Solved

FileSystemRights returns Read & Execute but the actual permission is List folder contents

Posted on 2014-12-17
11
488 Views
Last Modified: 2014-12-31
When I retrieve the permissions on a folder for a given user, FileSystemRights returns "Read & Execute" even though the folder only has "List folder contents" for that user.  What am I doing wrong?

dirACLs = New Security.AccessControl.DirectorySecurity(FolderPath, Security.AccessControl.AccessControlSections.Access)

For Each accessRule As System.Security.AccessControl.FileSystemAccessRule In dirACLs.GetAccessRules(True, True, GetType(System.Security.Principal.NTAccount))

     'accessRule.FileSystemRights.tostring returns "ReadAndExecute, Synchronize"

     'accessRule.FileSystemRights returns "ListDirectory Or ReadExtendedAttributes Or ExecuteFile Or ReadAttributes Or ReadPermissions Or Synchronize {1179817}"

Next

Open in new window


See the attached file for a screenshot of the permission in question.
permissions.jpg
0
Comment
Question by:Kramarich
  • 5
  • 3
11 Comments
 
LVL 68

Expert Comment

by:Qlemo
Comment Utility
Looks like the object itself returns a DirectorySecurity object (http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.directorysecurity(v=vs.110).aspx), but the ToString() method acts on FileSecurity.
0
 

Author Comment

by:Kramarich
Comment Utility
The problem is that neither return the correct security setting.  The actual permission on the folder is "List folder contents" but FileSystemRights returns the same information as if the actual permission was "Read & execute".  How can I tell when just "List folder contents" is set as opposed to "Read & execute" (which also includes "List folder contents" and "read")?
0
 
LVL 68

Expert Comment

by:Qlemo
Comment Utility
Don't take that display in Explorer literally. Did you look up the real and effective bits in Advanced?
0
 

Author Comment

by:Kramarich
Comment Utility
Yes.  It's really strange.  The same bits are checked whether the actual permission is "List folder contents" or "Read & execute".  That explains why FileSystemRights returns "Read & execute".  It doesn't explain how I'm supposed to know that the folder is really only "List folder contents".
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:Kramarich
Comment Utility
Oops, here's the attachment.
Advanced.png
0
 
LVL 68

Expert Comment

by:Qlemo
Comment Utility
Yes, if only we knew ...
0
 

Author Comment

by:Kramarich
Comment Utility
There has to be a way to get the correct results.
0
 
LVL 32

Accepted Solution

by:
it_saige earned 500 total points
Comment Utility
Does something like this meet your requirements Kramarich?
Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal
Imports System.Text

Module Module1
	Public Sub Main(ByVal args As String())
		Dim directory As New DirectoryInfo("C:\!quick\listfolder")
		directory.ListDirectoryACLs()
		Console.WriteLine("{0} is a list content only folder? {1}", directory.FullName, directory.IsListContentOnlyFolder())
		Console.ReadLine()
	End Sub
End Module

Module Extensions
	<System.Runtime.CompilerServices.Extension()> _
	Public Function IsListContentOnlyFolder(ByVal ace As FileSystemAccessRule) As Boolean
		Return (ace.PropagationFlags = PropagationFlags.None AndAlso ace.InheritanceFlags = InheritanceFlags.ContainerInherit AndAlso ace.FileSystemRights = (FileSystemRights.ReadAndExecute Or FileSystemRights.Synchronize))
	End Function

	<System.Runtime.CompilerServices.Extension()> _
	Public Function IsListContentOnlyFolder(ByVal directory As DirectoryInfo) As Boolean
		Dim result = False
		If directory.Exists Then
			Dim acls As New DirectorySecurity(directory.FullName, AccessControlSections.Access)

			For Each rule As FileSystemAccessRule In acls.GetAccessRules(True, True, GetType(NTAccount))
				If (rule.IsListContentOnlyFolder()) Then
					result = True
				End If
			Next
		End If
		Return result
	End Function

