Set permissions to system users to the log path

Fixes #14
awaescher · May 18, 2020 · c4a99cd · c4a99cd · chucklu · May 19, 2020
1 parent 5dff502
commit c4a99cd
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 0 deletions.
diff --git a/Fusion++.Engine/Fusion++.Engine.csproj b/Fusion++.Engine/Fusion++.Engine.csproj
@@ -7,6 +7,7 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.Win32.Registry" Version="4.6.0" />
+    <PackageReference Include="System.IO.FileSystem.AccessControl" Version="4.7.0" />
   </ItemGroup>
 
 </Project>
diff --git a/Fusion++.Engine/IO/TemporaryLogStore.cs b/Fusion++.Engine/IO/TemporaryLogStore.cs
@@ -2,6 +2,8 @@
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
+using System.Security.AccessControl;
+using System.Security.Principal;
 
 namespace FusionPlusPlus.Engine.IO
 {
@@ -22,7 +24,63 @@ public TemporaryLogStore()
 		public void Prepare()
 		{
 			if (!Directory.Exists(Path))
+			{
 				Directory.CreateDirectory(Path);
+
+				try
+				{
+					SetFullControlPermissions(Path, WellKnownSidType.BuiltinUsersSid, WellKnownSidType.LocalSystemSid);
+				}
+				catch
+				{
+					// setting full control permissions is what we want to have for IIS logging, however we can 
+					// live without it: https://github.com/awaescher/Fusion/issues/14
+				}
+			}
+		}
+
+		static void SetFullControlPermissions(string path, params WellKnownSidType[] sids)
+		{
+			const FileSystemRights rights = FileSystemRights.FullControl;
+
+			foreach (var sid in sids)
+			{
+				bool result;
+				bool inheritedResult;
+
+				var securityIdentifier = new SecurityIdentifier(sid, null);
+
+				// Add Access Rule to the actual directory itself
+				var accessRule = new FileSystemAccessRule(
+					securityIdentifier,
+					rights,
+					InheritanceFlags.None,
+					PropagationFlags.NoPropagateInherit,
+					AccessControlType.Allow);
+
+				var info = new DirectoryInfo(path);
+				var security = info.GetAccessControl(AccessControlSections.Access);
+
+				security.ModifyAccessRule(AccessControlModification.Set, accessRule, out result);
+
+				if (!result)
+					throw new InvalidOperationException("Failed to give full-control permission to all users for path " + path);
+
+				// add inheritance
+				var inheritedAccessRule = new FileSystemAccessRule(
+					securityIdentifier,
+					rights,
+					InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
+					PropagationFlags.InheritOnly,
+					AccessControlType.Allow);
+
+				security.ModifyAccessRule(AccessControlModification.Add, inheritedAccessRule, out inheritedResult);
+
+				if (!inheritedResult)
+					throw new InvalidOperationException("Failed to give full-control permission inheritance to all users for " + path);
+
+				info.SetAccessControl(security);
+			}
 		}
 
 		public string GetLogName(string path)