2005-12-20

MSMQ permissions needs a "touch"

Recently I was working with a project where I needed to set up some MSMQ queues at the install phase. I realized I needed to change the security attributes when converting the c# application to a windows service. After scraping the web I found a way to set attributes.

The install went fine but when trying to access that queue I still received errors about permissions. I looked in the MSMQ attributes for that queue in Administrive tools. All was set right. After unchecking and then rechecking a box followed by Apply it worked again. A bug! This workaround/step would not be accepted by the end customer so I had to find a work around. After some testing I found that I could use the function SetPermissions on a queue after setting the permissions in the install. The result looks like this:

// local system account
Trustee t1 = new Trustee();
t1.Name = "SYSTEM";
t1.TrusteeType = TrusteeType.User;
t1.SystemName = ".";
AccessControlEntry ace1 = new AccessControlEntry();
ace1.EntryType = AccessControlEntryType.Allow;
ace1.GenericAccessRights = GenericAccessRights.All;
ace1.StandardAccessRights = StandardAccessRights.All;
ace1.Trustee = t1;

// any other computer
Trustee t2 = new Trustee();
t2.Name = "Everyone";
t2.TrusteeType = TrusteeType.Group;
t2.SystemName = ".";
AccessControlEntry ace2 = new AccessControlEntry();
ace2.EntryType = AccessControlEntryType.Allow;
ace2.GenericAccessRights = GenericAccessRights.All;
ace2.StandardAccessRights = StandardAccessRights.All;
ace2.Trustee = t2;

AccessControlList acl = new AccessControlList();
acl.Add(ace1);
acl.Add(ace2);
MSMQInstaller.Permissions = acl;

// This corrects a bug when previous settings are not correctly applied
// Using the SetPermissions after adding the accesscontrollist applies previous settings
// Remember to use Allow below to keep existing settings
MessageQueue m = new MessageQueue(MSMQInstaller.Path);
m.SetPermissions("SYSTEM", MessageQueueAccessRights.FullControl, AccessControlEntryType.Allow);

1 comment:

PRADEEP said...

Nice one.