Open Yannik opened 3 months ago
Yes, I would like to pass multiple groups into win_acl to apply the same permission at the same time to multiple groups
https://g.co/gemini/share/db9cc6d8a8d0
```csharp
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Replace 'path' with the actual file or directory path
string path = "your/file/path";
// Define permissions (replace with your desired rights)
FileSystemRights rights = FileSystemRights.Read | FileSystemRights.Write;
// Define group names (replace with your groups, e.g. "DOMAIN\\Group" for domain groups)
string[] groupNames = { "Group1", "Group2" };
// Get the existing ACL (optional, but recommended) -- .NET Framework API;
// on .NET Core/5+ use new FileInfo(path).GetAccessControl() instead
FileSystemSecurity acl = File.GetAccessControl(path);
// A FileSystemAccessRule binds exactly one identity, so one rule per group is needed.
// NTAccount resolves a local or domain account name to its SID; the string
// constructor of SecurityIdentifier expects SDDL ("S-1-5-..."), not a group name.
foreach (string groupName in groupNames)
{
    IdentityReference group = new NTAccount(groupName);
    FileSystemAccessRule rule = new FileSystemAccessRule(group, rights, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow);
    // Add the rule to the ACL
    acl.AddAccessRule(rule);
}
// Set the modified ACL back to the file system object
File.SetAccessControl(path, acl);
```
The current `win_acl` module is quite simple: you can add/delete a single ACE at a time. Unfortunately, this is not really suitable for most more advanced use-cases.
I would like to gather some ideas for an improved acl module:
### Managing multiple ACEs at once

Managing a single ACE at a time naturally makes managing large ACLs quite slow. Being able to provide a list of ACEs to add/remove would be great.

### Set/Replace mode

It would be really great to have a "set/replace/exclusive" functionality to ensure that only the ACEs that you want are set on an object, and reliably getting rid of old/unwanted ACEs.

### Recursive mode

From a security POV, ensuring that only the ACEs you want and have configured in your IaC are present is quite important. To solve this, having some kind of recursive mode to remove all non-inherited/non-managed ACEs recursively would be really nice. I am not quite sure how to design this in a way that we can set ACLs on different depths of the filesystem tree, but remove non-inherited ACEs from all other nodes. Options I can see:

- A `recursive_ignore` option which takes a regex (or a list of regexes) with files/directories to ignore.

I hope this was at least somewhat understandable. :D