	<System.Runtime.CompilerServices.Extension()> _
	Public Sub ListDirectoryACLs(ByVal directory As DirectoryInfo)
		If directory.Exists Then
			Dim acls As New DirectorySecurity(directory.FullName, AccessControlSections.Access)
			Dim sb As New StringBuilder()

			sb.AppendFormat("Access Control List for Directory - {0}", directory.FullName).AppendLine()
			For Each rule As FileSystemAccessRule In acls.GetAccessRules(True, True, GetType(NTAccount))
				sb.AppendFormat("Account:     {0}", rule.IdentityReference.Value).AppendLine()
				sb.AppendFormat("Type:        {0}", rule.AccessControlType).AppendLine()
				sb.AppendFormat("Rights:      {0}", rule.FileSystemRights).AppendLine()
				sb.AppendFormat("Inherited:   {0}", rule.IsInherited).AppendLine()
				sb.AppendFormat("Inheritance: {0}", rule.InheritanceFlags).AppendLine()
				sb.AppendFormat("Propagation: {0}", rule.PropagationFlags).AppendLine()
				sb.AppendFormat("IsListContentOnlyFolder: {0}", rule.IsListContentOnlyFolder()).AppendLine()
				sb.AppendLine(New String("-"c, 25))
			Next
			Console.WriteLine(sb.ToString())
		End If
	End Sub

	<System.Runtime.CompilerServices.Extension()> _
	Public Sub ListFileACLs(ByVal file As FileInfo)
		If file.Exists Then
			Dim acls As New FileSecurity(file.FullName, AccessControlSections.Access)
			Dim sb As New StringBuilder()

			sb.AppendFormat("Access Control List for File - {0}", file.FullName).AppendLine()
			For Each rule As FileSystemAccessRule In acls.GetAccessRules(True, True, GetType(NTAccount))
				sb.AppendFormat("Account:     {0}", rule.IdentityReference.Value).AppendLine()
				sb.AppendFormat("Type:        {0}", rule.AccessControlType).AppendLine()
				sb.AppendFormat("Rights:      {0}", rule.FileSystemRights).AppendLine()
				sb.AppendFormat("Inherited:   {0}", rule.IsInherited).AppendLine()
				sb.AppendFormat("Inheritance: {0}", rule.InheritanceFlags).AppendLine()
				sb.AppendFormat("Propagation: {0}", rule.PropagationFlags).AppendLine()
				sb.AppendFormat("IsListContentOnlyFolder: {0}", rule.IsListContentOnlyFolder()).AppendLine()
				sb.AppendLine(New String("-"c, 25))
			Next
			Console.WriteLine(sb.ToString())
		End If
	End Sub
End Module

Open in new window

Produces the following output -Capture.JPGAnd here is a screenshot of the folder in question -Capture.JPGTo explain what is happening, consider the following -Capture.JPGSource

In order for a folder to report that it only contains the List Folder Contents ACL, it must meet the following criteria:
The Access Rule cannot be applied to files.  In other words, the FileSystemAccessRule's InheritanceFlags would be InheritanceFlags.ContainerInherit and the FileSystemAccessRule's PropagationFlags would be PropagationFlags.None (Source)
The FileSystemRights must be set to ReadAndExecute *and* Synchronize

-saige-
0
 

Author Comment

by:Kramarich
Comment Utility
THAT'S IT!!!  The check I needed to make to determine whether it's a List only folder (hijacked from your example) is as follows:

If accessRule.PropagationFlags = PropagationFlags.None AndAlso accessRule.InheritanceFlags = InheritanceFlags.ContainerInherit AndAlso accessRule.FileSystemRights = (FileSystemRights.ReadAndExecute Or FileSystemRights.Synchronize) Then
     'this is a list only folder
End If

Open in new window


Also learned something about extensions!

Thanks,
Ken
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

A long time ago (May 2011), I have written an article showing you how to create a DLL using Visual Studio 2005 to be hosted in SQL Server 2005. That was valid at that time and it is still valid if you are still using these versions. You can still re…
NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now