授予NTFS权限时丢失的继承权限

Question

我试图为特定用户的UNC路径授予NTFS权限,但我看到不同的行为取决于UNC路径.下面是我用来赋予权限的代码(来自MSDN)以及每个场景中的结果,

static void GiveNTFSPermissions(string folderPath, 
                                string ntAccountName, 
                                FileSystemRights accessRights)
{
    DirectorySecurity dirSecurity = Directory.GetAccessControl(folderPath);

    FileSystemAccessRule newAccessRule =
         new FileSystemAccessRule(
               ntAccountName,
               accessRights,
               AccessControlType.Allow);

    dirSecurity.AddAccessRule(newAccessRule);

    Directory.SetAccessControl(folderPath, dirSecurity);
}

假设我的本地计算机上有一个名为" RootShare " 的共享,并且其中有另一个文件夹" InsideRootShare ".

场景1: 当我打电话时,

GiveNTFSPermissions(@"\\sri-devpc\RootShare",
                    @"domain\username",
                    FileSystemRights.Write);

共享路径上丢失了继承的权限,

场景2: 当我打电话时

GiveNTFSPermissions(@"\\sri-devpc\RootShare\InsideRootShare", 
                    @"domain\username", 
                    FileSystemRights.Write);

继承的权限完好无损.

我试过不同的构造者,FileSystemAccessRule但没有运气.

这种行为背后的原因是什么,以及针对此的任何解决方法？

Answer 1

在使用Dropkick的安全模块时,我们遇到了处理文件系统权限的类似问题.我们提出的解决方案如下.这将成功设置任何文件夹的权限,而无需更改文件夹上的继承规则.

    public void SetFileSystemRights(string target, string group, FileSystemRights permission)
    {
        if (!IsDirectory(target) && !IsFile(target))
            return;

        var oldSecurity = Directory.GetAccessControl(target);
        var newSecurity = new DirectorySecurity();

        newSecurity.SetSecurityDescriptorBinaryForm(oldSecurity.GetSecurityDescriptorBinaryForm());

        var accessRule = new FileSystemAccessRule(group,
                                                  permission,
                                                  InheritanceFlags.None,
                                                  PropagationFlags.NoPropagateInherit,
                                                  AccessControlType.Allow);
        bool result;
        newSecurity.ModifyAccessRule(AccessControlModification.Set, accessRule, out result);

        if (!result) Log.AddError("Something wrong happened");

        accessRule = new FileSystemAccessRule(group,
                                              permission,
                                              InheritanceFlags.ContainerInherit |
                                              InheritanceFlags.ObjectInherit,
                                              PropagationFlags.InheritOnly,
                                              AccessControlType.Allow);

        result = false;
        newSecurity.ModifyAccessRule(AccessControlModification.Add, accessRule, out result);
        if (!result) Log.AddError("Something wrong happened");

        Directory.SetAccessControl(target, newSecurity);

        if (result) Log.AddGood("Permissions set for '{0}' on folder '{1}'", group, target);

        if (!result) Log.AddError("Something wrong happened");
    }

找到了我最初用来解决这个问题的链接.