Get ACL

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I use this code to set writepermissions on a folder/file with Win32Security.DLL

SecurityDescriptor secDesc = SecurityDescriptor.GetFileSecurity (@strFile, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION)
Dacl dacl = secDesc.Dacl
dacl.AddAce (new AceAccessAllowed (new Sid (user), AccessType.GENERIC_EXECUTE | AccessType.GENERIC_READ | AccessType.GENERIC_WRITE | AccessType.DELETE, AceFlags.CONTAINER_INHERIT_ACE | AceFlags.OBJECT_INHERIT_ACE))
secDesc.SetDacl(dacl)
secDesc.SetFileSecurity(@strFile, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION)

But how do I get the ACL for a user? I need to know if a user has the permissions as stated in the code above on a file/folder.
 
You shouldn't use "unsupported" stuff like Win32Security.dll, use the
System.DirectoryServices (XP and higher) or System.Management namespace
instead.
Next is a complete example illustrating how to dump the ACE's from a File
object DACL using System.Management classes.

using System;
using System.Management;
using System.Collections;
// Access mask (see AccessMask property)
[Flags]
enum Mask : uint
{
FileReadData = 0x00000001,
FileWriteData = 0x00000002,
FileAppendData = 0x00000004,
FileReadEA = 0x00000008,
FileWriteEA = 0x00000010,
FileExecute = 0x00000020,
FileDeleteChild = 0x00000040,
FileReadAttributes = 0x00000080,
FileWriteAttributes= 0x00000100,

Delete = 0x00010000,
ReadControl = 0x00020000,
WriteDac = 0x00040000,
WriteOwner = 0x00080000,
Synchronize = 0x00100000,

AccessSystemSecurity = 0x01000000,
MaximumAllowed = 0x02000000,

GenericAll = 0x10000000,
GenericExecute= 0x20000000,
GenericWrite = 0x40000000,
GenericRead = 0x80000000
}
[Flags]
enum AceFlags : int
{
ObjectInheritAce = 1,
ContainerInheritAce = 2,
NoPropagateInheritAce = 4,
InheritOnlyAce = 8,
InheritedAce = 16
}

[Flags]
enum AceType : int
{
AccessAllowed = 0,
AccessDenied = 1,
Audit = 2
}
class Tester {
public static void Main() {
string fileObject = @"c:\\pipo\\t.txt"; // Watch the double Backslashes
using(ManagementObject lfs = new
ManagementObject(@"Win32_LogicalFileSecuritySetting.Path=" + "'" +
fileObject + "'"))
{
// Get the security descriptor for this object
// Dump all trustees (this includes owner)
ManagementBaseObject outParams =
lfs.InvokeMethod("GetSecurityDescriptor", null, null);
if (((uint)(outParams.Properties["ReturnValue"].Value)) == 0) // if
success
{
ManagementBaseObject secDescriptor =
((ManagementBaseObject)(outParams.Properties["Descriptor"].Value));
//The DACL is an array of Win32_ACE objects.
ManagementBaseObject[] dacl =
((ManagementBaseObject[])(secDescriptor.Properties["Dacl"].Value));
DumpACEs(dacl);

}
}
}

static void DumpACEs(ManagementBaseObject[] dacl)
{
foreach(ManagementBaseObject mbo in dacl){
Console.WriteLine("\n---------\nMask: {0:X} - Flags: {1} - Type: {2}",
mbo["AccessMask"], mbo["AceFlags"], mbo["AceType"]);
// Access allowed/denied ACE
if(Convert.ToInt32(mbo["AceType"]) == (int)AceType.AccessDenied)
Console.WriteLine("DENIED ACE TYPE");
else
Console.WriteLine("ALLOWED ACE TYPE");
// Dump trustees
ManagementBaseObject Trustee = ((ManagementBaseObject)(mbo["Trustee"]));
Console.WriteLine("Name: {0} - Domain: {1} - SID {2}\n",
Trustee.Properties["Name"].Value,
Trustee.Properties["Domain"].Value,
Trustee.Properties["SIDString"].Value);
// Dump ACE mask in readable form
UInt32 mask = (UInt32)mbo["AccessMask"];
Console.WriteLine(Enum.Format(typeof(Mask), mask, "g"));
}
}
}




Willy.
 
