Discretionary access control list (DACL) is a mechanism that is utilized by OS in order to allow or restrict access by the users or groups to certain resources such as files and folders. In general, DACL is controlled by the owner of the object. User access to object are is controlled with the help of Access Control Entries (ACE).
Permissions are inherited for the most of the part. For instance, if we create subfolder, this subfolder will inherit permissions set for its parent folder same applies for registry key and other objects.
.NET Framework allows us to use FileSystemRights enumeration to specify file and folder permissions.
|Modify||All folders permissions|
|ReadAndExecute||View files and run applications|
|ListDirectory||Browse a folder|
|Read||View a file or a folder|
|Write||Create files in a directory|
|Other members||Standard permissions|
Security access control list (SACL) is an audit mechanism that tracks what files or folders were accessed and how they were accessed. SACL can do only one thing which is logging access information. This capability is good for intrusion detection for example.
If we want to work with ACL by viewing them or configuring, we need to use System.Security.AccessControl namespace. We can use classes of this name space to access ACL, SACL, and DACL for file, folder, registry key and etc…
Three ACL classes are important to know. They are:
- <Type>Security - used for retrival of collections of DACL and SACL as well as adding and removing ACLs.
- <Type>AccessRule – set of access rights for users or group of users.
- <Type>AuditRule - set of access rights that we want to audited for a user or group.
DirectorySecurity ds = new DirectorySecurity(@"C:\Program Files", AccessControlSections.Access);
AuthorizationRuleCollection arc = ds.GetAccessRules(true, true, typeof(NTAccount));
foreach (FileSystemAccessRule ar in arc)
Console.WriteLine(ar.IdentityReference + ": " + ar.AccessControlType + " " + ar.FileSystemRights);
We can configure ACL like that:
string dir = @"C:\test";
DirectorySecurity ds = Directory.GetAccessControl(dir);
ds.AddAccessRule(new FileSystemAccessRule("Guest", FileSystemRights.Read, AccessControlType.Allow));
To remove an access rule we use AddAccessRule with RemoveAccessRule.
We can also set access rule using SetAccessRuleProtection(true, true) if we need to protect ourselves from inheriting local securyt and setting the one we are coping from.