suspect this issue is a bug. The key line may be:
> >
> > Descriptor.Properties["Dacl"].Value = DaclObject;
> >
> > and
> >
> > ManagementBaseObject ret = lfs.InvokeMethod("SetSecurityDescriptor",
> > inParams, null);
> >
> > The old values are not replaced but appended.
> >
> > I will record this and hope it can be fixed in a later version.
> >
> > Luke
> >
>
>
>
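Added example, not part of the original thread and not the classes used in the post: a read-modify-write of a directory DACL with System.Security.AccessControl, where the edited descriptor is explicitly written back and the result is checked against a fresh read from disk. It assumes .NET Framework 2.0 or later, that the path and the "ftpuser" and "BatchFTP" accounts named in the post exist, and that the caller may change permissions on the directory.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

class DaclRoundTrip
{
    static void Main()
    {
        string path = @"c:\temp";                       // verbatim string: "\t" is not a tab
        NTAccount added = new NTAccount("ftpuser");     // trustee to grant (name from the post)
        NTAccount removed = new NTAccount("BatchFTP");  // trustee to drop (name from the post)

        // 1. Read: this returns an in-memory copy of the directory's DACL.
        DirectorySecurity sec =
            Directory.GetAccessControl(path, AccessControlSections.Access);

        // 2. Modify the copy only; nothing on disk has changed yet.
        sec.AddAccessRule(new FileSystemAccessRule(
            added,
            FileSystemRights.ReadAndExecute,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AccessControlType.Allow));
        sec.PurgeAccessRules(removed);  // drops explicit ACEs only, inherited ones stay

        // 3. Write back: until this call the edits exist only in 'sec'.
        Directory.SetAccessControl(path, sec);

        // 4. Verify against a fresh read, not against the object just edited.
        DirectorySecurity check =
            Directory.GetAccessControl(path, AccessControlSections.Access);
        foreach (FileSystemAccessRule rule in
                 check.GetAccessRules(true, true, typeof(NTAccount)))
        {
            Console.WriteLine("{0,-28} {1,-6} {2} inherited={3}",
                rule.IdentityReference.Value, rule.AccessControlType,
                rule.FileSystemRights, rule.IsInherited);
        }
    }
}
```

If a trustee still appears in step 4 with inherited=True, its ACE comes from the parent folder and has to be removed there, or inheritance has to be blocked on this directory.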