Hi!

Thanks, now I have this code:
public int GetPermissions()
{
string fileObject = @strFile; // Watch the double Backslashes
using(ManagementObject lfs = new
ManagementObject(@"Win32_LogicalFileSecuritySetting.Path=" + "'" +
fileObject + "'"))
{
// Get the security descriptor for this object
// Dump all trustees (this includes owner)
ManagementBaseObject outParams =
lfs.InvokeMethod("GetSecurityDescriptor", null, null);
if (((uint)(outParams.Properties["ReturnValue"].Value)) == 0)
// if success
{
ManagementBaseObject secDescriptor =
((ManagementBaseObject)(outParams.Properties["Descriptor"].Value));
//The DACL is an array of Win32_ACE objects.
ManagementBaseObject[] dacl =
((ManagementBaseObject[])(secDescriptor.Properties["Dacl"].Value));
return DumpACEs(dacl);

}
else
return -1;
}
}
public int DumpACEs(ManagementBaseObject[] dacl)
{
string ace= "";
foreach(ManagementBaseObject mbo in dacl)
{
ManagementBaseObject Trustee = ((ManagementBaseObject)(mbo["Trustee"]));
if(Trustee.Properties["Name"].Value.ToString()==user)
{
UInt32 mask = (UInt32)mbo["AccessMask"];
ace = Enum.Format(typeof(Mask), mask, "g");
}
}
if(ace=="FileReadData, FileWriteData, FileAppendData, FileReadEA, FileWriteEA, FileExecute, FileReadAttributes, FileWriteAttributes, Delete, ReadControl, Synchronize")
return 0;
else
return -1;
}

It works but we use it to get permissions for a list of files(if a specific user has the correct permissions on the files/folders) but its VERY slow, with 25 files we almost get a time out on the page(aspx).
What we're trying to do is to list files for a user that has logged in and check a checkbox if the file has modify permissions.

And how can we set "modify" permissions on a file?
 
Hi Anders,

I will send some time to do some research on this issue, I will reply to
you ASAP.

Thanks for your understanding.

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
 
This stuff isn't made to be run from applications other than "Filesystem
security editing" management applications!
You should never ever check access rights on NTFS file objects in a 'normal'
user application, as you have noticed this is slow, the reason for this is
that for each trustee the underlying code has to access the local and/or the
domain security sustem (SAM data base) to map the SID from the ACE entree to
a user account name and Domain name.
If your really really need to do this, you should cache the ACE/trustee
mappings when the applcation starts and use the cached data, another approch
would be to persist the data in a DB and read the mappings from there.
Another option is to get the SID from the callers account/domain name (this
can be tricky) and only use the SID instead of doing the lookup for each
ACE.

Willy.
 
Hi anders,

Sorry for letting you wait for so long time.

To set the NTFS permission of certain file or folder, you may just use WMI
to invoke Win32_LogicalFileSecuritySetting.SetSecurityDescriptor method to
get this done. There is a sample at:
http://groups.google.com/groups?hl=zh-CN&lr=&ie=UTF-8&oe=UTF-8&selm=#kHUtC
fcCHA.2004%40tkmsftngp12&rnum=2

Also, you may COM interop ADsSecurity.dll, then use SetSecurityDescriptor
method to achieve this. Please refer to:
"HOW TO: Programmatically Set NTFS File System Folder Permissions by Using
Microsoft Visual Basic .NET"
http://support.microsoft.com/default.aspx?scid=kb;en-us;818362

Yes, WMI may be somewhat slow of retrieving NTFS permissions. You may try
to COM interop ADsSecurity.dll to see if it improves your performance. I
think the article above provides you enough information to get this done.
Also, you may have a try of P/invoke GetSecurityInfo API.

===========================
Please apply my suggestion above and let me know if it helps resolve your
problem.

Thank you for your patience and cooperation. If you have any questions or
concerns, please feel free to post it in the group. I am standing by to be
of assistance.

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
 
Hi anders,

Does our reply makes sense to you? Do you still have any concern?

Please feel free to let me know, I will help you. Thanks

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
 
Back
Top