Discussion:
Check permissions on Folder
(too old to reply)
Fred W.
2006-09-18 20:33:31 UTC
Permalink
When my application starts I need to check folder permissions to ensure they
have "Full Control" before I let them proceed on. How can I check this
permission. Thank you, Fred
Willy Denoyette [MVP]
2006-09-18 21:16:57 UTC
Permalink
"Fred W." <fredwemail-***@yahoo.com> wrote in message news:%***@TK2MSFTNGP05.phx.gbl...
| When my application starts I need to check folder permissions to ensure
they
| have "Full Control" before I let them proceed on. How can I check this
| permission. Thank you, Fred
|
|

While I fail to see why you need full control, the way to test your
privileges is by using the System.Security.AccessControl namespace classes.

Willy.
Fred W.
2006-09-18 21:49:03 UTC
Permalink
I suppose I don't need full control, but just "Read, Write, and Append"
capability (Or perhaps you have another suggestion?).

Which classes specifically? Do I need to call "Directory.GetAccessControl"
and then iterate through the "AccessRules" or is there a function I can call
to check for "Read, Write and Append" access on a directory. Thanks

Fred
Willy Denoyette [MVP]
2006-09-18 23:02:46 UTC
Permalink
"Fred W." <fredwemail-***@yahoo.com> wrote in message news:%***@TK2MSFTNGP05.phx.gbl...
|I suppose I don't need full control, but just "Read, Write, and Append"
| capability (Or perhaps you have another suggestion?).
|
| Which classes specifically? Do I need to call "Directory.GetAccessControl"
| and then iterate through the "AccessRules" or is there a function I can
call
| to check for "Read, Write and Append" access on a directory. Thanks
|
| Fred
|
|
|

Following sample enumerates the ACE collection of a Directory object and
prints the FileSystemRights for the administrators group.


NTAccount acc = new NTAccount("administrators");
SecurityIdentifier secId = acc.Translate(typeof(SecurityIdentifier))
as SecurityIdentifier;
DirectoryInfo dInfo = new DirectoryInfo("c:\\");
DirectorySecurity dSecurity = dInfo.GetAccessControl();
AuthorizationRuleCollection rules = dSecurity.GetAccessRules(
true,
true,
typeof(SecurityIdentifier) );
foreach(FileSystemAccessRule ar in rules)
{
if(secId.CompareTo(ar.IdentityReference as SecurityIdentifier) == 0)
Console.WriteLine(ar.FileSystemRights);
}

Hope it helps.

Willy.
Fred W.
2006-09-19 15:57:58 UTC
Permalink
If I'm understanding this correctly then I will need to walk through the
"FileSystemAccessRules" and accumulate what's allowed and denied. I will
also need to interpret if the user is a member of that group for each rule.
My understanding is that explicit rules take precedence over inherited rules
(can I tell the difference?). Also, denied take precedence over allowed. Do
I just assume owners have full control?

This just seems like a lot of work for something windows does for you when
you try to create, delete, modify files and folders. I can't help but think
there must be a better solution. I basically want the Effective Permissions
tab in Windows Explorer Properties. I've run across references to an
"AccessCheck" function (for Win32), but I have yet find anything
specifically for .NET. I suppose I could wrap the Win32 dlls, but I'm still
holding out for a .NET solution. Another solution I've been considering is
just creating a temporary files and folder in the folders I want to check
and catch exceptions to determine what's allow when I try to manipulate. Of
course I could end up littering files if I can't delete them.

Any additional comments are appreciated. Thank you.

-Fred
Post by Willy Denoyette [MVP]
|I suppose I don't need full control, but just "Read, Write, and Append"
| capability (Or perhaps you have another suggestion?).
|
| Which classes specifically? Do I need to call
"Directory.GetAccessControl"
| and then iterate through the "AccessRules" or is there a function I can
call
| to check for "Read, Write and Append" access on a directory. Thanks
|
| Fred
|
|
|
Following sample enumerates the ACE collection of a Directory object and
prints the FileSystemRights for the administrators group.
NTAccount acc = new NTAccount("administrators");
SecurityIdentifier secId = acc.Translate(typeof(SecurityIdentifier))
as SecurityIdentifier;
DirectoryInfo dInfo = new DirectoryInfo("c:\\");
DirectorySecurity dSecurity = dInfo.GetAccessControl();
AuthorizationRuleCollection rules = dSecurity.GetAccessRules(
true,
true,
typeof(SecurityIdentifier) );
foreach(FileSystemAccessRule ar in rules)
{
if(secId.CompareTo(ar.IdentityReference as SecurityIdentifier) == 0)
Console.WriteLine(ar.FileSystemRights);
}
Hope it helps.
Willy.
Willy Denoyette [MVP]
2006-09-19 18:26:18 UTC
Permalink
"Fred W." <fredwemail-***@yahoo.com> wrote in message news:%***@TK2MSFTNGP03.phx.gbl...
| If I'm understanding this correctly then I will need to walk through the
| "FileSystemAccessRules" and accumulate what's allowed and denied. I will
| also need to interpret if the user is a member of that group for each
rule.

