Solved

FileSystemRights returns Read & Execute but the actual permission is List folder contents

Posted on 2014-12-17
11
573 Views
Last Modified: 2014-12-31
When I retrieve the permissions on a folder for a given user, FileSystemRights returns "Read & Execute" even though the folder only has "List folder contents" for that user.  What am I doing wrong?

dirACLs = New Security.AccessControl.DirectorySecurity(FolderPath, Security.AccessControl.AccessControlSections.Access)

For Each accessRule As System.Security.AccessControl.FileSystemAccessRule In dirACLs.GetAccessRules(True, True, GetType(System.Security.Principal.NTAccount))

     'accessRule.FileSystemRights.tostring returns "ReadAndExecute, Synchronize"

     'accessRule.FileSystemRights returns "ListDirectory Or ReadExtendedAttributes Or ExecuteFile Or ReadAttributes Or ReadPermissions Or Synchronize {1179817}"

Next

Open in new window


See the attached file for a screenshot of the permission in question.
permissions.jpg
0
Comment
Question by:Kramarich
  • 5
  • 3
11 Comments
 
LVL 69

Expert Comment

by:Qlemo
ID: 40505743
Looks like the object itself returns a DirectorySecurity object (http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.directorysecurity(v=vs.110).aspx), but the ToString() method acts on FileSecurity.
0
 

Author Comment

by:Kramarich
ID: 40506892
The problem is that neither return the correct security setting.  The actual permission on the folder is "List folder contents" but FileSystemRights returns the same information as if the actual permission was "Read & execute".  How can I tell when just "List folder contents" is set as opposed to "Read & execute" (which also includes "List folder contents" and "read")?
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 40507128
Don't take that display in Explorer literally. Did you look up the real and effective bits in Advanced?
0
Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

 

Author Comment

by:Kramarich
ID: 40507190
Yes.  It's really strange.  The same bits are checked whether the actual permission is "List folder contents" or "Read & execute".  That explains why FileSystemRights returns "Read & execute".  It doesn't explain how I'm supposed to know that the folder is really only "List folder contents".
0
 

Author Comment

by:Kramarich
ID: 40507193
Oops, here's the attachment.
Advanced.png
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 40507213
Yes, if only we knew ...
0
 

Author Comment

by:Kramarich
ID: 40522086
There has to be a way to get the correct results.
0
 
LVL 33

Accepted Solution

by:
it_saige earned 500 total points
ID: 40524449
Does something like this meet your requirements Kramarich?
Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal
Imports System.Text

Module Module1
	Public Sub Main(ByVal args As String())
		Dim directory As New DirectoryInfo("C:\!quick\listfolder")
		directory.ListDirectoryACLs()
		Console.WriteLine("{0} is a list content only folder? {1}", directory.FullName, directory.IsListContentOnlyFolder())
		Console.ReadLine()
	End Sub
End Module

Module Extensions
	<System.Runtime.CompilerServices.Extension()> _
	Public Function IsListContentOnlyFolder(ByVal ace As FileSystemAccessRule) As Boolean
		Return (ace.PropagationFlags = PropagationFlags.None AndAlso ace.InheritanceFlags = InheritanceFlags.ContainerInherit AndAlso ace.FileSystemRights = (FileSystemRights.ReadAndExecute Or FileSystemRights.Synchronize))
	End Function

	<System.Runtime.CompilerServices.Extension()> _
	Public Function IsListContentOnlyFolder(ByVal directory As DirectoryInfo) As Boolean
		Dim result = False
		If directory.Exists Then
			Dim acls As New DirectorySecurity(directory.FullName, AccessControlSections.Access)

			For Each rule As FileSystemAccessRule In acls.GetAccessRules(True, True, GetType(NTAccount))
				If (rule.IsListContentOnlyFolder()) Then
					result = True
				End If
			Next
		End If
		Return result
	End Function

