Remove execute permission from uploaded folders and files
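I am developing a file and folder upload system, and I want to add some security to it.
I have followed this article, and its security point number 6 says: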
6. Keep tight control of permissions
Any uploaded file will be owned by the web server. But it only needs
read/write permission, not execute permissions. After the file is
downloaded, you could apply additional restrictions if this is
appropriate. Sometimes it can be helpful to remove the execute
permission from directories to prevent the server from enumerating
files.
How can I apply this using C#?
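If I understand correctly, you want to upload a file to a remote server and then change the file to read-only. This is one option. First get a file object. After that you can set the access control and then grant the access rights you want to provide.
It could look something like this: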
    using System.IO;
    using System.Security.AccessControl;

    public class FileAccessHelper
    {
        // "identityOfUser" is a placeholder for the account the rules apply to.
        private void SetFileAccess(string path)
        {
            var fileSecurity = new FileSecurity();

            // Allow reading and writing the file's data.
            var readRule = new FileSystemAccessRule("identityOfUser", FileSystemRights.ReadData, AccessControlType.Allow);
            var writeRule = new FileSystemAccessRule("identityOfUser", FileSystemRights.WriteData, AccessControlType.Allow);
            // Explicitly deny execution.
            var noExecRule = new FileSystemAccessRule("identityOfUser", FileSystemRights.ExecuteFile, AccessControlType.Deny);

            fileSecurity.AddAccessRule(readRule);
            fileSecurity.AddAccessRule(writeRule);
            fileSecurity.AddAccessRule(noExecRule);

            // Apply the rules to the file at the given path.
            File.SetAccessControl(path, fileSecurity);
        }
    }
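One way to apply the same rule on current .NET, as an added example that is not from the original answer: it starts from the file's existing ACL, adds an explicit deny on execute for the account the process runs as, and on Linux or macOS clears the execute bits instead. The class name `UploadHardening` is hypothetical; .NET 7 or later, and the web server running as the current process identity, are assumptions.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example, not from the original answer. Assumes .NET 7 or later and that
// the current process identity is the web server account that owns the upload.
public static class UploadHardening   // hypothetical helper name
{
    public static void RemoveExecute(string path)
    {
        if (!File.Exists(path))
            throw new FileNotFoundException("Uploaded file not found.", path);

        if (OperatingSystem.IsWindows())
        {
            var info = new FileInfo(path);
            // Start from the ACL already on the file so existing entries survive.
            FileSecurity acl = info.GetAccessControl();
            var account = WindowsIdentity.GetCurrent().User
                ?? throw new InvalidOperationException("No user SID for this process.");

            acl.AddAccessRule(new FileSystemAccessRule(
                account, FileSystemRights.Read | FileSystemRights.Write, AccessControlType.Allow));
            // An explicit deny is evaluated before allow entries, so it still
            // applies when an inherited rule grants execute.
            acl.AddAccessRule(new FileSystemAccessRule(
                account, FileSystemRights.ExecuteFile, AccessControlType.Deny));
            info.SetAccessControl(acl);
        }
        else
        {
            // rw------- : owner read/write only, no execute bit for anyone.
            File.SetUnixFileMode(path, UnixFileMode.UserRead | UnixFileMode.UserWrite);
        }
    }

    public static void Main()
    {
        // Constructed sample input: a temp file stands in for an uploaded file.
        string sample = Path.GetTempFileName();
        RemoveExecute(sample);
        Console.WriteLine($"Hardened {sample}");
        File.Delete(sample);
    }
}
```

Denying `ExecuteFile` stops the file from being launched as a program; a script handler that only reads the file is not affected by it.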