PowerShell Remoting Project Home

Tuesday, January 03, 2006

Play with ACL in MSH (continued)

/\/\o\/\/ kindly replied to my blog entry “Play with ACL in MSH”. In his blog entry “Adding a Simple AccesRule to a file ACL in MSH”, he found a shortcut to create an instance of “System.Security.AccessControl.FileSystemAccessRule”. Great job! But things can get even better!

1. You usually want to add an access rule without overwriting the existing ones, so the AddAccessRule() method is better than the SetAccessRule() method. If you are granting FullControl to exactly the same user, the two behave the same. But what if you want to apply a more complex privilege? For example: Read + Write but not Delete.

2. The get-acl cmdlet returns different objects:
For a file, it returns “System.Security.AccessControl.FileSecurity”;
For a directory, it returns “System.Security.AccessControl.DirectorySecurity”.
Luckily, both objects have AddAccessRule() and RemoveAccessRule() methods. Even better, both methods take a “System.Security.AccessControl.FileSystemAccessRule” as their parameter. So we can set the access control of a file or a directory with one simple script.

# AddRemove-AccessRule.MSH
# Add or remove a simple access rule on a file/directory
# using text parameters
#
# originally written by /\/\o\/\/ 2006
# http://mow001.blogspot.com
#
# modified by tony 2006
# http://mshforfun.blogspot.com
#
# Usage: AddRemove-AccessRule FileOrDirectory User (Action) Rights (Access)
# Action: Add / Remove (default Add)
# Rights: ListDirectory / ReadData / WriteData / CreateFiles /
# CreateDirectories / AppendData / ReadExtendedAttributes /
# WriteExtendedAttributes / Traverse / ExecuteFile /
# DeleteSubdirectoriesAndFiles / ReadAttributes / WriteAttributes / Write /
# Delete / ReadPermissions / Read / ReadAndExecute / Modify /
# ChangePermissions / TakeOwnership / Synchronize / FullControl
# (FileSystemRights is a flags enum, so several may be combined: "Read, Write")
# Access: Allow / Deny (default Allow)

Param (
$FileDir,
$User,
$Action = "Add",
[System.Security.AccessControl.FileSystemRights] $Rights,
[System.Security.AccessControl.AccessControlType] $Access = "Allow"
)

# Stop the script on the first error instead of continuing with a half-applied change.
trap{Break}

# Works for both FileSecurity (file) and DirectorySecurity (directory).
$AccessControl = get-acl $FileDir

$AccessRule = new-object System.Security.AccessControl.FileSystemAccessRule($User,$Rights,$Access)

# Check that the given user is valid; Translate() throws (and the trap breaks the script) if not.
$Sid = $AccessRule.IdentityReference.Translate([System.Security.Principal.securityidentifier])

resolve-path $FileDir

"=============================================================="
"Before changes"
$AccessControl.AccessToString

if ($Action.ToUpper() -eq "ADD") {$AccessControl.AddAccessRule($AccessRule)}
elseif ($Action.ToUpper() -eq "REMOVE") {$AccessControl.RemoveAccessRule($AccessRule)}
else {throw "Action must be Add or Remove, got '$Action'"}

set-acl -aclobject $AccessControl -path $FileDir

"=============================================================="
"After " + $Action + " access rule: " + "User-"+ $User + " Rights-" + $Rights + " Access-" + $Access
(get-acl $FileDir).AccessToString
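Point 1 above worked through, as an added example that is not part of the original post or of /\/\o\/\/'s script: a composite Read + Write grant with an explicit Deny on Delete, and why AddAccessRule rather than SetAccessRule keeps earlier grants. It assumes Windows PowerShell, a writable %TEMP% and that the group name BUILTIN\Users resolves on the machine (all assumptions).

```powershell
# Added example, not from the original post or /\/\o\/\/'s script.
# Assumes Windows PowerShell on Windows, a writable %TEMP%, and that
# the well-known group BUILTIN\Users resolves on this machine.
$path = Join-Path $env:TEMP "acl-demo.txt"
Set-Content -Path $path -Value "demo"

$user  = "BUILTIN\Users"
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$deny  = [System.Security.AccessControl.AccessControlType]::Deny

function New-FsRule($Identity, $Rights, $Type) {
    # FileSystemRights is a [Flags] enum, so "Read, Write" parses to a combined mask.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, [System.Security.AccessControl.FileSystemRights]$Rights, $Type)
}

# Point 1: Read + Write, but not Delete. Write does not include Delete, so the
# Allow alone withholds it; the explicit Deny ACE additionally overrides any
# Delete right the group might inherit from the parent directory.
$acl = Get-Acl -Path $path
$acl.AddAccessRule((New-FsRule $user "Read, Write" $allow))
$acl.AddAccessRule((New-FsRule $user "Delete" $deny))
Set-Acl -Path $path -AclObject $acl

# AddAccessRule keeps the existing Allow rights for the user and adds the new
# ones; SetAccessRule would first remove every Allow entry for that user, so
# the Read+Write grant above would be lost.
$acl = Get-Acl -Path $path
$acl.AddAccessRule((New-FsRule $user "ReadAndExecute" $allow))
Set-Acl -Path $path -AclObject $acl

# Show only the explicit (non-inherited) entries that resulted for the user.
(Get-Acl -Path $path).Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $user } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize
```

Expect one Deny entry for Delete listed ahead of the Allow entry, since Set-Acl writes the DACL in canonical order with explicit Deny ACEs before explicit Allow ACEs.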



[Edit: Monad has now been renamed to Windows PowerShell. This script or discussion may require slight adjustments before it applies directly to newer builds.]
