SlavoF's WebLog

A Humble Addition to .NET Weblogsphere

How to set NTFS permissions from managed code, or a little confusion about security

Well, after a few non-programming postings, here is something for a change.

In the past two weeks I independently ran into the same problem twice. First I was asked by a friend of mine, who was trying to write an ASP.NET web app whose goal was to automate the process of creating an FTP site, creating a few subdirectories there, copying some files, setting NTFS permissions, and then sending a notification that it is done. You know, the user fills in a form, presses a button, things get done, the user gets an email, and everybody is happy. He figured out how to work with files, how to use System.DirectoryServices to manipulate IIS5, how to send email, and how to set up the .config file appropriately, but then he got stuck on setting file permissions.

A few days later, I found a similar question on the local Czech/Slovak .NET programming mailing list.

The actual problem was that those people tried to set NTFS permissions using classes that are meant for manipulating Code Access Security (CAS) permissions in the CLR (i.e. classes from the System.Security, System.Security.*, and System.Web.Security namespaces), and this, of course, does not work.

It does not work for two reasons.

First, CAS and native Windows security are different things, and they work completely independently. Maybe the source of this confusion is that some actions, such as accessing a file, are covered by both security infrastructures. First come the CLR's evidence-based (and maybe also role-based) security tests of whether the managed code is permitted to perform the requested operation. These tests are done by the CLR infrastructure. Then, if these tests pass, Windows itself checks whether the account under which the code is running is permitted to perform the requested operation. These tests are done by the operating system. To complete a given operation successfully, the code must pass both sets of tests.

And second (maybe obviously), classes from the System.Security, System.Security.*, and System.Web.Security namespaces are in general designed for manipulating the CLR security infrastructure (either CAS or role-based security) and can't be used to manipulate the native Windows security infrastructure directly.

However, even after clearing this up, the original question of how to manipulate NTFS permissions from managed code remains unanswered. So, how to do this?

Well, there are a few options. One is to use Platform Invoke to call the Win32 APIs and deal with variable-length SIDs and ACE structures. You can probably do anything that is possible with this approach, but it is the rather hard way. A similar approach is to write an unmanaged code library and access it through interop services from managed code.

Another option is to use WMI via the System.Management classes. You can see some code for this (from Willy Denoyette's posting to one of the MS newsgroups) here.
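A sketch of the WMI route, added here as an example (it is not Willy Denoyette's code and not from the original post): it grants one account read-and-execute on a directory through `Win32_LogicalFileSecuritySetting`. The class and method names and the command-line arguments are hypothetical, and the code assumes WMI resolves the trustee from its domain and account name.

```csharp
using System;
using System.Collections;
using System.Management;            // add a reference to System.Management.dll

class GrantReadViaWmi               // hypothetical name; added example
{
    const uint ReadAndExecute    = 0x1200A9; // FILE_GENERIC_READ | FILE_GENERIC_EXECUTE
    const uint InheritToChildren = 0x3;      // OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
    const uint InheritedAce      = 0x10;     // INHERITED_ACE

    static void Grant(string dir, string domain, string account)
    {
        // WMI object paths need every backslash doubled. The OS still decides
        // whether the calling account may rewrite this DACL at all.
        ManagementObject lfs = new ManagementObject(
            "Win32_LogicalFileSecuritySetting.Path='" + dir.Replace(@"\", @"\\") + "'");
        ManagementBaseObject got = lfs.InvokeMethod("GetSecurityDescriptor", null, null);
        Check(got, "GetSecurityDescriptor");
        ManagementBaseObject sd = (ManagementBaseObject)got["Descriptor"];
        ManagementBaseObject[] old = (ManagementBaseObject[])sd["DACL"];
        // A missing DACL means unrestricted access; adding one ACE would lock others out.
        if (old == null) throw new InvalidOperationException("Directory has no DACL");

        // Assumption: WMI resolves the trustee from Domain + Name (no SID supplied).
        ManagementBaseObject trustee = new ManagementClass("Win32_Trustee").CreateInstance();
        trustee["Domain"] = domain;
        trustee["Name"] = account;
        ManagementBaseObject ace = new ManagementClass("Win32_ACE").CreateInstance();
        ace["AceType"] = 0u;                 // 0 = access allowed
        ace["AccessMask"] = ReadAndExecute;  // least privilege, not full control
        ace["AceFlags"] = InheritToChildren;
        ace["Trustee"] = trustee;

        // Keep canonical order: explicit ACEs first, inherited ACEs after them.
        ArrayList dacl = new ArrayList(old);
        int at = 0;
        while (at < dacl.Count &&
               ((uint)((ManagementBaseObject)dacl[at])["AceFlags"] & InheritedAce) == 0)
            at++;
        dacl.Insert(at, ace);
        sd["DACL"] = dacl.ToArray(typeof(ManagementBaseObject));

        ManagementBaseObject args = lfs.GetMethodParameters("SetSecurityDescriptor");
        args["Descriptor"] = sd;
        Check(lfs.InvokeMethod("SetSecurityDescriptor", args, null), "SetSecurityDescriptor");
    }
    static void Check(ManagementBaseObject result, string method)
    {
        if ((uint)result["ReturnValue"] != 0)   // non-zero = WMI refused or failed
            throw new InvalidOperationException(method + " returned " + result["ReturnValue"]);
    }
    static void Main(string[] a) { Grant(a[0], a[1], a[2]); } // dir, domain, account
}
```

The new allow ACE is placed after any explicit ACEs already present, so existing explicit deny entries keep taking precedence over it.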

And there is also a very nice piece of code called "NT Security Classes for .NET", written by David Hall. Of course, there may also be other libraries that one can get and use for this.

By the way, this last-mentioned "NT Security Classes for .NET" library is written in Managed C++, which makes me rethink (together with Sam Gentile's excellent Managed C++ article, Introduction to Managed C++, on the O'Reilly OnDotNet.com website) whether I shouldn't give Managed C++ another chance.

Comments

Riso Rafaj said:

Hi,

where can I find a way to subscribe to that list? I would be interested...

# February 6, 2003 5:18 AM

Slavomir Furman said:

Hi!

I meant EMWAC - VS.NET list/VSNET-L@LIST.EMWAC.CZ.
Info is at: http://www.emwac.cz/news/default.asp

Enjoy!
Slavo.
# February 6, 2003 9:39 AM

fmj said:

But how can I create a website, not a virtual directory, using System.DirectoryServices? If you know, can you mail me? Many thanks.
# November 14, 2003 4:24 AM