.NET 控制Windows文件和目录访问权限研究(FileSystemAccessRule)

时间:2023-03-08 16:01:02

前一段时间学习了.net 控制windows文件和目录权限的相关内容,期间做了一些总结。想把这方面的研究跟大家分享,一起学习。其中不免得有些用词不太标准的地方,希望大家留言指正,我加以修改。

首先,我们利用一个方法作为示例:

        /// <summary>
/// 为指定用户组,授权目录指定完全访问权限
/// </summary>
/// <param name="user">用户组,如Users</param>
/// <param name="folder">实际的目录</param>
/// <returns></returns>
private static bool SetAccess(string user, string folder)
{
//定义为完全控制的权限
const FileSystemRights Rights = FileSystemRights.FullControl; //添加访问规则到实际目录
var AccessRule = new FileSystemAccessRule(user, Rights,InheritanceFlags.None,PropagationFlags.NoPropagateInherit, AccessControlType.Allow);
var Info = new DirectoryInfo(folder);
var Security = Info.GetAccessControl(AccessControlSections.Access);
bool Result;
Security.ModifyAccessRule(AccessControlModification.Set, AccessRule, out Result);
if (!Result) return false; //总是允许再目录上进行对象继承
const InheritanceFlags iFlags = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;
//为继承关系添加访问规则
AccessRule = new FileSystemAccessRule(user, Rights,iFlags,PropagationFlags.InheritOnly,AccessControlType.Allow);
Security.ModifyAccessRule(AccessControlModification.Add, AccessRule, out Result);
if (!Result)
return false;
Info.SetAccessControl(Security);//将 FileSecurity 对象所描述的访问控制列表 (ACL) 项应用于当前 FileStream 对象所描述的文件。
return true;
}

下面详细的介绍一下比较重要的几个方法,第一个:

一、 public FileSystemAccessRule( string identity, FileSystemRights fileSystemRights, InheritanceFlags inheritanceFlags, PropagationFlags propagationFlags, AccessControlType type)

定义访问规则,参数如下:

identity   
  Type:     System.String
  The name of a user account. (账户名)
fileSystemRights
   Type:     System.Security.AccessControl.FileSystemRights
  One of the FileSystemRights values that specifies the type of operation associated with the access rule. (与访问规则相关联的操作类型)
inheritanceFlags
    Type:     System.Security.AccessControl.InheritanceFlags
  One of the InheritanceFlags values that specifies how access masks are propagated to child objects.
  (****上解释的是“该值指示如何将访问掩码传播到子对象”,我的理解是 该值规定是将继承规则作用在文件夹上还是文件上)
propagationFlags
    Type:     System.Security.AccessControl.PropagationFlags
  One of the PropagationFlags values that specifies how Access Control Entries (ACEs) are propagated to child objects.
  (****上解释的是“该值指定如何将访问控制项 (Ace) 传播到子对象”,propagationFlags能起作用的前提是inheritanceFlags不为None)
type
    Type:     System.Security.AccessControl.AccessControlType
  One of the AccessControlType values that specifies whether to allow or deny the operation.(允许还是拒绝)

第一个参数是账户名,第二个是操作类型,操作类型对应的有以下:

("AppendData", "附加数据");
("ChangePermissions", "更改权限");
("CreateDirectories", "创建文件夹/附加数据");
("CreateFiles", "创建文件/写入数据");
("Delete", "删除");
("DeleteSubdirectoriesAndFiles", "删除子文件夹及文件");
("ExecuteFile", "执行文件");
("FullControl", "完全控制");
("ListDirectory", "列出文件夹/读取数据");
("Modify", "修改");
("Read", "读取");
("ReadAndExecute", "读取和执行");
("ReadAttributes", "读取属性");
("ReadData", "读取数据");
("ReadExtendedAttributes", "读取扩展属性");
("ReadPermissions", "读取权限");
("Synchronize", "同步");
("TakeOwnership", "更改文件(夹)所有者");
("Traverse", "执行程序");
("Write", "写入");
("WriteAttributes", "写入属性");
("WriteData", "写入数据");
("WriteExtendedAttributes", "写入扩展属性");

第三四个参数比较难懂,并且他两个应该组合起来应用。一个是inheritanceFlags(ContainerInherit,None,ObjectInherit),另一个是propagationFlags(InheritOnly,None,NoPropagateInherit),这两枚举都有三个值,都具有允许其成员值的按位组合的 FlagsAttribute 特性,propagationFlags能起作用的前提是inheritanceFlags不为None。

下面是我总结的常用的枚举组合:

.NET 控制Windows文件和目录访问权限研究(FileSystemAccessRule)

对应到windows界面操作上后,如下图所示:

.NET 控制Windows文件和目录访问权限研究(FileSystemAccessRule)

第五个参数规定该访问规则的类型是 允许还是拒绝。

再看一下另一个方法:

二 、public virtual bool ModifyAccessRule( AccessControlModification modification, AccessRule rule, out bool modified)

修改访问规则,参数如下:

modification
    Type:     System.Security.AccessControl.AccessControlModification
  The modification to apply to the DACL.(包括Add、Remove、RemoveAll、RemoveSpecific、Reset、Set)
rule
    Type:     System.Security.AccessControl.AccessRule
  The access rule to modify.(访问规则)
modified
    Type:     System.Boolean
  true
if the DACL is successfully modified; otherwise, false.(指示成功还是失败) 返回值
Type:     System.Boolean
true
if the DACL is successfully modified; otherwise, false.

