Solved

FileSystemRights returns Read & Execute but the actual permission is List folder contents

Posted on 2014-12-17
Last Modified: 2014-12-31
When I retrieve the permissions on a folder for a given user, FileSystemRights returns "Read & Execute" even though the folder only has "List folder contents" for that user.  What am I doing wrong?

Dim dirACLs As New Security.AccessControl.DirectorySecurity(FolderPath, Security.AccessControl.AccessControlSections.Access)

For Each accessRule As System.Security.AccessControl.FileSystemAccessRule In dirACLs.GetAccessRules(True, True, GetType(System.Security.Principal.NTAccount))
     'accessRule.FileSystemRights.ToString() returns "ReadAndExecute, Synchronize"
     'accessRule.FileSystemRights returns "ListDirectory Or ReadExtendedAttributes Or ExecuteFile Or ReadAttributes Or ReadPermissions Or Synchronize {1179817}"
Next


See the attached file for a screenshot of the permission in question.
permissions.jpg
Question by:Kramarich
11 Comments
 
LVL 69

Expert Comment

by:Qlemo
ID: 40505743
Looks like the object itself returns a DirectorySecurity object (http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.directorysecurity(v=vs.110).aspx), but the ToString() method acts on FileSecurity.
0
 

Author Comment

by:Kramarich
ID: 40506892
The problem is that neither return the correct security setting.  The actual permission on the folder is "List folder contents" but FileSystemRights returns the same information as if the actual permission was "Read & execute".  How can I tell when just "List folder contents" is set as opposed to "Read & execute" (which also includes "List folder contents" and "read")?
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 40507128
Don't take that display in Explorer literally. Did you look up the real and effective bits in Advanced?
0

Author Comment

by:Kramarich
ID: 40507190
Yes.  It's really strange.  The same bits are checked whether the actual permission is "List folder contents" or "Read & execute".  That explains why FileSystemRights returns "Read & execute".  It doesn't explain how I'm supposed to know that the folder is really only "List folder contents".
0
 

Author Comment

by:Kramarich
ID: 40507193
Oops, here's the attachment.
Advanced.png
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 40507213
Yes, if only we knew ...
0
 

Author Comment

by:Kramarich
ID: 40522086
There has to be a way to get the correct results.
0
 
LVL 33

Accepted Solution

by:
it_saige earned 500 total points
ID: 40524449
Does something like this meet your requirements Kramarich?
Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal
Imports System.Text

Module Module1
	Public Sub Main(ByVal args As String())
		Dim directory As New DirectoryInfo("C:\!quick\listfolder")
		directory.ListDirectoryACLs()
		Console.WriteLine("{0} is a list content only folder? {1}", directory.FullName, directory.IsListContentOnlyFolder())
		Console.ReadLine()
	End Sub
End Module

Module Extensions
	<System.Runtime.CompilerServices.Extension()> _
	Public Function IsListContentOnlyFolder(ByVal ace As FileSystemAccessRule) As Boolean
		Return (ace.PropagationFlags = PropagationFlags.None AndAlso ace.InheritanceFlags = InheritanceFlags.ContainerInherit AndAlso ace.FileSystemRights = (FileSystemRights.ReadAndExecute Or FileSystemRights.Synchronize))
	End Function

	<System.Runtime.CompilerServices.Extension()> _
	Public Function IsListContentOnlyFolder(ByVal directory As DirectoryInfo) As Boolean
		Dim result = False
		If directory.Exists Then
			Dim acls As New DirectorySecurity(directory.FullName, AccessControlSections.Access)

			For Each rule As FileSystemAccessRule In acls.GetAccessRules(True, True, GetType(NTAccount))
				If (rule.IsListContentOnlyFolder()) Then
					result = True
				End If
			Next
		End If
		Return result
	End Function

	<System.Runtime.CompilerServices.Extension()> _
	Public Sub ListDirectoryACLs(ByVal directory As DirectoryInfo)
		If directory.Exists Then
			Dim acls As New DirectorySecurity(directory.FullName, AccessControlSections.Access)
			Dim sb As New StringBuilder()

			sb.AppendFormat("Access Control List for Directory - {0}", directory.FullName).AppendLine()
			For Each rule As FileSystemAccessRule In acls.GetAccessRules(True, True, GetType(NTAccount))
				sb.AppendFormat("Account:     {0}", rule.IdentityReference.Value).AppendLine()
				sb.AppendFormat("Type:        {0}", rule.AccessControlType).AppendLine()
				sb.AppendFormat("Rights:      {0}", rule.FileSystemRights).AppendLine()
				sb.AppendFormat("Inherited:   {0}", rule.IsInherited).AppendLine()
				sb.AppendFormat("Inheritance: {0}", rule.InheritanceFlags).AppendLine()
				sb.AppendFormat("Propagation: {0}", rule.PropagationFlags).AppendLine()
				sb.AppendFormat("IsListContentOnlyFolder: {0}", rule.IsListContentOnlyFolder()).AppendLine()
				sb.AppendLine(New String("-"c, 25))
			Next
			Console.WriteLine(sb.ToString())
		End If
	End Sub

	<System.Runtime.CompilerServices.Extension()> _
	Public Sub ListFileACLs(ByVal file As FileInfo)
		If file.Exists Then
			Dim acls As New FileSecurity(file.FullName, AccessControlSections.Access)
			Dim sb As New StringBuilder()

			sb.AppendFormat("Access Control List for File - {0}", file.FullName).AppendLine()
			For Each rule As FileSystemAccessRule In acls.GetAccessRules(True, True, GetType(NTAccount))
				sb.AppendFormat("Account:     {0}", rule.IdentityReference.Value).AppendLine()
				sb.AppendFormat("Type:        {0}", rule.AccessControlType).AppendLine()
				sb.AppendFormat("Rights:      {0}", rule.FileSystemRights).AppendLine()
				sb.AppendFormat("Inherited:   {0}", rule.IsInherited).AppendLine()
				sb.AppendFormat("Inheritance: {0}", rule.InheritanceFlags).AppendLine()
				sb.AppendFormat("Propagation: {0}", rule.PropagationFlags).AppendLine()
				sb.AppendFormat("IsListContentOnlyFolder: {0}", rule.IsListContentOnlyFolder()).AppendLine()
				sb.AppendLine(New String("-"c, 25))
			Next
			Console.WriteLine(sb.ToString())
		End If
	End Sub
End Module


Produces the following output - Capture.JPG

And here is a screenshot of the folder in question - Capture.JPG

To explain what is happening, consider the following - Capture.JPG (Source)

In order for a folder to report that it only contains the List Folder Contents ACL, it must meet the following criteria:
The Access Rule cannot be applied to files.  In other words, the FileSystemAccessRule's InheritanceFlags would be InheritanceFlags.ContainerInherit and the FileSystemAccessRule's PropagationFlags would be PropagationFlags.None (Source)
The FileSystemRights must be set to ReadAndExecute *and* Synchronize

-saige-
0
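The criteria in the accepted answer, as an added example that is not code from the thread: it classifies each ACE by its inheritance scope, since "List folder contents" and "Read & execute" carry the same rights mask (1179817) and differ only in whether the ACE also applies to files. `ClassifyAce` and the `EXAMPLE\` account names are hypothetical; the sample rules are constructed in memory, so no folder is read.

```vb
Imports System
Imports System.Security.AccessControl

Module ListFolderVsReadExecute
    ' ReadAndExecute (131241) Or Synchronize (1048576) = 1179817, the value shown in the question.
    Private Const ReadExecMask As FileSystemRights = FileSystemRights.ReadAndExecute Or FileSystemRights.Synchronize

    ' Hypothetical helper: names the Explorer basic permission an ACE corresponds to.
    Public Function ClassifyAce(rule As FileSystemAccessRule) As String
        ' A Deny ACE with the same mask is not a grant of either permission.
        If rule.AccessControlType <> AccessControlType.Allow Then Return "Deny entry"
        If rule.FileSystemRights <> ReadExecMask Then Return "Other rights"
        If rule.PropagationFlags <> PropagationFlags.None Then Return "Other scope"

        Select Case rule.InheritanceFlags
            Case InheritanceFlags.ContainerInherit
                ' Applies to this folder and subfolders, never to files.
                Return "List folder contents"
            Case InheritanceFlags.ContainerInherit Or InheritanceFlags.ObjectInherit
                ' Applies to this folder, subfolders and files.
                Return "Read & execute"
            Case Else
                Return "Other scope"
        End Select
    End Function

    Public Sub Main()
        ' Constructed sample ACEs; the account names are placeholders and are never resolved.
        Dim samples As FileSystemAccessRule() = {
            New FileSystemAccessRule("EXAMPLE\alice", FileSystemRights.ReadAndExecute,
                InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow),
            New FileSystemAccessRule("EXAMPLE\bob", FileSystemRights.ReadAndExecute,
                InheritanceFlags.ContainerInherit Or InheritanceFlags.ObjectInherit,
                PropagationFlags.None, AccessControlType.Allow),
            New FileSystemAccessRule("EXAMPLE\carol", FileSystemRights.ReadAndExecute,
                InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Deny)
        }

        For Each ace As FileSystemAccessRule In samples
            Console.WriteLine("{0,-15} {1,8} -> {2}", ace.IdentityReference.Value,
                CInt(ace.FileSystemRights), ClassifyAce(ace))
        Next
    End Sub
End Module
```

When auditing a real folder for one user, also compare `rule.IdentityReference` with that account: the directory-level `IsListContentOnlyFolder` above returns True as soon as any account's rule matches.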
 

Author Comment

by:Kramarich
ID: 40525447
THAT'S IT!!!  The check I needed to make to determine whether it's a List only folder (hijacked from your example) is as follows:

If accessRule.PropagationFlags = PropagationFlags.None AndAlso accessRule.InheritanceFlags = InheritanceFlags.ContainerInherit AndAlso accessRule.FileSystemRights = (FileSystemRights.ReadAndExecute Or FileSystemRights.Synchronize) Then
     'this is a list only folder
End If



Also learned something about extensions!

Thanks,
Ken
0
