c# - 文件权限不继承目录权限

Question

我有一个程序可以为用户输出创建一个安全目录。这工作正常，但我在其中创建(或复制到其中)的文件最终只有管理员访问权限。

 DirectoryInfo outputDirectory =
            baseOutputDirectory.CreateSubdirectory(outputDirectoryName,
            GetDirectorySecurity(searchHits.Request.UserId));

 ...

private DirectorySecurity GetDirectorySecurity(string owner)
{
    const string LOG_SOURCE = "GetDirectorySecurity";
    DirectorySecurity ds = new DirectorySecurity();

    System.Security.Principal.NTAccount ownerAccount = 
        new System.Security.Principal.NTAccount(owner);

    ds.SetOwner(ownerAccount);

    ds.AddAccessRule(
        new FileSystemAccessRule(owner, 
        FileSystemRights.FullControl,
        AccessControlType.Allow));

    //AdminUsers is a List<string> that contains a list from configuration
    //  That represents the admins who should be allowed
    foreach (string adminUser in AdminUsers)
    {
        ds.AddAccessRule(
            new FileSystemAccessRule(adminUser,
            FileSystemRights.FullControl,
            AccessControlType.Allow));
    }
    return ds;
}

/// <summary>
/// This method copies any static supporting files, such as javascripts
/// </summary>
/// <param name="outputDirectory"></param>
private void CopySupportingFiles(DirectoryInfo outputDirectory)
{
    foreach (FileInfo file in SupportingFiles)
    {
        file.CopyTo(
            Path.Combine(outputDirectory.FullName, file.Name));
    }
}

等等等等

我做错了什么？为什么权限不级联？

Answer 1

看起来你应该在设置 DirectorySecurity 时设置 InheritanceFlags 和 PropagationFlags(我相信它会覆盖你手动设置的任何内容).

private DirectorySecurity GetDirectorySecurity(string owner)
{
    const string LOG_SOURCE = "GetDirectorySecurity";
    DirectorySecurity ds = new DirectorySecurity();

    System.Security.Principal.NTAccount ownerAccount =
        new System.Security.Principal.NTAccount(owner);

    ds.SetOwner(ownerAccount);

    ds.AddAccessRule(
        new FileSystemAccessRule(owner,
        FileSystemRights.FullControl,
        InheritanceFlags.ObjectInherit, 
        PropagationFlags.InheritOnly,
        AccessControlType.Allow));

    //AdminUsers is a List<string> that contains a list from configuration
    //  That represents the admins who should be allowed
    foreach (string adminUser in AdminUsers)
    {
        ds.AddAccessRule(
            new FileSystemAccessRule(adminUser,
            FileSystemRights.FullControl,
            InheritanceFlags.ObjectInherit,
            PropagationFlags.InheritOnly,
            AccessControlType.Allow));
    }
    return ds;
}