That's right, you need to do exactly as the OS (the FileSystem in case of
File or Directory) does when accessing the object.

| My understanding is that explicit rules take precedence over inherited
rules
| (can I tell the difference?).

Yes, they do.
Sure, take a look at the IsInherited propery.

Also, denied take precedence over allowed. Do
| I just assume owners have full control?
|
Denied take precedence.
Owners have it by default, but this can be changed.

| This just seems like a lot of work for something windows does for you when
| you try to create, delete, modify files and folders.

Yes, object access and security checking is hard in Windows, and that
doesn't change with .NET, really. And it's something you should never do
from end-user code, the security API's are mainly meant to be used from
management and security editing applications, not really from user
applications that want to perform access checks.
All you should do from user code is try to open the object, the OS will
perform the required access checks, if it fails you will get a security
exception, if it succeeds you are done. Failures should be really
exceptional when administrator have done their job, most of the time they
point to illegal access.


I can't help but think
| there must be a better solution. I basically want the Effective
Permissions
| tab in Windows Explorer Properties.

What exactly do you mean by this? Do you want to display the same dialog as
the security editor from your code, or do you want to get the same
information? Quite a different task really. You won't find anything simpler,
really.


I've run across references to an
| "AccessCheck" function (for Win32), but I have yet find anything
| specifically for .NET.

AccessCheck is a complex function, before you can call it you need to fetch
a security descriptor, an access token, you need to construct a generic mask
and you need to check the out parameters when done, and don't forget to
check the return code and call SetLastError when anything fails. The lines
of code will largely exceed the pure managed solution (not to mention it's
error prone).


I suppose I could wrap the Win32 dlls, but I'm still
| holding out for a .NET solution. Another solution I've been considering is
| just creating a temporary files and folder in the folders I want to check
| and catch exceptions to determine what's allow when I try to manipulate.
Of
| course I could end up littering files if I can't delete them.
| Any additional comments are appreciated. Thank you.


You don't need to do this, if your Folder and it's inheritance chain is
set-up correctly for the application at hand.

Willy.
Fred W.
2006-09-19 20:43:02 UTC
Permalink
I agree with your point about just letting the OS perform the required
Access check, and I will start to adjust my application with that philosophy
in mind. However, my intent here is only to give my users an "upstream"
warning that they may encounter issue if the folder permissions are not
configured properly. My deployment project will configure the appropriate
permissions for them upon installation, but the application administrator
can change paths in the application for the data output (such as the log).
These alternate paths are typically accessible to the administrator, but
once the restricted user logs in, I have my issues (i.e. the administrator
has NOT done his job).

I will probably proceed with the 'Access Rules Walk' approach, unless anyone
is aware of any 3rd party code that performs this for .Net 2.0 already. I
will avoid the dll wrapper of 'AccessCheck".

Thanks again for your help.

- Fred
Post by Willy Denoyette [MVP]
| If I'm understanding this correctly then I will need to walk through the
| "FileSystemAccessRules" and accumulate what's allowed and denied. I will
| also need to interpret if the user is a member of that group for each
rule.
That's right, you need to do exactly as the OS (the FileSystem in case of
File or Directory) does when accessing the object.
| My understanding is that explicit rules take precedence over inherited
rules
| (can I tell the difference?).
Yes, they do.
Sure, take a look at the IsInherited propery.
Also, denied take precedence over allowed. Do
| I just assume owners have full control?
|
Denied take precedence.
Owners have it by default, but this can be changed.
| This just seems like a lot of work for something windows does for you when
| you try to create, delete, modify files and folders.
Yes, object access and security checking is hard in Windows, and that
doesn't change with .NET, really. And it's something you should never do
from end-user code, the security API's are mainly meant to be used from
management and security editing applications, not really from user
applications that want to perform access checks.
All you should do from user code is try to open the object, the OS will
perform the required access checks, if it fails you will get a security
exception, if it succeeds you are done. Failures should be really
exceptional when administrator have done their job, most of the time they
point to illegal access.
I can't help but think
| there must be a better solution. I basically want the Effective
Permissions
| tab in Windows Explorer Properties.
What exactly do you mean by this? Do you want to display the same dialog as
the security editor from your code, or do you want to get the same
information? Quite a different task really. You won't find anything simpler,
really.
I've run across references to an
| "AccessCheck" function (for Win32), but I have yet find anything
| specifically for .NET.
AccessCheck is a complex function, before you can call it you need to fetch
a security descriptor, an access token, you need to construct a generic mask
and you need to check the out parameters when done, and don't forget to
check the return code and call SetLastError when anything fails. The
lines
of code will largely exceed the pure managed solution (not to mention it's
error prone).
I suppose I could wrap the Win32 dlls, but I'm still
| holding out for a .NET solution. Another solution I've been considering is
| just creating a temporary files and folder in the folders I want to check
| and catch exceptions to determine what's allow when I try to manipulate.
Of
| course I could end up littering files if I can't delete them.
| Any additional comments are appreciated. Thank you.
You don't need to do this, if your Folder and it's inheritance chain is
set-up correctly for the application at hand.
Willy.
c***@gmail.com
2017-05-12 12:20:23 UTC
Permalink
Hi all,

