通过LogonUser API,先切换登入账户,再设置文件的ACL
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Security.AccessControl;
using System.IO;
using System.Diagnostics;
using System.Security.Principal;
using System.Runtime.InteropServices;
namespace ConsoleApplication4
{
/// <summary>
/// Raw Win32 entry points used for the logon / impersonation demo.
/// All three return a Win32 BOOL; a false return means failure.
/// </summary>
internal class NativeMethods
{
// Methods
// Closes a kernel handle (the logon tokens obtained below).
// NOTE(review): no SetLastError = true here, so a failed close cannot be
// diagnosed through Marshal.GetLastWin32Error.
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
internal static extern bool CloseHandle(IntPtr handle);
// Creates a new impersonation-level token from ExistingTokenHandle.
// SECURITY_IMPERSONATION_LEVEL: 2 == SecurityImpersonation (the value this file passes).
// The new handle in DuplicateTokenHandle is owned by the caller and must be closed.
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
internal static extern bool DuplicateToken(IntPtr ExistingTokenHandle, int SECURITY_IMPERSONATION_LEVEL, ref IntPtr DuplicateTokenHandle);
// Logs a user on and returns a primary token in phToken (caller must CloseHandle it).
// dwLogonType 2 == LOGON32_LOGON_INTERACTIVE, dwLogonProvider 0 == LOGON32_PROVIDER_DEFAULT.
// No CharSet is given, so this binds to the ANSI entry point; the password is marshalled
// as a plain NUL-terminated string and non-ANSI characters in it will not round-trip.
[DllImport("advapi32.dll", SetLastError = true)]
internal static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken);
}
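/// <summary>
/// Demo: logs on as a local test account, creates a file while impersonating it,
/// then adds a Deny-Read ACE for the launching user and prints the resulting ACL.
/// </summary>
class Program
{
    // Win32 constants passed to the P/Invoke calls (values from winbase.h / winnt.h).
    private const int Logon32LogonInteractive = 2;   // LOGON32_LOGON_INTERACTIVE
    private const int Logon32ProviderDefault = 0;    // LOGON32_PROVIDER_DEFAULT
    private const int SecurityImpersonation = 2;     // SECURITY_IMPERSONATION_LEVEL::SecurityImpersonation

    static void Main(string[] args)
    {
        string filePath = "ClientFile_0.txt";
        // Resolved before impersonation so the Deny ACE targets the launching user, not the test account.
        string userAccount = string.Format(@"{0}\{1}", Environment.UserDomainName, Environment.UserName);

        // NOTE(review): the test account's password is hard-coded; for anything beyond a throwaway
        // local demo it should be supplied at run time rather than checked into source.
        // ImpersonateUser returns null on failure; the using statement tolerates null and otherwise
        // reverts the impersonation (Dispose == Undo) when the block ends. The original never undid it.
        using (WindowsImpersonationContext impersonation = ImpersonateUser(Environment.GetEnvironmentVariable("COMPUTERNAME"), "Co9999CMLUser_0", "password(123"))
        {
            // The file has to be created while impersonating; creating it beforehand makes the later
            // File.SetAccessControl fail with an authorization exception (see the note at the end of the file).
            File.WriteAllText(filePath, string.Format("{0}", "Hello World ආයූෝබවන්"));
            AddFileSecurity(filePath, userAccount, FileSystemRights.Read, AccessControlType.Deny);
            // Optional follow-ups kept from the original sample:
            //   RemoveFileSecurity(filePath, userAccount, FileSystemRights.Read, AccessControlType.Deny);
            //   File.Delete(filePath);
            OutputFileAccess(filePath);
        }

        // To create the test account first (runs net.exe, see CreateUserAccount):
        //   CreateUserAccount(Environment.GetEnvironmentVariable("COMPUTERNAME"), "Co9999CMLUser_0", "password(123");
        Console.WriteLine("Done!");
        Console.ReadLine();
    }

    /// <summary>
    /// Obtains a primary logon token for <paramref name="UserName"/> on <paramref name="MachineName"/>
    /// using an interactive logon with the default provider.
    /// </summary>
    /// <param name="tokenHandle">Receives the token on success, IntPtr.Zero on failure. The caller must CloseHandle it.</param>
    /// <returns>true when the logon succeeded; on failure the Win32 error code is written to the console.</returns>
    private static bool LogonUser(string MachineName, string UserName, string Password, ref IntPtr tokenHandle)
    {
        tokenHandle = IntPtr.Zero;
        bool succeeded = NativeMethods.LogonUser(UserName, MachineName, Password, Logon32LogonInteractive, Logon32ProviderDefault, ref tokenHandle);
        if (!succeeded)
        {
            // Valid because the P/Invoke is declared with SetLastError = true.
            int errorCode = Marshal.GetLastWin32Error();
            Console.WriteLine(" Failed with error code : {0}", errorCode);
        }
        return succeeded;
    }

    /// <summary>
    /// Logs on as the given local account and switches the current thread to it.
    /// </summary>
    /// <returns>
    /// The impersonation context — call Undo() or Dispose() to revert — or null when the logon
    /// or the token duplication fails (a diagnostic is written to the console in that case).
    /// </returns>
    public static WindowsImpersonationContext ImpersonateUser(string MachineName, string UserName, string Password)
    {
        IntPtr tokenHandle = IntPtr.Zero;
        IntPtr duplicateTokenHandle = IntPtr.Zero;
        if (!LogonUser(MachineName, UserName, Password, ref tokenHandle))
        {
            Console.WriteLine(MachineName);
            Console.WriteLine("Info_3047gs! CommonImpersonationUtilities::ImpersonateUser cannot test with local user");
            return null;
        }
        try
        {
            if (!NativeMethods.DuplicateToken(tokenHandle, SecurityImpersonation, ref duplicateTokenHandle))
            {
                Console.WriteLine("Err_23efad! CommonImpersonationUtilities::ImpersonateUser cannot get token for the local user");
                return null;
            }
            // WindowsIdentity duplicates the handle it is given, so both raw tokens can be released in the
            // finally block; the original leaked them on the success path. The returned context does not
            // depend on the WindowsIdentity object staying alive — NOTE(review): confirm on the target runtime.
            using (WindowsIdentity identity = new WindowsIdentity(duplicateTokenHandle))
            {
                return identity.Impersonate();
            }
        }
        finally
        {
            if (duplicateTokenHandle != IntPtr.Zero)
            {
                NativeMethods.CloseHandle(duplicateTokenHandle);
            }
            NativeMethods.CloseHandle(tokenHandle);
        }
    }

    /// <summary>
    /// Prints every explicit and inherited access rule on <paramref name="filePath"/>, with identities resolved to NTAccount names.
    /// </summary>
    public static void OutputFileAccess(string filePath)
    {
        FileSecurity fileSecurity = File.GetAccessControl(filePath);
        foreach (AuthorizationRule rule in fileSecurity.GetAccessRules(true, true, typeof(NTAccount)))
        {
            FileSystemAccessRule fileRule = rule as FileSystemAccessRule;
            if (fileRule == null)
            {
                // The original dereferenced the 'as' result unconditionally and would have thrown here.
                continue;
            }
            Console.WriteLine("Access type: {0}", fileRule.AccessControlType);
            Console.WriteLine("Rights: {0}", fileRule.FileSystemRights);
            Console.WriteLine("Identity: {0}", fileRule.IdentityReference.Value);
            Console.WriteLine();
        }
    }

    /// <summary>
    /// Adds an ACE granting or denying <paramref name="rights"/> to <paramref name="account"/> on <paramref name="fileName"/>.
    /// </summary>
    /// <param name="account">Account name in DOMAIN\user form (resolved through NTAccount).</param>
    /// <param name="controlType">Allow or Deny.</param>
    public static void AddFileSecurity(string fileName, string account, FileSystemRights rights, AccessControlType controlType)
    {
        // Read the current DACL, append the rule, write it back.
        FileSecurity fSecurity = File.GetAccessControl(fileName);
        fSecurity.AddAccessRule(new FileSystemAccessRule(account, rights, controlType));
        File.SetAccessControl(fileName, fSecurity);
    }

    /// <summary>
    /// Removes the ACE matching <paramref name="account"/>, <paramref name="rights"/> and <paramref name="controlType"/>
    /// from <paramref name="fileName"/>.
    /// </summary>
    public static void RemoveFileSecurity(string fileName, string account,
        FileSystemRights rights, AccessControlType controlType)
    {
        // Read the current DACL, drop the matching rule, write it back.
        FileSecurity fSecurity = File.GetAccessControl(fileName);
        fSecurity.RemoveAccessRule(new FileSystemAccessRule(account,
            rights, controlType));
        File.SetAccessControl(fileName, fSecurity);
    }

    /// <summary>
    /// Creates a local user by running <c>net user NAME PASSWORD /add</c> and waiting for it to finish.
    /// </summary>
    /// <remarks>
    /// <paramref name="strMachineName"/> is not used: net.exe acts on the local machine.
    /// The password travels on the command line, where other local processes (and process-creation
    /// audit logs) can read it, so this is only suitable for throwaway test accounts. The arguments
    /// are neither quoted nor escaped, so names or passwords containing spaces will not be passed as intended.
    /// </remarks>
    /// <exception cref="ArgumentException">
    /// <paramref name="strUserName"/> is null or empty — otherwise net.exe would take the password as the user name.
    /// </exception>
    public static void CreateUserAccount(string strMachineName, string strUserName, string strPassword)
    {
        if (string.IsNullOrEmpty(strUserName))
        {
            throw new ArgumentException("User name is required.", "strUserName");
        }
        ProcessStartInfo startInfo = new ProcessStartInfo("net.exe", string.Format("user {0} {1} /add", strUserName, strPassword))
        {
            UseShellExecute = false
        };
        // Process is IDisposable; the original never released it.
        using (Process process = new Process())
        {
            process.StartInfo = startInfo;
            process.Start();
            process.WaitForExit();
            // The original ignored the result; surface a non-zero exit so a failed add is not silent.
            if (process.ExitCode != 0)
            {
                Console.WriteLine("net.exe exited with code {0}", process.ExitCode);
            }
        }
    }
}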
}
注意:要设置的文件必须在切换登入用户之后再建立,也就是在ImpersonateUser()之后,才生成文件,否则在之后的File.SetAccessControl时候会出现没有授权的异常。