ACL in ASP.NET

Published 22 December 03 10:40 AM | despos

Suppose you need to set the ACL of a file programmatically from a .NET application. For example, you want to make sure that a certain XML file deployed with your new ASP.NET application can be edited by the ASPNET account (or NETWORK SERVICE on Windows Server 2003, or any other particular user). In most cases, the administrator will be more than happy (so to speak...) to take care of it and change the ACL for you.

However, should you need to accomplish that task programmatically, be ready for some bad news and some good news. The bad news is that you must resort to Win32 API calls, in particular to the SetNamedSecurityInfo function in advapi32.dll. Neither version 1.0 of the Framework nor 1.1 provides a managed API for system security, and at the time of writing it is not clear that Whidbey will either. (Update from the comments below: Whidbey does add one, in the System.Security.AccessControl namespace.)

The good news is that you don't have to start from scratch. In the end, you either write a managed (P/Invoke) wrapper for the API (sample code is available at http://www.gotdotnet.com/team/csharp/code/default.aspx) or resort to an extremely handy tool that ships with the operating system: cacls.exe.
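As an added example (it is not the gotdotnet sample and not code from the original post), here is a minimal managed wrapper in C# around the advapi32.dll calls the paragraph refers to. It reads the file's current DACL with GetNamedSecurityInfo, merges one grant entry into it with SetEntriesInAcl and writes the result back with SetNamedSecurityInfo, so it edits the ACL rather than replacing it. The account name and the path come from the command line; the class and method names are mine, and the constants are the winnt.h/accctrl.h values.

```csharp
// Added example: minimal managed wrapper around the Win32 ACL editing
// functions in advapi32.dll. Written for this page; not the gotdotnet
// sample. Assumes Windows 2000 or later and a caller that is allowed to
// change the file's permissions (its owner, or typically an administrator).
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public sealed class FileAclEditor
{
    // Win32 constants (winnt.h / accctrl.h)
    const int SE_FILE_OBJECT = 1;                    // SE_OBJECT_TYPE: files and directories
    const uint DACL_SECURITY_INFORMATION = 0x4;      // only touch the DACL
    const uint ERROR_SUCCESS = 0;

    // Access masks. FILE_GENERIC_WRITE lets the account modify the file;
    // GENERIC_ALL is the "F" of cacls and also allows changing the ACL itself.
    public const uint FILE_GENERIC_READ   = 0x00120089;
    public const uint FILE_GENERIC_WRITE  = 0x00120116;
    public const uint GENERIC_ALL         = 0x10000000;

    // Inheritance flags; only meaningful when the object is a directory.
    public const uint NO_INHERITANCE        = 0x0;
    public const uint OBJECT_INHERIT_ACE    = 0x1;
    public const uint CONTAINER_INHERIT_ACE = 0x2;

    enum ACCESS_MODE  { NOT_USED_ACCESS = 0, GRANT_ACCESS = 1, SET_ACCESS = 2, DENY_ACCESS = 3, REVOKE_ACCESS = 4 }
    enum TRUSTEE_FORM { TRUSTEE_IS_SID = 0, TRUSTEE_IS_NAME = 1 }
    enum TRUSTEE_TYPE { TRUSTEE_IS_UNKNOWN = 0, TRUSTEE_IS_USER = 1, TRUSTEE_IS_GROUP = 2 }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
    struct TRUSTEE
    {
        public IntPtr pMultipleTrustee;
        public int MultipleTrusteeOperation;         // NO_MULTIPLE_TRUSTEE = 0
        public TRUSTEE_FORM TrusteeForm;
        public TRUSTEE_TYPE TrusteeType;
        public string ptstrName;                     // account name when TrusteeForm == TRUSTEE_IS_NAME
    }

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
    struct EXPLICIT_ACCESS
    {
        public uint grfAccessPermissions;
        public ACCESS_MODE grfAccessMode;
        public uint grfInheritance;
        public TRUSTEE Trustee;
    }

    [DllImport("advapi32.dll", CharSet = CharSet.Auto)]
    static extern uint GetNamedSecurityInfo(string pObjectName, int ObjectType, uint SecurityInfo,
        out IntPtr pSidOwner, out IntPtr pSidGroup, out IntPtr pDacl, out IntPtr pSacl,
        out IntPtr pSecurityDescriptor);

    [DllImport("advapi32.dll", CharSet = CharSet.Auto)]
    static extern uint SetEntriesInAcl(int cCountOfExplicitEntries, ref EXPLICIT_ACCESS pListOfExplicitEntries,
        IntPtr OldAcl, out IntPtr NewAcl);

    [DllImport("advapi32.dll", CharSet = CharSet.Auto)]
    static extern uint SetNamedSecurityInfo(string pObjectName, int ObjectType, uint SecurityInfo,
        IntPtr psidOwner, IntPtr psidGroup, IntPtr pDacl, IntPtr pSacl);

    [DllImport("kernel32.dll")]
    static extern IntPtr LocalFree(IntPtr hMem);

    // Merge one "grant" entry for `account` into the existing DACL of `path`:
    // the equivalent of "cacls path /E /G account:perm", not of a replace.
    public static void Grant(string path, string account, uint accessMask, uint inheritance)
    {
        IntPtr owner, group, oldDacl, sacl, sd;
        uint rc = GetNamedSecurityInfo(path, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
                                       out owner, out group, out oldDacl, out sacl, out sd);
        if (rc != ERROR_SUCCESS) throw new Win32Exception((int)rc);

        IntPtr newDacl = IntPtr.Zero;
        try
        {
            EXPLICIT_ACCESS ea = new EXPLICIT_ACCESS();
            ea.grfAccessPermissions = accessMask;
            ea.grfAccessMode = ACCESS_MODE.GRANT_ACCESS;
            ea.grfInheritance = inheritance;
            ea.Trustee.TrusteeForm = TRUSTEE_FORM.TRUSTEE_IS_NAME;
            ea.Trustee.TrusteeType = TRUSTEE_TYPE.TRUSTEE_IS_USER;
            ea.Trustee.ptstrName = account;          // e.g. "ASPNET" or @"NT AUTHORITY\NETWORK SERVICE"

            // Copies oldDacl and adds (or merges into) the entry for `account`.
            rc = SetEntriesInAcl(1, ref ea, oldDacl, out newDacl);
            if (rc != ERROR_SUCCESS) throw new Win32Exception((int)rc);

            // Only DACL_SECURITY_INFORMATION is set, so owner, group and SACL stay as they are.
            rc = SetNamedSecurityInfo(path, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
                                      IntPtr.Zero, IntPtr.Zero, newDacl, IntPtr.Zero);
            if (rc != ERROR_SUCCESS) throw new Win32Exception((int)rc);
        }
        finally
        {
            // Both buffers are LocalAlloc'd by the API and must be freed by the caller.
            // oldDacl points inside sd and must not be freed separately.
            if (newDacl != IntPtr.Zero) LocalFree(newDacl);
            if (sd != IntPtr.Zero) LocalFree(sd);
        }
    }

    static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: FileAclEditor <path> <account>");
            return 1;
        }
        // Read + write is what a file the application edits needs; GENERIC_ALL would be cacls' F.
        Grant(args[0], args[1], FILE_GENERIC_READ | FILE_GENERIC_WRITE, NO_INHERITANCE);
        return 0;
    }
}
```

Compile it into a console executable and run it from an administrator's command prompt, for instance (hypothetical path) FileAclEditor.exe "C:\Inetpub\wwwroot\MyApp\settings.xml" ASPNET. For a folder in which the application will create files, pass OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE as the inheritance so that new files underneath inherit the entry.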

cacls.exe [resource] /E /G [user_account]:F

The /E switch indicates that you want to edit the existing ACL rather than replace it; without /E, cacls discards every existing entry and the account you name becomes the only one with access. The /G switch grants the named account the specified permission (note that there is no colon after /G; the colon separates the account from the permission). If that account already has an entry in the ACL, the existing entry is modified. F stands for full control. Be aware that full control also lets the account change the file's permissions and owner, which an application that only needs to write the file has no use for: C (change, i.e. read, write and delete) is usually enough, and R is enough for a file the application only reads.

This is exactly what ASP.NET applications need for a smooth setup when they deploy writable files. The best way to integrate it with the setup is to define a custom action in the Visual Studio .NET setup project and run that command line from it. Keep in mind that the account running the setup must itself be allowed to change the file's permissions (the file's owner, or in practice an administrator); otherwise cacls fails and the custom action should fail the install rather than silently leave the application unable to write.
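The custom action itself, as an added example written for this page (it is not the setup code of ASP.NET, nor code from the original post): a class library with an Installer-derived class that you add as the setup project's Install custom action. It assumes the setup project passes the install folder through the custom action's CustomActionData property as /targetdir="[TARGETDIR]\", a hypothetical writable file named settings.xml, and chooses the worker-process account by OS version; the class and method names are mine. cacls.exe lives in the system directory, so nothing extra has to ship with the project.

```csharp
// Added example: a VS.NET setup-project custom action that runs cacls.exe to
// grant the ASP.NET worker account Change access to one deployed file.
// Assumes CustomActionData = /targetdir="[TARGETDIR]\" on the custom action.
using System;
using System.Collections;
using System.ComponentModel;
using System.Configuration.Install;
using System.Diagnostics;
using System.IO;

[RunInstaller(true)]
public class GrantWorkerAccessAction : Installer
{
    // Hypothetical name of the writable file the application deploys.
    const string WritableFile = "settings.xml";

    public override void Install(IDictionary stateSaver)
    {
        base.Install(stateSaver);

        string targetDir = Context.Parameters["targetdir"];
        if (targetDir == null || targetDir.Length == 0)
            throw new InstallException("CustomActionData must pass /targetdir=\"[TARGETDIR]\\\"");

        string path = Path.Combine(targetDir, WritableFile);
        if (!File.Exists(path))
            throw new InstallException("Deployed file not found: " + path);

        // Change (C) lets the account read, write and delete the file; Full
        // control (F) would also let it rewrite the file's own ACL.
        RunCacls(path, WorkerProcessAccount(), "C");
    }

    // ASP.NET runs as ASPNET on Windows 2000/XP (IIS 5.x) and as NETWORK SERVICE
    // under IIS 6 on Windows Server 2003 (version 5.2), unless the application
    // pool identity has been changed, in which case adjust this.
    public static string WorkerProcessAccount()
    {
        Version v = Environment.OSVersion.Version;
        bool isServer2003OrLater = v.Major > 5 || (v.Major == 5 && v.Minor >= 2);
        return isServer2003OrLater ? @"NT AUTHORITY\NETWORK SERVICE" : "ASPNET";
    }

    // Builds the argument string for:  cacls "path" /E /G "account":perm
    // /E edits the existing ACL instead of replacing it; a replace would also
    // prompt "Are you sure (Y/N)?" on the console, which a setup cannot answer.
    // Both the path and the account are quoted because either may contain
    // spaces ("NT AUTHORITY\NETWORK SERVICE", "C:\Program Files\...").
    public static string BuildArguments(string path, string account, string perm)
    {
        return "\"" + path + "\" /E /G \"" + account + "\":" + perm;
    }

    static void RunCacls(string path, string account, string perm)
    {
        ProcessStartInfo psi = new ProcessStartInfo(
            Path.Combine(Environment.SystemDirectory, "cacls.exe"),
            BuildArguments(path, account, perm));
        psi.UseShellExecute = false;
        psi.CreateNoWindow = true;
        psi.RedirectStandardOutput = true;
        psi.RedirectStandardError = true;

        using (Process p = Process.Start(psi))
        {
            // cacls prints a line or two at most, so reading both streams in
            // sequence cannot fill a pipe and block.
            string output = p.StandardOutput.ReadToEnd() + p.StandardError.ReadToEnd();
            p.WaitForExit();
            // A non-zero exit code (unknown account, access denied because the
            // installer is not an administrator) must fail the install instead
            // of leaving the application unable to write its file.
            if (p.ExitCode != 0)
                throw new InstallException("cacls failed (exit code " + p.ExitCode + "): " + output);
        }
    }
}
```

Add the compiled assembly to the setup project's Install node under Custom Actions and set its CustomActionData to /targetdir="[TARGETDIR]\" (the trailing backslash keeps the closing quote from being swallowed). If the target folder must later hold files the application creates, apply the same grant to the folder instead and let the entries inherit.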

PS1: I was told that the setup of ASP.NET itself uses this trick
PS2: cacls.exe is pronounced "cackles"

Cackles is vaguely similar to an Italian word that indicates the delicate art of keeping the nose clean. What do security API and snot have in common? When you're done with both, you definitely feel better :-)

Comments

# G. Andrew Duthie said on December 22, 2003 09:49 AM:

Security and snot...what a *delicate* description. ;-)

Definitely worth a chuckle (not to be confused with a cacls).

# Marcus McConnell said on December 22, 2003 10:24 AM:

Cacls.exe works great when you're deploying to a local machine or one that you've got privileges to run command line programs on but... What mechanism, other than an administrator, could you use when deploying a site over FTP?

# DinoE said on December 22, 2003 01:11 PM:

>Cacls.exe works great when you're deploying to a local machine or one
>that you've got privileges to run command line programs on but...
>What mechanism, other than an administrator, could you use when
>deploying a site over FTP?

Good point. I've never personally faced FTP deployment. Sorry...

The only trick that sounds reliable in this case is resorting to the Win32 API: arrange a custom action within the MSI and go. But if you're only allowed to copy files I'm afraid you can't do much more than ask the sysadmin to do that for you.

Again, I'm not the Win32 security API super-expert, but I don't think that ACLs get copied from machine to machine and over FTP. But even if they could, what if you need to grant that permission to a folder for the app to create dynamic files?

As far as I know, though, in the real world admins normally allow for a writable folder pre-configured for the running version of ASP.NET. In this case, you just drop any writable files there. Admittedly, this solves the problem only if you need to enable ASP.NET to write/edit a file; not if you need an ACL for certain users.

The more I think, the more I feel confident that asking is the only *safe* way to go.

Am I wrong?



# Rick Strahl said on December 22, 2003 06:23 PM:

Funny you bring this up. I researched this a few weeks ago as well and ended up doing exactly this - adding a call to Cacls from the post setup configurable (which does things like create the virtuals and customize the initial Web.Config).

The only problem with this is always that the user has to have rights to use the tool in the first place (I think it's admin rights).

I see this more useful for the situation where you distribute an app. You need some way to automate the setup so that the user doesn't have to create virtuals and set permissions. As part of this step you need to set the ACL to allow anonymous access. You also might need to set rights for the Admin directory allowing only special users into that dir.

You definitely want to prompt users before making these changes automatically, but of course you *could* do it automatically which is kind of a scary thought.

# John Lam said on January 8, 2004 03:56 PM:

There's a new API for managing ACL's in Whidbey. Look in System.Security.AccessControl.

# Raul Rojas said on February 9, 2004 11:10 PM:

for existing apps. there is access via WMI. it works; it's not pretty, but it works.

# alex said on February 12, 2004 03:40 PM:

>Cackles is vaguely similar to an Italian word that indicates the delicate art of
> keeping the nose clean.

Adding to this - in Russian it resembles a much more delicate art...

# RichB said on March 24, 2004 05:18 AM:

Google and blogs are fantastic for solving coding issues quickly!

cacls.exe [resource] /E /G: [user_account]:F

should be

cacls.exe [resource] /E /G [user_account]:F

(no colon after the /G)

# Vlastimil Vajnorak said on April 13, 2004 05:28 PM:

Please look at the commercial component BlackBytes Security for .NET, which covers Win32 security completely: ACLs, ACEs and so on...

# Scott M said on July 29, 2004 11:46 PM:

I'm not sure if anyone will still read this blog but... how do you add the cacls.exe call to the custom action? What context is the call to cacls in, the web application folder? Or do you include cacls.exe as part of your project and call it? I'm a little lost with "...defining a custom action on the Visual Studio .NET setup project and use that command line for it."

Any hints on this one? Thanks to anyone in advance for the help!!!

Scott
