C# - Set Directory Permissions for All Users in Windows 7
You also need to call SetAccessControl
to apply the changes.
ds = di.GetAccessControl();
ds.AddAccessRule(fsar);
di.SetAccessControl(ds); // nothing happens until you do this
It seems that the examples on MSDN are sorely lacking in detail, as discussed here. I hacked the code from this article to get the following which behaves well:
static bool SetAcl()
{
FileSystemRights Rights = (FileSystemRights)0;
Rights = FileSystemRights.FullControl;
// *** Add Access Rule to the actual directory itself
FileSystemAccessRule AccessRule = new FileSystemAccessRule("Users", Rights,
InheritanceFlags.None,
PropagationFlags.NoPropagateInherit,
AccessControlType.Allow);
DirectoryInfo Info = new DirectoryInfo(destinationDirectory);
DirectorySecurity Security = Info.GetAccessControl(AccessControlSections.Access);
bool Result = false;
Security.ModifyAccessRule(AccessControlModification.Set, AccessRule, out Result);
if (!Result)
return false;
// *** Always allow objects to inherit on a directory
InheritanceFlags iFlags = InheritanceFlags.ObjectInherit;
iFlags = InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit;
// *** Add Access rule for the inheritance
AccessRule = new FileSystemAccessRule("Users", Rights,
iFlags,
PropagationFlags.InheritOnly,
AccessControlType.Allow);
Result = false;
Security.ModifyAccessRule(AccessControlModification.Add, AccessRule, out Result);
if (!Result)
return false;
Info.SetAccessControl(Security);
return true;
}
folder permissions: Full control granted to all users
A good solution is to grant full control to Everyone using xcacls.exe or any other ACL tool. This tool can be added as a custom action in your setup project.
Granting privileges to each user is not recommended because future accounts will not be covered. Also, doing this through custom code doesn't always work. Windows permissions are a bit tricky when it comes to controlling them through code.
Set write permissions for all users for my program folder
Perhaps the best answer isn't what you've asked for. There's a good reason for not writing to the program files directory. Log data in particular is transient and shouldn't be written here.
It's a much better idea to write log data to the directory specified by the TEMP environment variable. If you do this you'll save your users a few troubles and prevent them cursing your software in the future. Please check out this answer which covers the same topic:
Allow access permission to write in Program Files of Windows 7
Add Everyone privilege to folder using C#.NET
First thing I want to tell you is how I found this solution. This is probably more important than the answer because file permissions are hard to get correct.
First thing I did was set the permissions I wanted using the Windows dialogs and checkboxes. I added a rule for "Everyone" and ticked all boxes except "Full Control".
Then I wrote this C# code to tell me exactly what parameters I need to duplicate the Windows settings:
string path = @"C:\Users\you\Desktop\perms"; // path to directory whose settings you have already correctly configured
DirectorySecurity sec = Directory.GetAccessControl(path);
foreach (FileSystemAccessRule acr in sec.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount))) {
Console.WriteLine("{0} | {1} | {2} | {3} | {4}", acr.IdentityReference.Value, acr.FileSystemRights, acr.InheritanceFlags, acr.PropagationFlags, acr.AccessControlType);
}
This gave me this line of output:
Everyone | Modify, Synchronize | ContainerInherit, ObjectInherit | None | Allow
So the solution is simple (yet hard to get right if you don't know what to look for!):
DirectorySecurity sec = Directory.GetAccessControl(path);
// Using this instead of the "Everyone" string means we work on non-English systems.
SecurityIdentifier everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null);
sec.AddAccessRule(new FileSystemAccessRule(everyone, FileSystemRights.Modify | FileSystemRights.Synchronize, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow));
Directory.SetAccessControl(path, sec);
This will make the checkboxes on the Windows security dialog match what you have already set for your test directory.
Allow access permission to write in Program Files of Windows 7
Your program should not write temporary files (or anything else for that matter) to the program directory. Any program should use %TEMP% for temporary files and %APPDATA% for user specific application data. This has been true since Windows 2000/XP so you should change your aplication.
The problem is not Windows 7.
You can ask for appdata folder path:
string dir = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
or for TEMP path
string dir = Path.GetTempPath()
How to grant full permission to a file created by my application for ALL users?
Note to people using this.
When using literal strings for the FileSystemAccessRule
, it should be WellKnownSidType.WorldSid
instead of "everyone"
.
The reason is because there are multiple Window languages and Everyone only applies to EN ones, so for Spanish, it might be "Todos" (or something else).
using System.Security.AccessControl;
using System.Security.Principal;
using System.IO;
private void GrantAccess(string fullPath)
{
DirectoryInfo dInfo = new DirectoryInfo(fullPath);
DirectorySecurity dSecurity = dInfo.GetAccessControl();
dSecurity.AddAccessRule(new FileSystemAccessRule(new SecurityIdentifier(WellKnownSidType.WorldSid, null), FileSystemRights.FullControl, InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.NoPropagateInherit, AccessControlType.Allow));
dInfo.SetAccessControl(dSecurity);
}
Providing Directory's Full Control for Non-admin Users under Windows 7
you should change the application so that it stores its INI file at a location which normal users can write - see http://social.msdn.microsoft.com/Forums/en-US/csharpgeneral/thread/77aaf6e1-8de5-4529-9b26-fa89b55fcc49
EDIT:
IF that is absolutley not possible then:
create a "custom action" in the setup project and change the permissions... a good starting point is
http://www.redmondpie.com/applying-permissions-on-any-windows-folder-using-c/
and
http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemsecurity.addaccessrule.aspx
How to create a directory in which only Administrator has full control?
Yup, it's possible. First, you have to create the directory then set it's access rules.
var directory = Directory.CreateDirectory("SomeFolder");
var directorySecurity = directory.GetAccessControl();
var administratorRule = new FileSystemAccessRule("Administrators", FileSystemRights.FullControl, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow);
var usersRole = new FileSystemAccessRule("Users", FileSystemRights.CreateDirectories | FileSystemRights.CreateFiles, AccessControlType.Allow);
directorySecurity.AddAccessRule(administratorRule);
directorySecurity.AddAccessRule(usersRole);
directory.SetAccessControl(directorySecurity);
Related Topics
Internal VS. Private Access Modifiers
Converting Xml to a Dynamic C# Object
How to Store/Retrieve Rsa Public/Private Key
How Does Task<Int> Become an Int
Why Is Try {...} Finally {...} Good; Try {...} Catch{} Bad
Can You Explain Liskov Substitution Principle with a Good C# Example
How to Store Data Locally in .Net (C#)
Spawn Multiple Threads for Work Then Wait Until All Finished
How to Do a Bulk Insert -- Linq to Entities
Units of Measure in C# - Almost
Get Number of Listeners, Clients Connected to Signalr Hub