C# + AddDirectorySecurity(pathofprog, addeduser, FileSystemRights.FullControl, AccessControlType.Deny) - Still able to execute exe's within

Kalpana 286 Reputation points
2021-01-17T01:10:04.713+00:00

Hi

I have managed to get the code running and it is working fine. I see that the user is added to the ACL and the permission is set to deny.

However, I noticed that at times, for certain programs, I am still able to execute the exes within the subfolders. I am not able to open the subfolders, though, as the permission is denied...

public partial class UserManage : UserControl
    {
        //static method
        public static void AddDirectorySecurity(string FileName, string Account, FileSystemRights Rights, AccessControlType ControlType)
        {
            // Create a new DirectoryInfo object.
            DirectoryInfo dInfo = new DirectoryInfo(FileName);

            // Get a DirectorySecurity object that represents the
            // current security settings.
            DirectorySecurity dSecurity = dInfo.GetAccessControl();

            // Add the FileSystemAccessRule to the security settings.
            dSecurity.AddAccessRule(new FileSystemAccessRule(Account, Rights, InheritanceFlags.ContainerInherit, PropagationFlags.None, ControlType));

            // Set the new access settings.
            dInfo.SetAccessControl(dSecurity);
        }

        public static void RemoveDirectorySecurity(string FileName, string Account, FileSystemRights Rights, AccessControlType ControlType)
        {
            // Create a new DirectoryInfo object.
            DirectoryInfo dInfo = new DirectoryInfo(FileName);

            // Get a DirectorySecurity object that represents the
            // current security settings.
            DirectorySecurity dSecurity = dInfo.GetAccessControl();

            // Remove the FileSystemAccessRule from the security settings.
            dSecurity.RemoveAccessRule(new FileSystemAccessRule(Account, Rights, InheritanceFlags.ContainerInherit, PropagationFlags.None, ControlType));

            // Set the new access settings.
            dInfo.SetAccessControl(dSecurity);
        }
    }


//this is how I call the method
AddDirectorySecurity(pathofprog, addeduser, FileSystemRights.FullControl, AccessControlType.Deny);

Am I missing something?


1 answer

  1. RLWA32 41,046 Reputation points
    2021-01-17T12:22:59.84+00:00

    By default Windows grants user accounts the bypass-traverse-checking privilege. The posted code changes the security of folders but does not affect the security of files contained within those folders. Consequently, even with a Deny ACE in a folder's ACL it is possible for a user to access the contained files.

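Added example, not part of the original thread: a variant of the posted method that also sets `InheritanceFlags.ObjectInherit`, so the Deny ACE is inherited by files as well as subfolders, followed by a check that lists files whose ACL still lacks it. The class name, sample path and sample account are hypothetical, and the code assumes it runs under an account other than the denied one, with rights to read and change the ACLs.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Principal;

public static class FolderDenyExample // hypothetical class name, not from the thread
{
    // Deny ACE inherited by subfolders (ContainerInherit) and by files (ObjectInherit).
    public static void DenyFolderAndFiles(string folder, string account, FileSystemRights rights)
    {
        var dInfo = new DirectoryInfo(folder);
        DirectorySecurity dSecurity = dInfo.GetAccessControl();
        dSecurity.AddAccessRule(new FileSystemAccessRule(
            account, rights,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None, AccessControlType.Deny));
        dInfo.SetAccessControl(dSecurity);
    }

    // Returns files below 'folder' whose ACL has no Deny ACE for 'account' covering
    // 'rights', e.g. files whose ACL is protected from inheritance.
    public static string[] FilesWithoutDeny(string folder, string account, FileSystemRights rights)
    {
        var sid = new NTAccount(account).Translate(typeof(SecurityIdentifier));
        return Directory.EnumerateFiles(folder, "*", SearchOption.AllDirectories)
            .Where(path => !HasDeny(path, sid, rights))
            .ToArray();
    }

    private static bool HasDeny(string path, IdentityReference sid, FileSystemRights rights)
    {
        return new FileInfo(path).GetAccessControl()
            .GetAccessRules(true, true, typeof(SecurityIdentifier)) // explicit + inherited ACEs
            .Cast<FileSystemAccessRule>()
            .Any(r => r.AccessControlType == AccessControlType.Deny
                   && r.IdentityReference.Equals(sid)
                   && (r.FileSystemRights & rights) == rights);
    }

    public static void Main(string[] args)
    {
        string folder = args.Length > 0 ? args[0] : @"C:\Temp\DenyDemo"; // constructed sample path
        string account = args.Length > 1 ? args[1] : @"MYPC\testuser";   // constructed sample account
        DenyFolderAndFiles(folder, account, FileSystemRights.FullControl);
        foreach (string path in FilesWithoutDeny(folder, account, FileSystemRights.FullControl))
            Console.WriteLine("No Deny ACE for " + account + ": " + path);
    }
}
```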