ASPAlliance: Articles, reviews, and samples for .NET Developers
URL: http://aspalliance.com/articleViewer.aspx?aId=1047&pId=-1
Working with File and Directory Properties, Attributes and Access Control List
by SANJIT SIL

Introduction

The .NET Framework provides a set of classes in the System.IO namespace for synchronous and asynchronous reading from and writing to data streams and files, which real-life applications need in order to read, write, or manipulate files and directories.  .NET Framework 2.0 introduced a new set of classes in the Framework Class Library (FCL) that allow us to work with NTFS Access Control Lists (ACLs).  We can get object owners and security descriptors, create security descriptors, and much more.  All of this resides under the System.Security.AccessControl namespace.  The sample code snippets in this article are written in C#.

Properties and Attributes

Files and directories share certain properties that we can use to determine the creation date of a file or directory, its size, last modified date, attributes, the extension of a file, etc.  These properties can be viewed by opening the file's Properties dialog.  We can open this dialog from Windows Explorer by either right-clicking the file and selecting Properties from the context menu or selecting Properties from the File menu.  Using the FileInfo and DirectoryInfo classes we can access these properties and modify them.  In Listing 1 the properties of a file are accessed programmatically.

Listing 1

private void show()
{
  // Read the file's metadata through FileInfo and write it to the page.
  FileInfo file = new FileInfo("C:/Documents and Settings/SanjitSil/Test.txt");
  Response.Write("Location :" + file.FullName + "<BR>" + "Size :" + file.Length
    + "<BR>" + "Created :" + file.CreationTime + "<BR>" +
    "Modified :" + file.LastWriteTime + "<BR>" + "Accessed :" +
    file.LastAccessTime + "<BR>" + "Attributes :" + file.Attributes + "<BR>" +
    "Extension :" + file.Extension + "<BR>");
}

The code above works on a text file.  Each time we edit the file, the values of its properties change.  For more information on the File, Directory, FileInfo and DirectoryInfo classes, readers may read my earlier article entitled “Working with Files and Directories.”

Access Control Lists

ACLs are the way to secure resources such as files and directories in the NTFS file system (the file system used by Windows XP, NT4.0, Windows 2000 and Windows 2003).  Through access control lists we can change the access control on files or directories.  We can view the access control list by selecting the Security tab in the file's Properties dialog.  Using the new System.Security.AccessControl namespace in the .NET Framework, we can query the file system for the ACL information and display it in a web page.

Listing 2

private void ShowACLInfo()
{
  // Read the ACL of the file.
  System.Security.AccessControl.FileSecurity fSec = File.GetAccessControl(
    "C:/Documents and Settings/SanjitSil/Test.txt");
  this.lblOwner.Text = fSec.GetOwner(typeof(System.Security.Principal.NTAccount)
    ).Value;
  // Include both explicit and inherited rules, translated to NTAccount names.
  AuthorizationRuleCollection author = fSec.GetAccessRules(true, true, typeof
    (System.Security.Principal.NTAccount));
  TableCell tc;
  TableHeaderCell thc;
  // Build the header row once; the columns follow the order used in the loop below.
  TableRow trr = new TableRow();
  thc = new TableHeaderCell();
  thc.Text = "Control Type";
  trr.Cells.Add(thc);
  thc = new TableHeaderCell();
  thc.Text = "Identity";
  trr.Cells.Add(thc);
  thc = new TableHeaderCell();
  thc.Text = "Inheritance Flags";
  trr.Cells.Add(thc);
  thc = new TableHeaderCell();
  thc.Text = "Is Inherited";
  trr.Cells.Add(thc);
  thc = new TableHeaderCell();
  thc.Text = "Propagation Flags";
  trr.Cells.Add(thc);
  thc = new TableHeaderCell();
  thc.Text = "File System Right";
  trr.Cells.Add(thc);
  tblAccessControlList.Rows.Add(trr);
  // One table row per access rule.
  foreach (FileSystemAccessRule rule in author)
  {
    TableRow tr = new TableRow();
    tc = new TableCell();
    tc.Text = rule.AccessControlType.ToString();
    tr.Cells.Add(tc);
    tc = new TableCell();
    tc.Text = rule.IdentityReference.Value;
    tr.Cells.Add(tc);
    tc = new TableCell();
    tc.Text = rule.InheritanceFlags.ToString();
    tr.Cells.Add(tc);
    tc = new TableCell();
    tc.Text = rule.IsInherited.ToString();
    tr.Cells.Add(tc);
    tc = new TableCell();
    tc.Text = rule.PropagationFlags.ToString();
    tr.Cells.Add(tc);
    tc = new TableCell();
    tc.Text = rule.FileSystemRights.ToString();
    tr.Cells.Add(tc);
    tblAccessControlList.Rows.Add(tr);
  }
}

In the code in Listing 2, a FileSecurity object is used to get the full ACL information for a specific file named Test.txt.  The GetOwner method of the FileSecurity object returns the owner of the file, here as an NTAccount, and its value is displayed in the label.

Here, an AuthorizationRuleCollection stores the collection returned by the FileSecurity.GetAccessRules() method.  The code then loops over it and, with the help of the FileSystemAccessRule object, displays the desired information in a table.  The output is displayed in the following figure.

Figure 1

Adding a rule to the Access Control List

In the following listing we will see how to add an access rule to the Test.txt file.

Listing 3

protected void btnAdd_Click(object sender, EventArgs e)
{
  // Read the current ACL, add an Allow rule, and write the ACL back to the file.
  System.Security.AccessControl.FileSecurity fSec = File.GetAccessControl(
    "C:/Documents and Settings/SanjitSil/Test.txt");
  fSec.AddAccessRule(new System.Security.AccessControl.FileSystemAccessRule(
    @"Sanjit\Test", System.Security.AccessControl.FileSystemRights.FullControl,
    System.Security.AccessControl.AccessControlType.Allow));
  File.SetAccessControl("C:/Documents and Settings/SanjitSil/Test.txt", fSec);
}

There are several things to notice in the code in Listing 3.  First, notice that three parameters are passed to the FileSystemAccessRule constructor.

The first parameter is the user to whom we want to give the right; remember that the value of the first parameter depends on the specific system.  Also remember that we must specify the full DOMAIN\USERNAME for the user.  In the code, the FileSystemRights enumeration is used to specify the exact right given to the user.  After running the above code, you can take a look in the file's Properties dialog and you will see that the user has been added to the Access Control List and allowed full control.

We can specify multiple rights by combining them with the bitwise OR operator (|), which is shown in the following listing.  FileSystemRights is a flags enumeration, so a bitwise AND (&) of Read and Write would leave no rights set.

Listing 4

fSec.AddAccessRule(new
  System.Security.AccessControl.FileSystemAccessRule(@"Sanjit\Test",
  System.Security.AccessControl.FileSystemRights.Read |
  System.Security.AccessControl.FileSystemRights.Write,
  System.Security.AccessControl.AccessControlType.Allow));

Removing the rule from Access Control List

Using RemoveAccessRule instead of AddAccessRule, we can remove the access rule that was added by the code in Listing 4.

The code to remove the rule is shown in the following listing.

Listing 5

protected void btnRemove_Click(object sender, EventArgs e)
{
  System.Security.AccessControl.FileSecurity fSec = File.GetAccessControl(
    "C:/Documents and Settings/SanjitSil/Test.txt");
  fSec.RemoveAccessRule(new System.Security.AccessControl.FileSystemAccessRule
    (@"Sanjit\Test", System.Security.AccessControl.FileSystemRights.FullControl,
    System.Security.AccessControl.AccessControlType.Allow));
  File.SetAccessControl("C:/Documents and Settings/SanjitSil/Test.txt", fSec);
 
}

After running the code specified in Listing 5, we can see that the user has been removed from the Access Control List.

In a similar way, we can apply Access Control List (ACL) entries described by a DirectorySecurity object to a directory, as shown in Listing 6.

Listing 6

// Read the directory's ACL, add an Allow rule, and write the ACL back.
System.Security.AccessControl.DirectorySecurity dSec =
  Directory.GetAccessControl("C:/TestDirectory");
dSec.AddAccessRule(new System.Security.AccessControl.FileSystemAccessRule(
  @"Sanjit\Test", System.Security.AccessControl.FileSystemRights.FullControl,
  System.Security.AccessControl.AccessControlType.Allow));
Directory.SetAccessControl("C:/TestDirectory", dSec);

We can use RemoveAccessRule for the directory in the same way.
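
The three-argument FileSystemAccessRule constructor used in Listing 6 sets no inheritance flags, so on a directory the rule applies to that directory only.  The following added example (not code from the original article) grants Read and Write instead of FullControl, sets inheritance flags, and checks that a new child file receives the rule as an inherited entry.  It assumes .NET Framework on Windows; the scratch directory and the use of the current user's SID are assumptions made for the demo.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

class InheritableRuleDemo
{
    static void Main()
    {
        // Constructed scratch directory so the demo never touches real data.
        string dir = Path.Combine(Path.GetTempPath(), "AclDemo_" + Guid.NewGuid().ToString("N"));
        Directory.CreateDirectory(dir);

        // Assumption: grant to the current user's SID rather than a hard-coded DOMAIN\USERNAME.
        SecurityIdentifier user = WindowsIdentity.GetCurrent().User;

        // Least privilege: Read | Write rather than FullControl. The inheritance flags make
        // the rule apply to subfolders (ContainerInherit) and files (ObjectInherit) as well.
        FileSystemAccessRule rule = new FileSystemAccessRule(
            user,
            FileSystemRights.Read | FileSystemRights.Write,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AccessControlType.Allow);

        DirectorySecurity dSec = Directory.GetAccessControl(dir);
        dSec.AddAccessRule(rule);
        Directory.SetAccessControl(dir, dSec);

        // A file created afterwards receives the rule as an inherited entry.
        string child = Path.Combine(dir, "child.txt");
        File.WriteAllText(child, "constructed sample content");

        // Read the child's ACL as SIDs and print every rule that names the current user.
        FileSecurity fSec = File.GetAccessControl(child);
        foreach (FileSystemAccessRule r in fSec.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (r.IdentityReference.Equals(user))
                Console.WriteLine("{0} {1} inherited={2}", r.AccessControlType, r.FileSystemRights, r.IsInherited);
        }

        Directory.Delete(dir, true);
    }
}
```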

Explicit permissions and inherited permissions

I would like to describe the different types of permissions on files or folders.  There are two types of permissions: explicit permissions and inherited permissions.  Explicit permissions are those that are set by default when the object is created, or by user action.  Inherited permissions are those that are propagated to an object from a parent object.  Inherited permissions ease the task of managing permissions and ensure consistency of permissions among all objects within a given container.  By default, objects within a container inherit the permissions from that container when the objects are created.  For example, when we create a folder called TestFolder, all subfolders and files created within TestFolder automatically inherit the permissions from that folder.  Therefore, TestFolder has explicit permissions, while all subfolders and files within it have inherited permissions.  It should be noted that inherited Deny permissions do not prevent access to an object if the object has an explicit Allow permission entry.  Explicit permissions take precedence over inherited permissions.  We generally use Deny to exclude one or two special permissions when we have already granted full control to a user or group.
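
An audit along these lines, as an added example that is not part of the original article: it lists only the explicit rules on a folder and its immediate children, marks objects that block inheritance from their parent, and flags explicit Allow rules that give broad groups write-class rights.  The class name, the Risky mask and the choice of broad groups are assumptions; it targets .NET Framework on Windows.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

class AclAudit
{
    // Assumption: rights that let a principal change content or permissions.
    const FileSystemRights Risky = FileSystemRights.Write | FileSystemRights.Delete |
        FileSystemRights.ChangePermissions | FileSystemRights.TakeOwnership;

    // Broad groups, identified by well-known SID so localized names do not matter.
    static readonly SecurityIdentifier[] Broad = {
        new SecurityIdentifier(WellKnownSidType.WorldSid, null),              // Everyone
        new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null),  // Authenticated Users
        new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null)        // BUILTIN\Users
    };

    static void Audit(string path)
    {
        FileSystemSecurity sec = Directory.Exists(path)
            ? (FileSystemSecurity)Directory.GetAccessControl(path)
            : File.GetAccessControl(path);
        // True when inheritance from the parent is blocked on this object.
        if (sec.AreAccessRulesProtected)
            Console.WriteLine("[protected] {0}", path);
        // includeExplicit = true, includeInherited = false: only rules set on this object.
        foreach (FileSystemAccessRule r in sec.GetAccessRules(true, false, typeof(SecurityIdentifier)))
        {
            bool broad = Array.IndexOf(Broad, (SecurityIdentifier)r.IdentityReference) >= 0;
            bool risky = r.AccessControlType == AccessControlType.Allow &&
                (r.FileSystemRights & Risky) != 0;
            Console.WriteLine("{0} explicit {1} {2} {3} {4}", broad && risky ? "[review]" : "        ",
                r.AccessControlType, r.IdentityReference, r.FileSystemRights, path);
        }
    }

    static void Main(string[] args)
    {
        // Assumption: the folder to audit is the first argument; defaults to the current directory.
        string root = args.Length > 0 ? args[0] : Directory.GetCurrentDirectory();
        Audit(root);
        foreach (string entry in Directory.GetFileSystemEntries(root))
        {
            try { Audit(entry); }
            catch (UnauthorizedAccessException) { Console.WriteLine("[no access] {0}", entry); }
        }
    }
}
```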

Conclusion

In order to secure a computer and its resources, we must take into consideration what rights users will have.  We can secure a computer or multiple computers by granting users or groups specific user rights.  We can secure an object, such as a file or folder, by assigning permissions that allow users or groups to perform specific actions on that object.  We often need to set ACLs on files or even folders.  In real life, when we deploy an application we may need to set proper permissions on a file or folder.  It is true that an administrator can set any type of permission on a file or folder in an application.  But on the deployment server we may not have the permission to set ACLs manually.  In that scenario we can set the required permissions on a file or folder from within the application, using the new ACL features of .NET Framework 2.0.

