Setting directory security to allow user and deny all

Question

I have winforms app, in which I need to access a secured directory. I'm using impersonation and create WindowsIdentity to access the folder.

My problem is writing unit tests to test the directory security; I'd like to a write a code that creates a directory secured to only ONE user, which isn't the current user running the UT (or else the test would be worthless).

I know how to add permissions to a certain user, but how can I deny the rest, including admins? (in case the user running the UT is an admin) (will this be a wise thing to do?)

DirectoryInfo directoryInfo = new DirectoryInfo(path);
DirectorySecurity directorySecurity = directoryInfo.GetAccessControl();

directorySecurity.AddAccessRule(new FileSystemAccessRule("Domain\SecuredUser",
                    FileSystemRights.FullControl, 
                    InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
                    PropagationFlags.InheritOnly,                         
                    AccessControlType.Allow));

directorySecurity.RemoveAccessRule(new FileSystemAccessRule("??",   
                    FileSystemRights.FullControl, 
                    InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
                    PropagationFlags.InheritOnly,  
                    AccessControlType.Deny));

directoryInfo.SetAccessControl(directorySecurity);

This isn't working. I don't know who am I supposed to deny. Domain\Admins, Domain\Administrators, me... No one is being denied, and when I check folder's security - The SecuredUser has access to the folder, but the permissions are not checked, even though I specified FullControl.

Basically I want to code this:

<authorization>
 <allow users ="Domain\User" />
 <deny users="*" /> 
</authorization>

I was thinking about impersonating UT run with a weak user with no permissions, but this would result in: Impersonate -> Run UT -> Impersonate -> Access folder, and I'm not sure if this is the right design.

Help would be greatly appreciated, thank you.

Answer 1

Hi Rita, I just tested out msdn sample code from http://msdn.microsoft.com/en-us/library/system.io.directoryinfo.setaccesscontrol%28v=VS.100%29.aspx and I'm getting the same problem. When I debug the sample program step-by-step, the access permissions added are only "special permissions" instead of "readdata" as specified in the program.
Update : In windows 7, under File -> Properties -> Security -> Advanced ->Effective Permissions, the permissions are shown as advertised. The tick on "special permissions" is actually misleading.
Update2 : If you use the five-argument constructor and set the flags to "InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit" and "PropagationFlags.InheritOnly", then the access is shown in the security tab exactly as was added . It seems that the long list of accesses in the security tab is ticked, only if the rights are inheriteed and propogated under each subdirectory.

Answer 2

I am not sure about this, but i think that deny takes precedence over allow. So if you try to deny permissions to everybody(using the group "Everyone"), it will probably override permissions to the special user to whom you tried to grant access.
What should work is to remove all existing access rights and then add the single rule allowing the special user access.