views:

516

answers:

1

I have a program that's creating a secure directory for user output. This is working correctly, but the files I create in it (or copy to it) are ending up with only administrator access.

 DirectoryInfo outputDirectory =
            baseOutputDirectory.CreateSubdirectory(outputDirectoryName,
            GetDirectorySecurity(searchHits.Request.UserId));

 ...

private DirectorySecurity GetDirectorySecurity(string owner)
{
    const string LOG_SOURCE = "GetDirectorySecurity";
    DirectorySecurity ds = new DirectorySecurity();

    System.Security.Principal.NTAccount ownerAccount = 
        new System.Security.Principal.NTAccount(owner);

    ds.SetOwner(ownerAccount);

    ds.AddAccessRule(
        new FileSystemAccessRule(owner, 
        FileSystemRights.FullControl,
        AccessControlType.Allow));

    //AdminUsers is a List<string> that contains a list from configuration
    //  That represents the admins who should be allowed
    foreach (string adminUser in AdminUsers)
    {
        ds.AddAccessRule(
            new FileSystemAccessRule(adminUser,
            FileSystemRights.FullControl,
            AccessControlType.Allow));
    }
    return ds;
}

/// <summary>
/// This method copies any static supporting files, such as javascripts
/// </summary>
/// <param name="outputDirectory"></param>
private void CopySupportingFiles(DirectoryInfo outputDirectory)
{
    foreach (FileInfo file in SupportingFiles)
    {
        file.CopyTo(
            Path.Combine(outputDirectory.FullName, file.Name));
    }
}

etc, etc, etc.

What am I doing wrong? Why aren't the permissions cascading?

+1  A: 

It looks like you should be setting the InheritanceFlags and PropagationFlags when setting the DirectorySecurity (I believe it overwrite whatever you've manually set).

    private DirectorySecurity GetDirectorySecurity(string owner)
    {
        const string LOG_SOURCE = "GetDirectorySecurity";
        DirectorySecurity ds = new DirectorySecurity();

        System.Security.Principal.NTAccount ownerAccount =
            new System.Security.Principal.NTAccount(owner);

        ds.SetOwner(ownerAccount);

        ds.AddAccessRule(
            new FileSystemAccessRule(owner,
            FileSystemRights.FullControl,
            InheritanceFlags.ObjectInherit, 
            PropagationFlags.InheritOnly,
            AccessControlType.Allow));

        //AdminUsers is a List<string> that contains a list from configuration
        //  That represents the admins who should be allowed
        foreach (string adminUser in AdminUsers)
        {
            ds.AddAccessRule(
                new FileSystemAccessRule(adminUser,
                FileSystemRights.FullControl,
                InheritanceFlags.ObjectInherit,
                PropagationFlags.InheritOnly,
                AccessControlType.Allow));
        }
        return ds;
    }
scottm
That makes sense Scott, let me try it.
C. Ross