The Basics of Manipulating File Access Control Lists with C#
Here, the current user's account name, including the domain name if there is one, is read by calling the static GetCurrent method of the WindowsIdentity class. Next, the code creates a new instance of the FileSystemAccessRule class, and specifies the account name, the access rights, and the allow/deny indicator. The FileSystemRights enumeration contains all the possible options that can be controlled on files, for example:
Then the code reads the existing access control entries of the selected file, and calls the AddAccessRule method of the returned FileSecurity object to add the new ACE to the access control list. Finally, the file's ACL is written back by calling File.SetAccessControl. If you omit this last step, the actual ACL of the file is not updated; the FileSecurity object is only an in-memory copy.
Making sure your applications are secure and safe to use should be a major priority in your application design. Being able to programmatically control access control lists allows you to build safer applications, improve your IT infrastructure, or even improve your application setups by setting secure defaults right from the start.
Of course, you need to have the proper rights to set file access control entries. In Windows, the creator of a file is by default the owner of the file, which means that he or she can change the access control list of that file. However, administrators can also modify access control lists or take ownership of the file. This is true on both domain-joined and standalone PCs.
In your C# code, if you don't have permission to change a file's access control list, the File.SetAccessControl method raises an UnauthorizedAccessException. Although the example application manipulates only files, it helps to know that directories also have their own access control entries. In .NET, the System.IO.Directory class also has the convenient GetAccessControl and SetAccessControl methods. These methods work like their file cousins, but return and accept DirectorySecurity objects instead of FileSecurity objects.
Note that you might also wish to test whether a user has access to a certain file. Although in theory you could parse the access control list and evaluate the ACEs in code, I strongly recommend against that, because access checking involves inheritance, deny entries, and group membership, and is difficult to implement correctly.
Instead, I recommend letting the operating system do the checking. Although .NET doesn't offer an equivalent of the Win32 API function AccessCheck, you can simply try opening the file with the access you need, and then check whether the operation was allowed. If the open fails with an UnauthorizedAccessException, you know that the user doesn't have that access (other exceptions, such as a sharing violation, say nothing about the ACL). Of course, calling AccessCheck through P/Invoke is another option.
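The steps described above (read the ACL, add an ACE for the current user, write the ACL back) together with the "let the OS check" approach, as an added example that is not the article's own code. It targets the .NET Framework, where File.GetAccessControl and File.SetAccessControl are static methods; the file path is an assumed placeholder and the granted right (Read) is a constructed choice.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class FileAclDemo
{
    // Adds an Allow ACE for the current user and persists the modified ACL.
    static void GrantReadAccess(string path)
    {
        string account = WindowsIdentity.GetCurrent().Name;   // e.g. DOMAIN\user
        var rule = new FileSystemAccessRule(
            account,
            FileSystemRights.Read,        // the rights being granted
            AccessControlType.Allow);     // Allow rather than Deny

        FileSecurity security = File.GetAccessControl(path);  // existing ACL (in-memory copy)
        security.AddAccessRule(rule);                         // append the new ACE
        File.SetAccessControl(path, security);                // without this, nothing changes on disk
    }

    // Lets the operating system evaluate the ACL by attempting the open.
    // Only UnauthorizedAccessException means "denied"; IOException (e.g. a sharing
    // violation) is unrelated to permissions and is left to propagate.
    static bool CanOpen(string path, FileAccess access)
    {
        try
        {
            using (new FileStream(path, FileMode.Open, access, FileShare.ReadWrite)) { }
            return true;
        }
        catch (UnauthorizedAccessException)
        {
            return false;
        }
    }

    static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : "example.txt"; // assumed placeholder path
        if (!File.Exists(path)) File.WriteAllText(path, "demo");

        try
        {
            GrantReadAccess(path);
        }
        catch (UnauthorizedAccessException)
        {
            Console.WriteLine("Caller is not allowed to modify the ACL of " + path);
        }

        Console.WriteLine("Read allowed:  " + CanOpen(path, FileAccess.Read));
        Console.WriteLine("Write allowed: " + CanOpen(path, FileAccess.Write));
    }
}
```

Run it from a standard user account to see the ACL modification fail while the open-based check still reports the effective access.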
In this article, you have learned the basics of access control (as far as files are concerned), and how access control works in Windows-based operating systems using the NTFS file system. You also learned what access control lists (ACLs) and access control entries (ACEs) are.
Most importantly, you learned how to read and write access control lists from your C# applications. By using the static GetAccessControl and SetAccessControl methods of the System.IO.File class, you are able to retrieve the FileSecurity object, which in turn allows you to retrieve a collection of ACEs associated with the file.
Once you master file access control, you can proceed to manipulate access control entries in other operating system objects, such as registry keys and mutexes. The .NET Framework is built so that similar code can be used no matter which object type is in question. But, that's a topic for another article.
Happy security programming!
Download the Code
You can download the code that accompanies this article here.
About the Author
Jani Järvinen is a software development trainer and consultant in Finland. He is a Microsoft C# MVP and has written dozens of magazine articles and published two books about software development. He is a group leader of a Finnish software development expert group at ITpro.fi. His frequently updated blog can be found at http://www.saunalahti.fi/janij/. You can send him mail by clicking on his name at the top of the article.
Page 3 of 3