Unauthorised operation whilst saving remote configuration file

I encountered an interesting problem whilst trying to save changes to a configuration file that is not on the local machine.

When calling Configuration.Save(), .NET creates a new copy of the configuration file containing the changed information. The original is moved to a temp location and its security permissions are copied to the new file; the original is then deleted and the new file is renamed to the original's name.

From MSDN documentation:

When ‘Creator Owner’ is listed in the ACL (Access Control List) of the directory containing the configuration file, the current user of Save becomes the new owner of the file and inherits the permissions granted to ‘Creator Owner’. This results in an elevation of privileges for the current user and a removal of privileges for the previous owner.

Deeper down, Configuration.Save() calls

System.Configuration.Internal.WriteFileContext.DuplicateFileAttributes(String source, String destination)

Take a look at the function:

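private void DuplicateTemplateAttributes(string source, string destination)
{
    if (this.IsWinNT)
    {
        // Read only the access rules (DACL) of the source file; owner and group are not requested.
        FileSecurity accessControl = File.GetAccessControl(source, AccessControlSections.Access);
        // Keep the existing protection flag and preserve inherited rules, then write the ACL to the new file.
        accessControl.SetAccessRuleProtection(accessControl.AreAccessRulesProtected, true);
        File.SetAccessControl(destination, accessControl);
    }
    else
    {
        // No ACLs on this platform: copy the plain file attributes instead.
        FileAttributes fileAttributes = File.GetAttributes(source);
        File.SetAttributes(destination, fileAttributes);
    }
}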

The workaround is to use Configuration.SaveAs and then copy that version over the original file. This is almost the same as the Save method, but it doesn't require taking ownership of the file or copying the permissions to the new file.
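A sketch of that workaround, added here as an example and not taken from the original post or from the framework source. The class and method names, the appSettings key and the UNC path are hypothetical placeholders, and the project is assumed to reference System.Configuration.

```csharp
using System.Configuration;
using System.IO;

static class RemoteConfigWriter
{
    // Hypothetical helper: updates one appSettings value in a configuration
    // file that lives on another machine, without calling Configuration.Save().
    public static void SaveSetting(string remoteConfigPath, string key, string value)
    {
        var map = new ExeConfigurationFileMap { ExeConfigFilename = remoteConfigPath };
        Configuration config = ConfigurationManager.OpenMappedExeConfiguration(
            map, ConfigurationUserLevel.None);

        KeyValueConfigurationCollection settings = config.AppSettings.Settings;
        if (settings[key] == null)
            settings.Add(key, value);
        else
            settings[key].Value = value;

        // SaveAs writes to a local file that does not exist yet, so the
        // temp-file, ACL-copy and rename sequence never touches the remote file.
        string localCopy = Path.Combine(
            Path.GetTempPath(), Path.GetRandomFileName() + ".config");
        try
        {
            config.SaveAs(localCopy);

            // Overwrite the contents of the existing remote file. This needs
            // write access to the file only; this code makes no
            // File.SetAccessControl call against the remote path.
            File.Copy(localCopy, remoteConfigPath, true);
        }
        finally
        {
            if (File.Exists(localCopy))
                File.Delete(localCopy);
        }
    }

    static void Main()
    {
        // Placeholder path and values for illustration only.
        SaveSetting(@"\\fileserver\share\MyApp.exe.config", "ExampleKey", "ExampleValue");
    }
}
```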
