Re: How can I control folder permissions when creating a folder

From: Shawn Farkas (shawnfa_at_online.microsoft.com)
Date: 08/25/04

    Date: Wed, 25 Aug 2004 21:16:27 GMT
    
    

    Hi Steve,

    I'm not an ACL expert, but I believe the inheritance flag is set on the child, not the parent. So you need to be able to create your directory with that
    flag set. Since you can't do anything with ACLs until .NET 2.0, you're stuck pulling in the extra ACL library for now -- there's no current way to instruct
    the runtime that all child folders should start by inheriting their parent's permissions.

    -Shawn
    http://blogs.msdn.com/shawnfa

    -- 
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Note:  For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they 
    originated.  
    --------------------
    >From: "Steve Hiner" <newsgroup.me.hates.spam@isiaz.com>
    >References: <u9kOCFWiEHA.3876@TK2MSFTNGP12.phx.gbl> <#rtfIeiiEHA.2200@cpmsftngxa10.phx.gbl>
    >Subject: Re: How can I control folder permissions when creating a folder
    >Date: Tue, 24 Aug 2004 17:12:05 -0700
    >
    >Shawn,
    >
    >I started playing with an ACL library but it seemed like massive overkill.
    >
    >Can you explain why a new folder under All Users\Application Data wouldn't
    >give access to all users?  I'd also like to know why it only happens
    >sometimes.  I have 4 folders on my system created exactly the same way, two
    >have the same permissions as the parent folder, the other two limit access
    >to the creator and administrators.
    >
    >I thought folders under All Users would always inherit permissions such that
    >everyone would have access to them.
    >
    >My problem would be solved if I could find an ACL library that would let me
    >set "inherit from parent" right after I create the folder.
    >
    >Steve
    >
    >"Shawn Farkas" <shawnfa@online.microsoft.com> wrote in message
    >news:%23rtfIeiiEHA.2200@cpmsftngxa10.phx.gbl...
    >> Hi Steve,
    >>
    >> If you're using v1.1 or 1.0 of the framework, there is no built in ACL
    >> solution, you'll need to find a third party ACL library.  (I believe you'll
    >> be able to find one on gotdotnet.com to help you out).  For v2.0, we'll be
    >> adding a new System.Security.AccessControl namespace and exposing
    >> methods on the various File, Directory, and Registry classes to allow
    >> directly working with ACLs on your file system.
    >>
    >> -Shawn
    >> http://blogs.msdn.com/shawnfa
    >>
    >> -- 
    >>
    >> This posting is provided "AS IS" with no warranties, and confers no
    >> rights.
    >> Note:  For the benefit of the community-at-large, all responses to this
    >> message are best directed to the newsgroup/thread from which they
    >> originated.
    >> --------------------
    >> >Date: Mon, 23 Aug 2004 15:33:39 -0700
    >> >From: "Steve Hiner (331841)" <developerhatesspam@isiaz.com>
    >> >Subject: How can I control folder permissions when creating a folder
    >> >
    >> >I have an application that stores data in the "All Users\Application
    >> >Data" folder.  Unfortunately it often sets the security of the created
    >> >folder such that normal users can't write to the folder.
    >> >
    >> >I thought All Users was by definition accessible to all users.
    >> >
    >> >I can see that normal users have read/write access to:
    >> >All Users
    >> >All Users\Application Data
    >> >All Users\Application Data\My Application
    >> >
    >> >But when I create:
    >> >All Users\Application Data\My Application\My Data
    >> >it sets up the security so only the owner or other Admins have write
    >> >access.  Sometimes it denies read access as well.
    >> >
    >> >The first time you run the application it has to write licensing info to
    >> >the "Program Files\My Application" directory so it has to be run by an
    >> >administrator.  The unfortunate side-effect of that is that the data
    >> >folder is always created by an administrator so normal users get locked
    >> >out of it.
    >> >
    >> >This isn't even consistent.  I have a few different products within the
    >> >same product family.  Some of them end up with permissions that allow
    >> >normal users to have access to the folder, others deny them access but
    >> >they all use the exact same Directory.CreateDirectory() call to create
    >> >the folder.  The only difference I can think of is that the folders that
    >> >give read/write access have a space in the parent folder name.
    >> >
    >> >Why doesn't my data folder inherit its permissions from the parent
    >> >folder?  Is there something I need to do to make it inherit?  Of course,
    >> >I also need all the files in my data folder to inherit the permissions
    >> >of the parent folder.
    >> >
    >> >Steve
    >> >
    >>
    >>
    >
    >
    >
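
A sketch of what the thread is asking for, using the System.Security.AccessControl namespace mentioned above (.NET Framework 2.0 or later, Windows only). This is an added example, not code from the original posts; the class and method names are hypothetical and the folder names are the ones from the question.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class DataFolderAcl   // hypothetical helper, not a framework type
{
    // Create the folder (no-op if it exists) and clear the "protected" flag
    // on its DACL so it picks up the parent's inheritable ACEs.
    public static DirectoryInfo CreateInheriting(string path)
    {
        DirectoryInfo dir = Directory.CreateDirectory(path);
        DirectorySecurity acl = dir.GetAccessControl(AccessControlSections.Access);
        Console.WriteLine("Inheritance blocked: " + acl.AreAccessRulesProtected);
        // isProtected = false turns inheritance on; the second argument is ignored then.
        acl.SetAccessRuleProtection(false, false);
        dir.SetAccessControl(acl);
        return dir;
    }

    // Explicit alternative when the parent's inheritable ACEs do not give users
    // write access: Modify (not FullControl), inherited by subfolders and files.
    public static void GrantUsersModify(DirectoryInfo dir)
    {
        DirectorySecurity acl = dir.GetAccessControl(AccessControlSections.Access);
        SecurityIdentifier users = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
        acl.AddAccessRule(new FileSystemAccessRule(users, FileSystemRights.Modify,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None, AccessControlType.Allow));
        dir.SetAccessControl(acl);
    }

    // Print every ACE with its origin. SIDs are printed untranslated so an
    // unresolvable account cannot make the listing throw.
    public static void Dump(DirectoryInfo dir)
    {
        DirectorySecurity acl = dir.GetAccessControl(AccessControlSections.Access);
        foreach (FileSystemAccessRule ace in acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
            Console.WriteLine("{0,-14} {1,-5} {2} [{3}]", ace.IdentityReference.Value,
                ace.AccessControlType, ace.FileSystemRights,
                ace.IsInherited ? "inherited" : "explicit");
    }

    static void Main()
    {
        string root = Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData);
        string path = Path.Combine(Path.Combine(root, "My Application"), "My Data");
        DirectoryInfo dir = CreateInheriting(path);
        Dump(dir);   // call GrantUsersModify(dir) only if no inherited ACE lets users write
    }
}
```

Comparing the dump for a folder that works with one that does not shows whether the difference is a protected DACL or the set of ACEs the parent actually passes down.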
    
