文件系统权限 [英] FileSystem Permissions
本文介绍了文件系统权限的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我正在使用.Net 2.0,使用
My.Computer.FileSystem.CreateDirectory在网络共享上编写目录。只要USERS在该目录上具有完全共享权限,就可以正常工作。我的管理员无法确定要授予哪个帐户权限,以便我们可以锁定
的安全性并且不允许所有人访问。你能告诉我哪个
账户.net用于My.Computer.FileSystem创建目录并编写
文件?
谢谢。
I am using .Net 2.0, writing a directory on a network share using
My.Computer.FileSystem.CreateDirectory. This works fine as long a USERS have
full share permissions on that directory. My administrator has been unable
to figure out which account to grant permissions to so that we can lock down
the security and not allow everyone access. Can you please tell me which
account .net uses for My.Computer.FileSystem Create Directory and writing
files?
Thanks.
推荐答案
共享文件夹的权限由Windows LAN管理员管理而不是
.Net,因此访问检查由Windows内核而不是.Net执行。
用于访问共享文件夹的帐户
My.Computer.FileSystem.CreateDirectory是当前
应用程序运行的Windows帐户。因此,您应该授予您的逻辑想要授予访问权限的
Windows帐户组的写入权限。
此外,还有2种权限设置在分享期间:分享
权限和本地NTFS权限。只有一个远程Windows帐户已经通过这两项检查,才能成功访问共享目录。
但是,.Net没有公开类来设置共享权限
以编程方式,我们必须调用Win32 NetShare * API来配置它:
如何使用.NET框架创建文件共享
http://www.codeproject.com/dotnet/pinvokeaddshare.asp
.Net确实公开了类来配置NTFS DACL权限,
" DirectorySecurity Class"下面包含有关如何设置DirectorySecurity对象的示例代码:
http://msdn2.microsoft.com/en-us/lib...scontrol.direc
torysecurity。 aspx
http://pluralsight.com /wiki/default....ProgramACLs.ht
ml
此外,虽然远程Windows帐户可能没有权限
传递权限设置,Windows LAN管理器仍提供另一种
方式,用另一个
凭证(用户名/密码)传递权限设置。请参阅下面的原始回复
此方法的详细信息/示例代码:
http://groups.google.com/group/micro...curity/msg/063
d7b08b29e5642?hl = zh-CN&
希望这会有所帮助。
祝你好运,
Jeffrey Tan
Microsoft在线社区支持
============================== ====================
通过电子邮件收到我的帖子通知?请参阅
http://msdn.microsoft .com / subscripti ... ult.aspx#notif
ications。
注意:MSDN托管新闻组支持服务是针对非紧急问题
如果社区或微软支持人员在1个工作日内做出初步回复是可以接受的。请注意,每个跟随
的响应可能需要大约2个工作日作为支持
专业人士与您合作可能需要进一步调查才能达到
最有效的分辨率。该产品不适用于需要紧急,实时或基于电话的交互或复杂的b $ b项目分析和转储分析问题的情况。这种性质的问题最好通过联系
Microsoft客户支持服务(CSS)处理
href =http://msdn.microsoft.com/subscriptions/support/default.aspx\"target =_ blank> http://msdn.microsoft.com/subscripti...t/default.aspx 。
======================================== ==========
此帖子按原样提供。没有保证,也没有授予任何权利。
Hi,
The share folder''s permission is managed by Windows LAN manager instead of
.Net, so the access check is performed by Windows kernel instead of .Net.
The account used to access the share folder with
My.Computer.FileSystem.CreateDirectory is the Windows account the current
application runs under. So you should grant the write permission to the
group of Windows accounts that your logic wanted to grant access.
Furthermore, there are 2 type of permissions setting during share: share
permission and local NTFS permission. Only a remote Windows account has
passed these 2 checks, can he access the share directory successfully.
However, .Net did not expose classes to set the share permission
programmatically, we have to p/invoke Win32 NetShare* APIs to configure it:
"How to create a file share using .NET framework"
http://www.codeproject.com/dotnet/pinvokeaddshare.asp
.Net did expose classes to configure the NTFS DACL permission, the
"DirectorySecurity Class" below contains the sample code regarding how to
setup the DirectorySecurity object:
http://msdn2.microsoft.com/en-us/lib...scontrol.direc
torysecurity.aspx
http://pluralsight.com/wiki/default....ProgramACLs.ht
ml
Additionally, although the remote Windows account may not have permission
to pass the permissions setting, Windows LAN manager still provided another
way of passing the permissions setting with another
credentials(username/password). Please refer to my original reply below for
details/sample code of this approach:
http://groups.google.com/group/micro...curity/msg/063
d7b08b29e5642?hl=zh-CN&
Hope this helps.
Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
谢谢。
这非常有用。
我确实有一个问题,根据任务管理器,.net应用程序
在用户网络服务下运行。我的管理员已经给出了用户共享权限和完整NTFS权限的
,但我们仍然收到了
访问被拒绝错误。你能说清楚吗?
谢谢。
Bob
"" ; Jeffrey Tan [MSFT]""写道:
Thank you.
This is very helpful.
I do have a question though, according to Task Manager, the .net application
is running under the user "Network Services". My administrator has given
that user share permissions and full NTFS permissions, yet we still get an
access denied error. Can you shed any light on that?
Thanks.