	<System.Runtime.CompilerServices.Extension()> _
	Public Sub ListDirectoryACLs(ByVal directory As DirectoryInfo)
		If directory.Exists Then
			Dim acls As New DirectorySecurity(directory.FullName, AccessControlSections.Access)
			Dim sb As New StringBuilder()

			sb.AppendFormat("Access Control List for Directory - {0}", directory.FullName).AppendLine()
			For Each rule As FileSystemAccessRule In acls.GetAccessRules(True, True, GetType(NTAccount))
				sb.AppendFormat("Account:     {0}", rule.IdentityReference.Value).AppendLine()
				sb.AppendFormat("Type:        {0}", rule.AccessControlType).AppendLine()
				sb.AppendFormat("Rights:      {0}", rule.FileSystemRights).AppendLine()
				sb.AppendFormat("Inherited:   {0}", rule.IsInherited).AppendLine()
				sb.AppendFormat("Inheritance: {0}", rule.InheritanceFlags).AppendLine()
				sb.AppendFormat("Propagation: {0}", rule.PropagationFlags).AppendLine()
				sb.AppendFormat("IsListContentOnlyFolder: {0}", rule.IsListContentOnlyFolder()).AppendLine()
				sb.AppendLine(New String("-"c, 25))
			Next
			Console.WriteLine(sb.ToString())
		End If
	End Sub

	<System.Runtime.CompilerServices.Extension()> _
	Public Sub ListFileACLs(ByVal file As FileInfo)
		If file.Exists Then
			Dim acls As New FileSecurity(file.FullName, AccessControlSections.Access)
			Dim sb As New StringBuilder()

			sb.AppendFormat("Access Control List for File - {0}", file.FullName).AppendLine()
			For Each rule As FileSystemAccessRule In acls.GetAccessRules(True, True, GetType(NTAccount))
				sb.AppendFormat("Account:     {0}", rule.IdentityReference.Value).AppendLine()
				sb.AppendFormat("Type:        {0}", rule.AccessControlType).AppendLine()
				sb.AppendFormat("Rights:      {0}", rule.FileSystemRights).AppendLine()
				sb.AppendFormat("Inherited:   {0}", rule.IsInherited).AppendLine()
				sb.AppendFormat("Inheritance: {0}", rule.InheritanceFlags).AppendLine()
				sb.AppendFormat("Propagation: {0}", rule.PropagationFlags).AppendLine()
				sb.AppendFormat("IsListContentOnlyFolder: {0}", rule.IsListContentOnlyFolder()).AppendLine()
				sb.AppendLine(New String("-"c, 25))
			Next
			Console.WriteLine(sb.ToString())
		End If
	End Sub
End Module

Open in new window

Produces the following output -Capture.JPGAnd here is a screenshot of the folder in question -Capture.JPGTo explain what is happening, consider the following -Capture.JPGSource

In order for a folder to report that it only contains the List Folder Contents ACL, it must meet the following criteria:
The Access Rule cannot be applied to files.  In other words, the FileSystemAccessRule's InheritanceFlags would be InheritanceFlags.ContainerInherit and the FileSystemAccessRule's PropagationFlags would be PropagationFlags.None (Source)
The FileSystemRights must be set to ReadAndExecute *and* Synchronize

-saige-
0
 

Author Comment

by:Kramarich
ID: 40525447
THAT'S IT!!!  The check I needed to make to determine whether it's a List only folder (hijacked from your example) is as follows:

If accessRule.PropagationFlags = PropagationFlags.None AndAlso accessRule.InheritanceFlags = InheritanceFlags.ContainerInherit AndAlso accessRule.FileSystemRights = (FileSystemRights.ReadAndExecute Or FileSystemRights.Synchronize) Then
     'this is a list only folder
End If

Open in new window


Also learned something about extensions!

Thanks,
Ken
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I will show you HOW TO: Install VMware Tools for Windows on a VMware Windows virtual machine on a VMware vSphere Hypervisor 6.5 (ESXi 6.5) Host Server, using the VMware Host Client. The virtual machine has Windows Server 2016 instal…
Learn how to PXE Boot both BIOS & UEFI machines with DHCP Policies and Custom Vendor Classes
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

790 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question