Playing around with different solution I cam in with this solution that looks to be working for all cases :



string path = "\\server\path";

// ***** check windows user *****
WindowsIdentity wid = WindowsIdentity.GetCurrent();

// ***** check directory *****
DirectoryInfo di = new DirectoryInfo(path);

bool denied = false;
bool allowed = false;

// ***** check write access *****
try
{
DirectorySecurity acl = di.GetAccessControl();
AuthorizationRuleCollection arc = acl.GetAccessRules(true, true, typeof(SecurityIdentifier));
IList<FileSystemAccessRule> ars = new List<FileSystemAccessRule>(arc.OfType<FileSystemAccessRule>());

IList<IdentityReference> widgs = wid.Groups.Where(g => ((SecurityIdentifier)g).IsAccountSid()).ToList();

// ***** user, not inherited rules *****
foreach (FileSystemAccessRule rule in ars.Where(r => r.IdentityReference.Equals(wid.User) && !r.IsInherited))
{
denied |= this.DeniesWriteAccess(rule);
allowed |= this.AllowsWriteAccess(rule);
}

// ***** user, inherited rules *****
foreach (FileSystemAccessRule rule in ars.Where(r => r.IdentityReference.Equals(wid.User) && r.IsInherited))
{
denied |= this.DeniesWriteAccess(rule);
allowed |= this.AllowsWriteAccess(rule);
}

// ***** groups, not inherited rules *****
foreach (FileSystemAccessRule rule in ars.Where(r => widgs.Contains(r.IdentityReference) && !r.IsInherited))
{
denied |= this.DeniesWriteAccess(rule);
allowed |= this.AllowsWriteAccess(rule);
}

// ***** groups, inherited rules *****
foreach (FileSystemAccessRule rule in ars.Where(r => widgs.Contains(r.IdentityReference) && r.IsInherited))
{
denied |= this.DeniesWriteAccess(rule);
allowed |= this.AllowsWriteAccess(rule);
}
}
catch (UnauthorizedAccessException)
{
}

if (!denied && allowed)
{
StreamWriter sr = new StreamWriter(new FileStream(string.Format("{0}/test.txt", path), FileMode.Create));
sr.WriteLine("HELLO !");
sr.Flush();
sr.Close();
}

}

private bool AllowsWriteAccess(FileSystemAccessRule rule)
{
if (
rule.AccessControlType == AccessControlType.Allow
&& (
rule.FileSystemRights.HasFlag(FileSystemRights.Write)
|| rule.FileSystemRights.HasFlag(FileSystemRights.WriteData)
|| rule.FileSystemRights.HasFlag(FileSystemRights.CreateDirectories)
|| rule.FileSystemRights.HasFlag(FileSystemRights.CreateFiles)
)
)
{
return true;
}

return false;
}

private bool DeniesWriteAccess(FileSystemAccessRule rule)
{
if (
rule.AccessControlType == AccessControlType.Deny
&& (
rule.FileSystemRights.HasFlag(FileSystemRights.Write)
|| rule.FileSystemRights.HasFlag(FileSystemRights.WriteData)
|| rule.FileSystemRights.HasFlag(FileSystemRights.CreateDirectories)
|| rule.FileSystemRights.HasFlag(FileSystemRights.CreateFiles)
)
)
{
return true;
}

return false;
}
Arne Vajhøj
2017-05-13 00:58:14 UTC
Permalink
Are you aware that the thread is 11 years old?

