mcollera / AccessControlDsc

MIT License

RegistryAccessEntry - Unintended removal of ACEs from an ACL. #38

Closed bcwilhite closed 5 years ago

bcwilhite commented 5 years ago

In the following scenario, if a user specifies "SYSTEM" to have "FullControl" with "ContainerInherit" as the "InheritanceFlags", "None" as the "PropagationFlags" and "Allow" as the "AccessControlType", the resource will create an access rule accordingly and add it to the current ACL. However, when the resource detects a similar ACE, such as "SYSTEM/FullControl/None/None/Allow", it will add this to the "ToBeRemoved" access rules variable. The method that is used to remove the access rule is not absolute, meaning that it will remove any rule that matches the IdentityReference and Access Mask.

> Removes access rules that contain the same security identifier and access mask as the specified access rule from the Discretionary Access Control List (DACL) associated with this CommonObjectSecurity object.

https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.commonobjectsecurity.removeaccessrule?view=netframework-4.5.1

The rule in the screenshot outlined in red is the targeted rule to be removed; however, when "RemoveAccessRule" is called with the supplied rule, it removes "FullControl" from the "SYSTEM" principal. The "ContainerInherit/InheritOnly" ACE will grant "SYSTEM" "FullControl" access, through inheritance, to any child objects, but not to the parent where this ACE/ACL is defined.

[screenshot: accessruleremovalissue]

I will be submitting a PR to address this by calling RemoveAccessRuleSpecific instead:
https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.commonobjectsecurity.removeaccessrulespecific?view=netframework-4.5.1
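The difference between the two removal methods, shown on an in-memory `RegistrySecurity` object so that no real registry key is touched. This is an added example written for this page, not code from the AccessControlDsc project or from the issue author; the starting DACL (two explicit SYSTEM ACEs, mirroring the screenshot) is constructed from an SDDL string, and the helper function names are assumptions.

```powershell
# Added example (not AccessControlDsc project code): shows why RemoveAccessRule
# can strip more than the one ACE that was targeted, and why
# RemoveAccessRuleSpecific is the safer call when the intent is to remove one
# exact ACE. Everything happens on an in-memory RegistrySecurity object; no
# registry key is read or modified.

using namespace System.Security.AccessControl
using namespace System.Security.Principal

# SYSTEM's well-known SID; using the SID avoids an account-name lookup.
$system = [SecurityIdentifier]::new('S-1-5-18')

function New-SystemFullControlRule {
    param([InheritanceFlags] $Inheritance, [PropagationFlags] $Propagation)
    [RegistryAccessRule]::new($system, [RegistryRights]::FullControl,
        $Inheritance, $Propagation, [AccessControlType]::Allow)
}

function New-DemoAcl {
    # Constructed starting DACL (KA = KEY_ALL_ACCESS = FullControl):
    #   (A;;KA;;;SY)     SYSTEM / FullControl / None / None                    (this key only)
    #   (A;CIIO;KA;;;SY) SYSTEM / FullControl / ContainerInherit / InheritOnly (subkeys only)
    $acl = [RegistrySecurity]::new()
    $acl.SetSecurityDescriptorSddlForm('D:(A;;KA;;;SY)(A;CIIO;KA;;;SY)')
    return $acl
}

function Show-SystemAces {
    param([RegistrySecurity] $Acl, [string] $Label)
    Write-Host "== $Label =="
    $rules = $Acl.GetAccessRules($true, $false, [SecurityIdentifier])
    if ($rules.Count -eq 0) { Write-Host '  (no explicit ACEs left)' }
    foreach ($r in $rules) {
        Write-Host ('  {0} / {1} / {2} / {3} / {4}' -f $r.IdentityReference, $r.RegistryRights,
            $r.InheritanceFlags, $r.PropagationFlags, $r.AccessControlType)
    }
}

# The rule the user asked for in the issue: this key and all subkeys.
$requested = New-SystemFullControlRule ([InheritanceFlags]::ContainerInherit) ([PropagationFlags]::None)

# 1. RemoveAccessRule matches on SID and access mask, not on the exact flags.
#    Both existing SYSTEM ACEs fall inside "this key and subkeys", so both are
#    removed and SYSTEM is left with no FullControl at all.
$acl = New-DemoAcl
Show-SystemAces $acl 'before'
[void] $acl.RemoveAccessRule($requested)
Show-SystemAces $acl 'after RemoveAccessRule(SYSTEM/FullControl/ContainerInherit/None)'

# 2. RemoveAccessRuleSpecific removes only an ACE whose SID, mask, inheritance
#    flags, propagation flags and type all match; the None/None ACE survives.
$acl = New-DemoAcl
$target = New-SystemFullControlRule ([InheritanceFlags]::ContainerInherit) ([PropagationFlags]::InheritOnly)
$acl.RemoveAccessRuleSpecific($target)
Show-SystemAces $acl 'after RemoveAccessRuleSpecific(SYSTEM/FullControl/ContainerInherit/InheritOnly)'
```

Run it in Windows PowerShell 5.1 or later. The second run is the behaviour a resource wants when it has computed a precise "ToBeRemoved" list: the ACE it identified goes away and nothing else for that principal changes. When auditing a DSC configuration that manages ACLs, comparing the DACL before and after a run, as the helper above does, is the quickest way to spot an unintended removal like the one in this issue.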