Bob
""Jeffrey Tan[MSFT]"" wrote:
共享文件夹的权限由Windows LAN管理员而不是
.Net,因此访问检查由Windows内核而不是.Net执行。
用于访问共享文件夹的帐户
My.Computer .FileSystem.CreateDirectory是当前运行的当前
应用程序的Windows帐户。因此,您应该授予您的逻辑想要授予访问权限的
Windows帐户组的写入权限。
此外,还有2种权限设置在分享期间:分享
权限和本地NTFS权限。只有一个远程Windows帐户已经通过这两项检查,才能成功访问共享目录。
但是,.Net没有公开类来设置共享权限
以编程方式,我们必须调用Win32 NetShare * API来配置它:
如何使用.NET框架创建文件共享
http://www.codeproject.com/dotnet/pinvokeaddshare.asp
.Net确实公开了类来配置NTFS DACL权限,
" DirectorySecurity Class"下面包含有关如何设置DirectorySecurity对象的示例代码:
http://msdn2.microsoft.com/en-us/lib...scontrol.direc
torysecurity。 aspx
http://pluralsight.com /wiki/default....ProgramACLs.ht
ml
此外,虽然远程Windows帐户可能没有权限
传递权限设置,Windows LAN管理器仍提供另一种
方式,用另一个
凭证(用户名/密码)传递权限设置。请参阅下面的原始回复
此方法的详细信息/示例代码:
http://groups.google.com/group/micro...curity/msg/063
d7b08b29e5642?hl = zh-CN&
希望这会有所帮助。
祝你好运,
Jeffrey Tan
Microsoft在线社区支持
============================== ====================
通过电子邮件收到我的帖子通知?请参阅
http://msdn.microsoft .com / subscripti ... ult.aspx#notif
ications。
注意:MSDN托管新闻组支持服务是针对非紧急问题
如果社区或微软支持人员在1个工作日内做出初步回复是可以接受的。请注意,每个跟随
的响应可能需要大约2个工作日作为支持
专业人士与您合作可能需要进一步调查才能达到
最有效的分辨率。该产品不适用于需要紧急,实时或基于电话的交互或复杂的b $ b项目分析和转储分析问题的情况。这种性质的问题最好通过联系
Microsoft客户支持服务(CSS)处理
href =http://msdn.microsoft.com/subscriptions/support/default.aspx\"target =_ blank> http://msdn.microsoft.com/subscripti...t/default.aspx 。
======================================== ==========
此帖子按原样提供。没有保证,也没有授予任何权利。
Hi,
The share folder''s permission is managed by Windows LAN manager instead of
.Net, so the access check is performed by Windows kernel instead of .Net.
The account used to access the share folder with
My.Computer.FileSystem.CreateDirectory is the Windows account the current
application runs under. So you should grant the write permission to the
group of Windows accounts that your logic wanted to grant access.
Furthermore, there are 2 type of permissions setting during share: share
permission and local NTFS permission. Only a remote Windows account has
passed these 2 checks, can he access the share directory successfully.
However, .Net did not expose classes to set the share permission
programmatically, we have to p/invoke Win32 NetShare* APIs to configure it:
"How to create a file share using .NET framework"
http://www.codeproject.com/dotnet/pinvokeaddshare.asp
.Net did expose classes to configure the NTFS DACL permission, the
"DirectorySecurity Class" below contains the sample code regarding how to
setup the DirectorySecurity object:
http://msdn2.microsoft.com/en-us/lib...scontrol.direc
torysecurity.aspx
http://pluralsight.com/wiki/default....ProgramACLs.ht
ml
Additionally, although the remote Windows account may not have permission
to pass the permissions setting, Windows LAN manager still provided another
way of passing the permissions setting with another
credentials(username/password). Please refer to my original reply below for
details/sample code of this approach:
http://groups.google.com/group/micro...curity/msg/063
d7b08b29e5642?hl=zh-CN&
Hope this helps.
Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
嗨Bob,
谢谢你反馈。
你能告诉我为什么你的.Net应用程序在网络服务
帐户而不是交互式登录用户帐户下运行?我假设您的.Net
应用程序是Asp.net应用程序,是吗?那么,你的共享文件夹是用你的Asp.net应用程序在
远程机器上,还是它们在同一台机器上?我怀疑他们不在同一台机器上。
网络服务是本地计算机上的预定义帐户,因此每台
计算机都有自己的网络服务。帐户。当一台机器的网络
服务时正在尝试访问远程资源(例如文件),它不能被确定为网络服务。远程机器上的帐户。
被识别为机器帐户。它自己的机器。因此,如果这是您的
方案,则应在共享权限和NTFS DACL权限中授予Asp.net应用程序计算机帐户写入
权限。
要在ACL编辑器对话框中选择机器帐户,首先应该点击对象类型...。按钮打开对话框,然后你应该检查
" Computers"对话框中的复选框。点击确定后点击按钮,您可以
输入" [机器名称]
Hi Bob,
Thanks for your feedback.
Can you tell me why your .Net application runs under the "Network Service"
account instead of the interactive logon user account? I assume your .Net
application is Asp.net application, yes? Then, is your share folder on
remote machine with your Asp.net application, or are they in the same
machine? I suspect they are not in the same machine.
"Network Service" is a predefined account on the local machine, so every
machine has its own "Network Service" account. When one machine''s "Network
Service" is trying to access remote resource(such as files), it can not be
identified as the "Network Service" account on remote machine. It is
identified as the "machine account" of its own machine. So if this is your
scenario, you should grant the Asp.net application machine account write
permission in both the share permission and NTFS DACL permission.
To select the machine account in the ACL editor dialog, you should first
click "Object Types..." button to open the dialog, then you should check
"Computers" checkbox in the dialog. After clicking "Ok" button, you may
input "[machine name]
这篇关于文件系统权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
