Kalpana-3650 asked

C# + AddDirectorySecurity(pathofprog, addeduser, FileSystemRights.FullControl, AccessControlType.Deny) - Still able to execute exe's within

Hi

I have managed to get the code running and it is working fine. I see that the user is added to the ACL and the permission is set to Deny.

However, I noticed that at times, for certain programs, I am still able to execute the exes within the subfolders. I am not able to open the subfolders, though, as the permission is denied...

    // Namespaces needed for DirectoryInfo and the ACL types used below.
    using System.IO;
    using System.Security.AccessControl;

    public partial class UserManage : UserControl
    {
        // Adds an access rule for Account to the directory's ACL.
        public static void AddDirectorySecurity(string FileName, string Account, FileSystemRights Rights, AccessControlType ControlType)
        {
            // Create a new DirectoryInfo object.
            DirectoryInfo dInfo = new DirectoryInfo(FileName);

            // Get a DirectorySecurity object that represents the
            // current security settings.
            DirectorySecurity dSecurity = dInfo.GetAccessControl();

            // Add the FileSystemAccessRule to the security settings.
            // ContainerInherit: the rule is inherited by subfolders only.
            dSecurity.AddAccessRule(new FileSystemAccessRule(Account, Rights, InheritanceFlags.ContainerInherit, PropagationFlags.None, ControlType));

            // Set the new access settings.
            dInfo.SetAccessControl(dSecurity);
        }

        // Removes a matching access rule for Account from the directory's ACL.
        public static void RemoveDirectorySecurity(string FileName, string Account, FileSystemRights Rights, AccessControlType ControlType)
        {
            // Create a new DirectoryInfo object.
            DirectoryInfo dInfo = new DirectoryInfo(FileName);

            // Get a DirectorySecurity object that represents the
            // current security settings.
            DirectorySecurity dSecurity = dInfo.GetAccessControl();

            // Remove the FileSystemAccessRule from the security settings.
            dSecurity.RemoveAccessRule(new FileSystemAccessRule(Account, Rights, InheritanceFlags.ContainerInherit, PropagationFlags.None, ControlType));

            // Set the new access settings.
            dInfo.SetAccessControl(dSecurity);
        }
    }

    // this is how I call the method
    AddDirectorySecurity(pathofprog, addeduser, FileSystemRights.FullControl, AccessControlType.Deny);

Am I missing something?

Tags: windows-wpf, dotnet-csharp, dotnet-wpf-xaml

1 Answer

RLWA32-6355 answered

By default, Windows grants user accounts the bypass-traverse-checking privilege. The posted code changes the security of folders but does not affect the security of files contained within those folders. Consequently, even with a Deny ACE in a folder's ACL it is possible for a user to access the contained files.


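An added example, not part of the question or the answer: because the answer points out that the folder rule never reaches the files, this code adds `InheritanceFlags.ObjectInherit` so the Deny ACE is inherited by files as well as subfolders, then lists any files that still have no Deny ACE covering execute. The class and method names are hypothetical, and it assumes it runs under an account other than the denied one.

```csharp
// Added example; DenyTreeExample and its method names are hypothetical.
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

public static class DenyTreeExample
{
    // Deny rule inherited by subfolders (ContainerInherit) AND by files (ObjectInherit).
    public static void DenyFolderAndFiles(string folder, string account, FileSystemRights rights)
    {
        var dInfo = new DirectoryInfo(folder);
        DirectorySecurity dSecurity = dInfo.GetAccessControl();
        dSecurity.AddAccessRule(new FileSystemAccessRule(
            account, rights,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None, AccessControlType.Deny));
        dInfo.SetAccessControl(dSecurity);
    }

    // Returns files under 'folder' whose ACL has no Deny ACE that names 'account'
    // directly and covers ExecuteFile, for example files whose ACL is protected
    // from inheritance. Deny ACEs granted through a group are not considered.
    public static List<string> FilesWithoutExecuteDeny(string folder, string account)
    {
        var sid = (SecurityIdentifier)new NTAccount(account).Translate(typeof(SecurityIdentifier));
        var uncovered = new List<string>();
        foreach (string file in Directory.EnumerateFiles(folder, "*", SearchOption.AllDirectories))
        {
            FileSecurity fSecurity = new FileInfo(file).GetAccessControl();
            bool denied = false;
            // Include both explicit and inherited ACEs, resolved to SIDs.
            foreach (FileSystemAccessRule rule in
                     fSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)))
            {
                if (rule.AccessControlType == AccessControlType.Deny &&
                    rule.IdentityReference.Equals(sid) &&
                    (rule.FileSystemRights & FileSystemRights.ExecuteFile) != 0)
                {
                    denied = true;
                    break;
                }
            }
            if (!denied) uncovered.Add(file);
        }
        return uncovered;
    }
}
```

Calling `FilesWithoutExecuteDeny(pathofprog, addeduser)` after the folder rule is applied gives a list to review; an empty list means every file found carries a matching Deny ACE.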