Arne
z***@gmail.com
2017-08-29 07:57:41 UTC
Permalink
Post by Arne Vajhøj
Are you aware that the thread is 11 years old?
Arne
Yes
c***@gmail.com
2018-06-20 12:44:45 UTC
Permalink
Post by c***@gmail.com
Hi all,
string path = "\\server\path";
// ***** check windows user *****
WindowsIdentity wid = WindowsIdentity.GetCurrent();
// ***** check directory *****
DirectoryInfo di = new DirectoryInfo(path);
bool denied = false;
bool allowed = false;
// ***** check write access *****
try
{
DirectorySecurity acl = di.GetAccessControl();
AuthorizationRuleCollection arc = acl.GetAccessRules(true, true, typeof(SecurityIdentifier));
IList<FileSystemAccessRule> ars = new List<FileSystemAccessRule>(arc.OfType<FileSystemAccessRule>());
IList<IdentityReference> widgs = wid.Groups.Where(g => ((SecurityIdentifier)g).IsAccountSid()).ToList();
// ***** user, not inherited rules *****
foreach (FileSystemAccessRule rule in ars.Where(r => r.IdentityReference.Equals(wid.User) && !r.IsInherited))
{
denied |= this.DeniesWriteAccess(rule);
allowed |= this.AllowsWriteAccess(rule);
}
// ***** user, inherited rules *****
foreach (FileSystemAccessRule rule in ars.Where(r => r.IdentityReference.Equals(wid.User) && r.IsInherited))
{
denied |= this.DeniesWriteAccess(rule);
allowed |= this.AllowsWriteAccess(rule);
}
// ***** groups, not inherited rules *****
foreach (FileSystemAccessRule rule in ars.Where(r => widgs.Contains(r.IdentityReference) && !r.IsInherited))
{
denied |= this.DeniesWriteAccess(rule);
allowed |= this.AllowsWriteAccess(rule);
}
// ***** groups, inherited rules *****
foreach (FileSystemAccessRule rule in ars.Where(r => widgs.Contains(r.IdentityReference) && r.IsInherited))
{
denied |= this.DeniesWriteAccess(rule);
allowed |= this.AllowsWriteAccess(rule);
}
}
catch (UnauthorizedAccessException)
{
}
if (!denied && allowed)
{
StreamWriter sr = new StreamWriter(new FileStream(string.Format("{0}/test.txt", path), FileMode.Create));
sr.WriteLine("HELLO !");
sr.Flush();
sr.Close();
}
}
private bool AllowsWriteAccess(FileSystemAccessRule rule)
{
if (
rule.AccessControlType == AccessControlType.Allow
&& (
rule.FileSystemRights.HasFlag(FileSystemRights.Write)
|| rule.FileSystemRights.HasFlag(FileSystemRights.WriteData)
|| rule.FileSystemRights.HasFlag(FileSystemRights.CreateDirectories)
|| rule.FileSystemRights.HasFlag(FileSystemRights.CreateFiles)
)
)
{
return true;
}
return false;
}
private bool DeniesWriteAccess(FileSystemAccessRule rule)
{
if (
rule.AccessControlType == AccessControlType.Deny
&& (
rule.FileSystemRights.HasFlag(FileSystemRights.Write)
|| rule.FileSystemRights.HasFlag(FileSystemRights.WriteData)
|| rule.FileSystemRights.HasFlag(FileSystemRights.CreateDirectories)
|| rule.FileSystemRights.HasFlag(FileSystemRights.CreateFiles)
)
)
{
return true;
}
return false;
}
Thank you very much for this solution.... it may by an 11 yr post but it will still help people in the future :)
Luuk
2018-06-30 08:17:38 UTC
Permalink
Post by c***@gmail.com
Post by c***@gmail.com
Hi all,
string path = "\\server\path";
// ***** check windows user *****
WindowsIdentity wid = WindowsIdentity.GetCurrent();
// ***** check directory *****
DirectoryInfo di = new DirectoryInfo(path);
bool denied = false;
This line should read:
bool denied = true;
Post by c***@gmail.com
Post by c***@gmail.com
bool allowed = false;
// ***** check write access *****
try
{
...
Post by c***@gmail.com
Post by c***@gmail.com
}
catch (UnauthorizedAccessException)
{
}
if (!denied && allowed)
{
StreamWriter sr = new StreamWriter(new FileStream(string.Format("{0}/test.txt", path), FileMode.Create));
sr.WriteLine("HELLO !");
sr.Flush();
sr.Close();
}
}
Thank you very much for this solution.... it may by an 11 yr post but it will still help people in the future :)
If 'anything' in the try/catch fails, access should be denied...

Continue reading on narkive:
Loading...