Solved

System.UnauthorizedAccessException: Attempted to perform an unauthorized operation. Trying to set permissions on a file

Posted on 2009-07-13
2
3,859 Views
Last Modified: 2012-08-13
I have an app that uploads files into a unc directory that everyone has permission to upload to.

 

The interface uses a proxy webservice that call another webservice. (this is done for security purposes and works fine in all otehr instances) he proxy webservice runs as a speciifc useraccoutn that gets verified on the end point webservice);

Once the file is their the application calls the proxy webservice(which calls the webservice that controls this upload direttory) and removes the inherited permissions and applies specific permission to the file so that it can no longer be accessed by a specific usergroup.

This second webservice also runs under a specific system acount that has full control to the directory in question.

The webservice webmethod  uses impersonation initially to verify that the call is coming from the parent webservice but once that occurs it stops impersonating so that it can run as the service accoutn that controls the directory. (app pool is configured to run under this account)

But for some reason I can not figure out despite it being explicityly told to STOP impersonating (which defacto should cause it to run as its app pool account) UNless someone with local admin rights on the web server runs the command from the interface it returns the error

 

System.Web.Services.Protocols.SoapException: System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.

at System.Security.AccessControl.Win32.SetSecurityInfo(ResourceType type, String name, SafeHandle handle, SecurityInfos securityInformation, SecurityIdentifier owner, SecurityIdentifier group, GenericAcl sacl, GenericAcl dacl)

at System.Security.AccessControl.NativeObjectSecurity.Persist(String name, SafeHandle handle, AccessControlSections includeSections, Object exceptionContext)

at System.Security.AccessControl.NativeObjectSecurity.Persist(String name, AccessControlSections includeSections, Object exceptionContext)

at System.Security.AccessControl.NativeObjectSecurity.Persist(String name, AccessControlSections includeSections)

at System.Security.AccessControl.FileSystemSecurity.Persist(String fullPath)

at System.IO.File.SetAccessControl(String path, FileSecurity fileSecurity)

at System.IO.FileInfo.SetAccessControl(FileSecurity fileSecurity)

at omnifrmwk.InternalClasses.FilePermsMethods.RemoveInheritablePermissons(String FileName)

 

 

Add the user to the local admin group and it works fine.

Remove the user from the local admin group and it gives the error...

BUt who the user is shouldnt matter at all by that time it has stopped impersonating the original caller TWO service gone and should be impersonating the username of the app pool. Even stranger...when it works because the original caller has admin rights and applies the permission correctly..the permissions applied are generated by the account that the method is running as..so I can see what account is actually setting the permission (since it set the permissions for itself) and it is the correct service account...so I have NO IDEA why it should matter at all whether the user on teh inetrface end has local admin rights or not on the web server running this third tier web service.

 below is the code I use which you can see expliciltly says to stop impersonating...

WindowsImpersonationContext ctx = WindowsIdentity.Impersonate(IntPtr.Zero);
            
            try
            {
               //get the username of the currently running acount
 
                string ealmsAccount = omnibll.UserAuth. GetUsername ();
                omnifrmwk.InternalClasses.FilePermsMethods.RemoveInheritablePermissons(file);
                omnifrmwk.InternalClasses.FilePermsMethods.addFullAccess(file, ealmsAccount);
                
 
                succ = true;
            }
            finally
            {
                ctx.Undo();
            }
}

Open in new window

0
Comment
Question by:Prysson
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 41

Expert Comment

by:graye
ID: 24858951
0
 

Accepted Solution

by:
Prysson earned 0 total points
ID: 25026010
The problem was one of ownership...issue resolved.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Problem Hi all,    While many today have fast Internet connection, there are many still who do not, or are connecting through devices with a slower connect, so light web pages and fast load times are still popular.    If your ASP.NET page …
It was really hard time for me to get the understanding of Delegates in C#. I went through many websites and articles but I found them very clumsy. After going through those sites, I noted down the points in a easy way so here I am sharing that unde…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question