  • Status: Solved

FileSystemRights returns Read & Execute but the actual permission is List folder contents

When I retrieve the permissions on a folder for a given user, FileSystemRights returns "Read & Execute" even though the folder only has "List folder contents" for that user.  What am I doing wrong?

Dim dirACLs As New Security.AccessControl.DirectorySecurity(FolderPath, Security.AccessControl.AccessControlSections.Access)

For Each accessRule As System.Security.AccessControl.FileSystemAccessRule In dirACLs.GetAccessRules(True, True, GetType(System.Security.Principal.NTAccount))
     'accessRule.FileSystemRights.ToString returns "ReadAndExecute, Synchronize"
     'accessRule.FileSystemRights returns "ListDirectory Or ReadExtendedAttributes Or ExecuteFile Or ReadAttributes Or ReadPermissions Or Synchronize {1179817}"
Next

See the attached file for a screenshot of the permission in question.
permissions.jpg
0
 
Qlemo (C++ Developer) commented:
Looks like the object itself returns a DirectorySecurity object (http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.directorysecurity(v=vs.110).aspx), but the ToString() method acts on FileSecurity.
0
 
Kramarich (Author) commented:
The problem is that neither returns the correct security setting.  The actual permission on the folder is "List folder contents" but FileSystemRights returns the same information as if the actual permission was "Read & execute".  How can I tell when just "List folder contents" is set as opposed to "Read & execute" (which also includes "List folder contents" and "read")?
0
 
Qlemo (C++ Developer) commented:
Don't take that display in Explorer literally. Did you look up the real and effective bits in Advanced?
0
 
Kramarich (Author) commented:
Yes.  It's really strange.  The same bits are checked whether the actual permission is "List folder contents" or "Read & execute".  That explains why FileSystemRights returns "Read & execute".  It doesn't explain how I'm supposed to know that the folder is really only "List folder contents".
0
 
Kramarich (Author) commented:
Oops, here's the attachment.
Advanced.png
0
 
Qlemo (C++ Developer) commented:
Yes, if only we knew ...
0
 
Kramarich (Author) commented:
There has to be a way to get the correct results.
0
 
it_saige (Developer) commented:
Does something like this meet your requirements, Kramarich?
Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal
Imports System.Text

Module Module1
	Public Sub Main(ByVal args As String())
		Dim directory As New DirectoryInfo("C:\!quick\listfolder")
		directory.ListDirectoryACLs()
		Console.WriteLine("{0} is a list content only folder? {1}", directory.FullName, directory.IsListContentOnlyFolder())
		Console.ReadLine()
	End Sub
End Module

Module Extensions
	<System.Runtime.CompilerServices.Extension()> _
	Public Function IsListContentOnlyFolder(ByVal ace As FileSystemAccessRule) As Boolean
		Return (ace.PropagationFlags = PropagationFlags.None AndAlso ace.InheritanceFlags = InheritanceFlags.ContainerInherit AndAlso ace.FileSystemRights = (FileSystemRights.ReadAndExecute Or FileSystemRights.Synchronize))
	End Function

	<System.Runtime.CompilerServices.Extension()> _
	Public Function IsListContentOnlyFolder(ByVal directory As DirectoryInfo) As Boolean
		Dim result = False
		If directory.Exists Then
			Dim acls As New DirectorySecurity(directory.FullName, AccessControlSections.Access)

			For Each rule As FileSystemAccessRule In acls.GetAccessRules(True, True, GetType(NTAccount))
				If (rule.IsListContentOnlyFolder()) Then
					result = True
				End If
			Next
		End If
		Return result
	End Function

	<System.Runtime.CompilerServices.Extension()> _
	Public Sub ListDirectoryACLs(ByVal directory As DirectoryInfo)
		If directory.Exists Then
			Dim acls As New DirectorySecurity(directory.FullName, AccessControlSections.Access)
			Dim sb As New StringBuilder()

			sb.AppendFormat("Access Control List for Directory - {0}", directory.FullName).AppendLine()
			For Each rule As FileSystemAccessRule In acls.GetAccessRules(True, True, GetType(NTAccount))
				sb.AppendFormat("Account:     {0}", rule.IdentityReference.Value).AppendLine()
				sb.AppendFormat("Type:        {0}", rule.AccessControlType).AppendLine()
				sb.AppendFormat("Rights:      {0}", rule.FileSystemRights).AppendLine()
				sb.AppendFormat("Inherited:   {0}", rule.IsInherited).AppendLine()
				sb.AppendFormat("Inheritance: {0}", rule.InheritanceFlags).AppendLine()
				sb.AppendFormat("Propagation: {0}", rule.PropagationFlags).AppendLine()
				sb.AppendFormat("IsListContentOnlyFolder: {0}", rule.IsListContentOnlyFolder()).AppendLine()
				sb.AppendLine(New String("-"c, 25))
			Next
			Console.WriteLine(sb.ToString())
		End If
	End Sub

	<System.Runtime.CompilerServices.Extension()> _
	Public Sub ListFileACLs(ByVal file As FileInfo)
		If file.Exists Then
			Dim acls As New FileSecurity(file.FullName, AccessControlSections.Access)
			Dim sb As New StringBuilder()

			sb.AppendFormat("Access Control List for File - {0}", file.FullName).AppendLine()
			For Each rule As FileSystemAccessRule In acls.GetAccessRules(True, True, GetType(NTAccount))
				sb.AppendFormat("Account:     {0}", rule.IdentityReference.Value).AppendLine()
				sb.AppendFormat("Type:        {0}", rule.AccessControlType).AppendLine()
				sb.AppendFormat("Rights:      {0}", rule.FileSystemRights).AppendLine()
				sb.AppendFormat("Inherited:   {0}", rule.IsInherited).AppendLine()
				sb.AppendFormat("Inheritance: {0}", rule.InheritanceFlags).AppendLine()
				sb.AppendFormat("Propagation: {0}", rule.PropagationFlags).AppendLine()
				sb.AppendFormat("IsListContentOnlyFolder: {0}", rule.IsListContentOnlyFolder()).AppendLine()
				sb.AppendLine(New String("-"c, 25))
			Next
			Console.WriteLine(sb.ToString())
		End If
	End Sub
End Module


Produces the following output -
Capture.JPG

And here is a screenshot of the folder in question -
Capture.JPG

To explain what is happening, consider the following -
Capture.JPG
Source

In order for a folder to report that it only contains the List Folder Contents ACL, it must meet the following criteria:
  • The Access Rule cannot be applied to files.  In other words, the FileSystemAccessRule's InheritanceFlags would be InheritanceFlags.ContainerInherit and the FileSystemAccessRule's PropagationFlags would be PropagationFlags.None (Source)
  • The FileSystemRights must be set to ReadAndExecute *and* Synchronize

-saige-
0
 
Kramarich (Author) commented:
THAT'S IT!!!  The check I needed to make to determine whether it's a List only folder (hijacked from your example) is as follows:

If accessRule.PropagationFlags = PropagationFlags.None AndAlso accessRule.InheritanceFlags = InheritanceFlags.ContainerInherit AndAlso accessRule.FileSystemRights = (FileSystemRights.ReadAndExecute Or FileSystemRights.Synchronize) Then
     'this is a list only folder
End If

Also learned something about extensions!

Thanks,
Ken
0
