.NET Security in C#

[admin]

Since my company does a lot of .NET consultancy, one of ourrecent projects required that file i/o access be denied if the user runningthe application did not have administrator privileges. A lot has been written aboutthe command line utility caspol.exe, however, this can seem a little overthe top and quite complex when considering code groups, policy levels andzone management.

I basically wanted to programmatically check whether the user had the relevant permissions by accessing their windows account. Fortunately, .NETprovides this through the System.Security.Principal namespace. I also wantedto deny access to particular drives – this is done through the namespaceSystem.Security.Permissions.

Below is shown a skeleton example, where if the user is not an administratorthe contents of a text file cannot be read and displayed in a list box:

Code Select Expand

try
{

//By default deny access to the C Drive.....
CodeAccessPermission UserPermission = new FileIOPermission(FileIOPermissionAccess.AllAccess,@"c:\");

//Check whether the user is part of the administrator group
AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
WindowsPrincipal principal = (WindowsPrincipal)Thread.CurrentPrincipal;
WindowsIdentity identity = (WindowsIdentity)principal.Identity;

bIsAdmin = principal.IsInRole(WindowsBuiltInRole.Administrator);

//Its not, so deny access to the file
if(!bIsAdmin)
{
UserPermission.Deny();
}
else
{
//Do the read
din = ReadTheFile.DoTheRead();
}

if(!bIsAdmin)
{
//Reset deny permissions in current stack frame
CodeAccessPermission.RevertDeny();
}

//If we got this far .... we read in the file
String str;

while ((str=din.ReadLine()) != null)
{
listBox1.Items.Add(str);
}
}
catch (SecurityException exception)
{
//Failed to pass the security checks – so flag up error to user
listBox1.Items.Add("Permission denied accessing file");
}