最后利用SetAccessControl将FileSecurity 对象所描述的访问控制列表 (ACL) 项应用于当前 FileStream 对象所描述的文件。

最后贴上我自己写的一个类,可根据自己需要加以修改。

 using System;
using System.Collections.Generic;
using System.Text;
using System.Security.AccessControl;
using System.IO;
using System.Security.Principal; namespace subServer
{
class WinFileAccessHelper
{
private enum MyRights
{
ChangePermissions,
CreateDirectories,
CreateFiles,
Delete,
DeleteSubdirectoriesAndFiles,
ExecuteFile,
FullControl,
ListDirectory,
Modify,
Read,
ReadAndExecute,
ReadAttributes,
ReadData,
ReadExtendedAttributes,
ReadPermissions,
Synchronize,
TakeOwnership,
Traverse,
Write,
WriteAttributes,
WriteData,
WriteExtendedAttributes
}; public enum MyEffectRange//作用范围
{
OnlyThisFolder, // 仅作用于此文件夹 ThisAndAllChildFolder, // 此文件夹和子文件夹(包括子文件夹下的所有文件夹)
OnlyAllChildFolder, // 只有子文件夹(包括子文件夹下的所有文件夹,但不包括此文件夹)
ThisAndOnlyChildFolder, // 此文件夹和子文件夹(不包括子文件夹下的文件夹) ThisAndALLFiles, // 此文件夹和文件(包括子文件夹下的所有文件)
OnlyAllFiles, // 只有文件(包括子文件夹下的所有文件,但不包括此文件夹)
ThisAndOnlyChildFiles, // 此文件夹和此文件夹下的文件(不包括子文件夹和子文件夹下的文件) ThisAndAllFolderFiles, // 此文件夹、子文件夹和文件(包括文件夹下的所有文件夹和文件)
OnlyAllChildFolderFiles, // 子文件夹和文件(包括文件夹下的所有文件夹和文件,不包括此文件夹)
ThisAndOnlyChildFolderFiles // 此文件夹、此文件夹下的文件 和子文件夹(不包括子文件夹下的文件夹和文件)
}; public struct InheritPropPair
{
public InheritPropPair(InheritanceFlags inher, PropagationFlags pro)
{
inherit = inher;
propagation = pro;
}
public InheritanceFlags inherit;
public PropagationFlags propagation;
} /// <summary>
/// 通过作用范围获得InheritPropPair
/// </summary>
/// <param name="range"></param>
/// <param name="pair"></param>
/// <returns></returns>
public static bool getInheritPropPair(MyEffectRange range, out InheritPropPair pair)
{
bool isRight = true;
InheritanceFlags inheritTmp = InheritanceFlags.None;
PropagationFlags propagationTmp = PropagationFlags.None; switch (range)
{
case MyEffectRange.OnlyThisFolder:
inheritTmp = InheritanceFlags.None;
propagationTmp = PropagationFlags.None;
break; case MyEffectRange.ThisAndAllChildFolder:
inheritTmp = InheritanceFlags.ContainerInherit;
propagationTmp = PropagationFlags.None;
break;
case MyEffectRange.OnlyAllChildFolder:
inheritTmp = InheritanceFlags.ContainerInherit;
propagationTmp = PropagationFlags.InheritOnly;
break;
case MyEffectRange.ThisAndOnlyChildFolder:
inheritTmp = InheritanceFlags.ContainerInherit;
propagationTmp = PropagationFlags.NoPropagateInherit;
break; case MyEffectRange.ThisAndALLFiles:
inheritTmp = InheritanceFlags.ObjectInherit;
propagationTmp = PropagationFlags.None;
break;
case MyEffectRange.OnlyAllFiles:
inheritTmp = InheritanceFlags.ObjectInherit;
propagationTmp = PropagationFlags.InheritOnly;
break;
case MyEffectRange.ThisAndOnlyChildFiles:
inheritTmp = InheritanceFlags.ObjectInherit;
propagationTmp = PropagationFlags.NoPropagateInherit;
break; case MyEffectRange.ThisAndAllFolderFiles:
inheritTmp = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;
propagationTmp = PropagationFlags.None;
break;
case MyEffectRange.OnlyAllChildFolderFiles:
inheritTmp = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;
propagationTmp = PropagationFlags.InheritOnly;
break;
case MyEffectRange.ThisAndOnlyChildFolderFiles:
inheritTmp = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;
propagationTmp = PropagationFlags.NoPropagateInherit;
break; default:
Console.WriteLine("输入参数不正确");
isRight = false;
break;
}
pair.inherit = inheritTmp;
pair.propagation = propagationTmp;
return isRight;
} /// <summary>
/// 为指定用户组,授权目录指定访问权限
/// </summary>
/// <param name="user">用户组,如Users/Everyone</param>
/// <param name="folderOrFile">目录或文件路径</param>
/// <param name="rights">FileSystemRights类型的权限,可叠加</param>
/// <param name="pair">由作用范围得到的继承和传播方式pair</param>
/// <param name="accessType">AccessControlType类型的参数,有Allow/Deny</param>
/// <param name="isDelExistingAccess">是否删除该用户已有的权限控制</param>
