Creating Security Descriptors for MOSS 2007 Managed Protocol Handlers
Long ago (July 2006) I posted an article entitled Creating Security Descriptors for SPS 2003 Managed Protocol Handlers, which was supplemental to my original version of the SPS 2003 Managed Protocol, explaining how to build a Win32 security descriptor using a GotDotNet library called “Microsoft.Win32.Security”. The bad news is that this library is no longer available; the good news is that you don’t need it, because support for building security descriptors has been built into the .NET Framework since v2.0. Unfortunately v2.0 was released in January of 2006, which was after all the work I had done building the sample.
Since then several of you have reached out to me and I’ve guided you individually to the System.Security.AccessControl namespace where goodies such as the CommonSecurityDescriptor class can be found, leaving the exercise of figuring out the precise classes, methods and properties to substitute up to the curious and motivated (sorry). In October of 2008 Chris Givens of Architecting Connected Systems was nice enough to send me his adaptation of my original SecurityDescriptor.cs file using the new managed classes (thanks Chris). Here is a peek at the important snippets from that code:
Class members (the snippets need using System.Security.AccessControl; and using System.Security.Principal;):
// The descriptor handed back to the indexer, and the DACL embedded in it.
CommonSecurityDescriptor csd;
DiscretionaryAcl dacl;
GetBuffer:
// Serialize the descriptor into the self-relative binary form the protocol handler returns.
byte[] buffer = new byte[csd.BinaryLength];
csd.GetBinaryForm(buffer, 0);
return buffer;
LoadSecurity:
// Populate the DACL before constructing the descriptor so that this DACL is the one
// embedded in it. If dacl is still null here, the constructor synthesizes a DACL that
// grants Everyone full control, and the ACEs added later never reach the descriptor.
AddUsers(users);
SecurityIdentifier LocalAdminGroup = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
csd = new CommonSecurityDescriptor(false, false, ControlFlags.DiscretionaryAclPresent, LocalAdminGroup, null, null, dacl);
SetOwner(owner);
SetOwner:
// Resolve the account name (DOMAIN\user) to a SID and make it the descriptor's owner.
NTAccount acct = new NTAccount(sOwnerLoginName);
SecurityIdentifier sid = (SecurityIdentifier)acct.Translate(typeof(SecurityIdentifier));
csd.Owner = sid;
AddUsers:
// Create an empty non-container, non-directory-service DACL with room for 100 ACEs and
// add one Allow ACE per user granting only the read rights the crawler needs.
dacl = new DiscretionaryAcl(false, false, 100);
foreach (string user in users)
{
    NTAccount acct = new NTAccount(user);
    SecurityIdentifier sid = (SecurityIdentifier)acct.Translate(typeof(SecurityIdentifier));
    dacl.AddAccess(AccessControlType.Allow, sid, (int)(FileSystemRights.ReadData | FileSystemRights.ReadAttributes), InheritanceFlags.None, PropagationFlags.None);
}
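As an added check that is not part of the original post or of Chris's file: the following C# program builds a descriptor the same way the snippets above do, but uses well-known SIDs instead of NTAccount lookups so it runs without a domain, and then parses the returned bytes back with RawSecurityDescriptor to confirm the DACL holds only Allow ACEs for the intended principals with no more than the read rights granted. It also creates a descriptor with a null DACL, which is what you get if the descriptor is constructed before the DACL is populated, to show why the ordering matters. The names DescriptorCheck, BuildDescriptor, Verify and ReadMask are my own.

```csharp
using System;
using System.Collections.Generic;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example; not code from the original post or the MOSS protocol handler sample.
class DescriptorCheck
{
    // Access mask granted to each crawling principal (assumed to match the snippets above).
    const int ReadMask = (int)(FileSystemRights.ReadData | FileSystemRights.ReadAttributes);

    // Build a self-relative security descriptor granting ReadMask to each reader SID.
    static byte[] BuildDescriptor(SecurityIdentifier owner, IEnumerable<SecurityIdentifier> readers)
    {
        DiscretionaryAcl dacl = new DiscretionaryAcl(false, false, 8);
        foreach (SecurityIdentifier sid in readers)
        {
            dacl.AddAccess(AccessControlType.Allow, sid, ReadMask, InheritanceFlags.None, PropagationFlags.None);
        }
        // The DACL is passed in fully populated. A null DACL here would make the
        // constructor synthesize one that grants Everyone full control.
        CommonSecurityDescriptor csd = new CommonSecurityDescriptor(
            false, false, ControlFlags.DiscretionaryAclPresent, owner, null, null, dacl);
        byte[] buffer = new byte[csd.BinaryLength];
        csd.GetBinaryForm(buffer, 0);
        return buffer;
    }

    // Parse the binary form back and verify that every ACE is an Allow ACE for one of the
    // expected SIDs with at most ReadMask, and that Everyone (S-1-1-0) never appears.
    static bool Verify(byte[] buffer, List<SecurityIdentifier> expected, out string sddl)
    {
        RawSecurityDescriptor raw = new RawSecurityDescriptor(buffer, 0);
        sddl = raw.GetSddlForm(AccessControlSections.All);
        if (raw.DiscretionaryAcl == null) return false;           // null DACL: no protection at all
        int aceCount = 0;
        foreach (GenericAce ace in raw.DiscretionaryAcl)
        {
            CommonAce common = ace as CommonAce;
            if (common == null) return false;                     // unexpected ACE type
            if (common.AceType != AceType.AccessAllowed) return false;
            if (common.SecurityIdentifier.IsWellKnown(WellKnownSidType.WorldSid)) return false;
            if (!expected.Contains(common.SecurityIdentifier)) return false;
            if ((common.AccessMask & ~ReadMask) != 0) return false; // more than read access
            aceCount++;
        }
        return aceCount == expected.Count;
    }

    static void Main()
    {
        SecurityIdentifier admins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
        // Constructed sample principals: local Administrators and Authenticated Users.
        List<SecurityIdentifier> readers = new List<SecurityIdentifier>();
        readers.Add(admins);
        readers.Add(new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null));

        string sddl;
        byte[] good = BuildDescriptor(admins, readers);
        Console.WriteLine("populated DACL: ok={0} sddl={1}", Verify(good, readers, out sddl), sddl);

        // Reproduce the pitfall: descriptor created with a null DACL, as happens when the
        // descriptor is constructed before AddUsers has run.
        CommonSecurityDescriptor bad = new CommonSecurityDescriptor(
            false, false, ControlFlags.DiscretionaryAclPresent, admins, null, null, null);
        byte[] badBytes = new byte[bad.BinaryLength];
        bad.GetBinaryForm(badBytes, 0);
        Console.WriteLine("null DACL:      ok={0} sddl={1}", Verify(badBytes, readers, out sddl), sddl);
    }
}
```

Running it prints the SDDL for both descriptors: the first verifies as ok and lists only the two Allow ACEs, while the second fails verification and its SDDL shows an ACE for Everyone (WD), which is exactly what an indexer would honour if the DACL were built after the descriptor.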
UPDATE: I have revised my sample to include the code necessary to create and return a security descriptor based on the new .NET Framework 2.0 classes. Check it out here and download the code: http://mossph.codeplex.com/Release/ProjectReleases.aspx?ReleaseId=24456
-John