/// <returns></returns>
public static bool SetAccess(string user, string folderOrFile, FileSystemRights rights, InheritPropPair pair,AccessControlType accessType)
{
try
{
if (!Directory.Exists(folderOrFile) && !File.Exists(folderOrFile))
return false; var Info = new DirectoryInfo(folderOrFile);
var Security = Info.GetAccessControl(AccessControlSections.Access);
bool Result;
var AccessRule = new FileSystemAccessRule(user, rights, pair.inherit, pair.propagation, accessType); Security.ModifyAccessRule(AccessControlModification.Set, AccessRule, out Result);
if (!Result)
return false; Info.SetAccessControl(Security);
return true;
}
catch(Exception ex)
{
System.Windows.Forms.MessageBox.Show(ex.ToString(), "设置权限错误");
return false;
}
} /// <summary>
/// 删除权限
/// </summary>
/// <param name="user"></param>
/// <param name="folderOrFile"></param>
/// <param name="rights"></param>
/// <param name="pair"></param>
/// <param name="accessType"></param>
/// <returns></returns>
public static bool RemoveAccess(string user, string folderOrFile, FileSystemRights rights, InheritPropPair pair, AccessControlType accessType)
{
try
{
if (!Directory.Exists(folderOrFile) && !File.Exists(folderOrFile))
return false; var Info = new DirectoryInfo(folderOrFile);
var Security = Info.GetAccessControl(AccessControlSections.Access);
bool Result;
var AccessRule = new FileSystemAccessRule(user, rights, pair.inherit, pair.propagation, accessType); Security.ModifyAccessRule(AccessControlModification.Remove, AccessRule, out Result);
if (!Result)
return false; Info.SetAccessControl(Security);
return true;
}
catch (Exception ex)
{
System.Windows.Forms.MessageBox.Show(ex.ToString(), "删除权限错误");
return false;
}
} /// <summary>
/// 删除所有“拒绝”权限,只能删除自身设置的访问控制权限,不能删除继承得来的权限。如果想删除继承的权限,请先调用DenyInheritAccess()
/// </summary>
/// <param name="folderOrFile">文件夹或文件</param>
/// <returns></returns>
public static bool RemoveAllDenyAccess(string folderOrFile)
{
try
{
if (!Directory.Exists(folderOrFile) && !File.Exists(folderOrFile))
return false; var Info = new DirectoryInfo(folderOrFile);
var Security = Info.GetAccessControl(AccessControlSections.Access);
bool Result; foreach (FileSystemAccessRule rule in Security.GetAccessRules(true, true, typeof(NTAccount)))
//foreach (FileSystemAccessRule rule in Security.GetAccessRules(true, true, typeof(SecurityIdentifier)))
{
//NTAccount时输出:允许 BUILTIN\Administrators---- FullControl
//SecurityIdentifier时输出:允许 S-1-5-32-544---- FullControl
//Console.WriteLine("{0} {1}---- {2}",
// rule.AccessControlType == AccessControlType.Allow ? "允许" : "拒绝",
// rule.IdentityReference.ToString(),
// rule.FileSystemRights
// );
if (rule.AccessControlType == AccessControlType.Deny)
{
Security.ModifyAccessRule(AccessControlModification.Remove, rule, out Result);
if (!Result)
return false;
Info.SetAccessControl(Security);
// System.Windows.Forms.MessageBox.Show(folderOrFile+"Deny result"+Result);
}
} return true;
}
catch (Exception ex)
{
System.Windows.Forms.MessageBox.Show(ex.ToString(), "删除权限错误");
return false;
}
} /// <summary>
/// 删除继承得来的访问权限
/// </summary>
/// <param name="folderOrFile">文件夹或文件</param>
/// <param name="preserveInheritance">是否保留继承得来的访问权限</param>
/// <returns></returns>
public static bool DenyInheritAccess(string folderOrFile, bool preserveInheritance)
{
try
{
if (!Directory.Exists(folderOrFile) && !File.Exists(folderOrFile))
return false;
var Info = new DirectoryInfo(folderOrFile);
var Security = Info.GetAccessControl(AccessControlSections.Access);
Security.SetAccessRuleProtection(true, preserveInheritance);
Info.SetAccessControl(Security);
return true;
}
catch (Exception ex)
{
System.Windows.Forms.MessageBox.Show(ex.ToString(), "禁用继承权限错误");
return false;
}
}
}
}

目录访问控制类

如果想进一步了解关于访问控制的详细介绍,可以参考http://www.cnblogs.com/xuanhun/archive/2012/06/23/2559576.html