Solved

FileSystemRights returns Read & Execute but the actual permission is List folder contents

Posted on 2014-12-17
Last Modified: 2014-12-31
When I retrieve the permissions on a folder for a given user, FileSystemRights returns "Read & Execute" even though the folder only has "List folder contents" for that user.  What am I doing wrong?

Dim dirACLs As New Security.AccessControl.DirectorySecurity(FolderPath, Security.AccessControl.AccessControlSections.Access)

For Each accessRule As System.Security.AccessControl.FileSystemAccessRule In dirACLs.GetAccessRules(True, True, GetType(System.Security.Principal.NTAccount))
     'accessRule.FileSystemRights.ToString() returns "ReadAndExecute, Synchronize"
     'accessRule.FileSystemRights returns "ListDirectory Or ReadExtendedAttributes Or ExecuteFile Or ReadAttributes Or ReadPermissions Or Synchronize {1179817}"
Next

See the attached file for a screenshot of the permission in question.
permissions.jpg
0
Question by:Kramarich
11 Comments
 
LVL 69

Expert Comment

by:Qlemo
ID: 40505743
Looks like the object itself returns a DirectorySecurity object (http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.directorysecurity(v=vs.110).aspx), but the ToString() method acts on FileSecurity.
0
 

Author Comment

by:Kramarich
ID: 40506892
The problem is that neither returns the correct security setting.  The actual permission on the folder is "List folder contents" but FileSystemRights returns the same information as if the actual permission was "Read & execute".  How can I tell when just "List folder contents" is set as opposed to "Read & execute" (which also includes "List folder contents" and "read")?
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 40507128
Don't take that display in Explorer literally. Did you look up the real and effective bits in Advanced?
0
 

Author Comment

by:Kramarich
ID: 40507190
Yes.  It's really strange.  The same bits are checked whether the actual permission is "List folder contents" or "Read & execute".  That explains why FileSystemRights returns "Read & execute".  It doesn't explain how I'm supposed to know that the folder is really only "List folder contents".
0
 

Author Comment

by:Kramarich
ID: 40507193
Oops, here's the attachment.
Advanced.png
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 40507213
Yes, if only we knew ...
0
 

Author Comment

by:Kramarich
ID: 40522086
There has to be a way to get the correct results.
0
 
LVL 33

Accepted Solution

by:
it_saige earned 500 total points
ID: 40524449
Does something like this meet your requirements, Kramarich?
Imports System.IO
Imports System.Security.AccessControl
Imports System.Security.Principal
Imports System.Text

Module Module1
	Public Sub Main(ByVal args As String())
		Dim directory As New DirectoryInfo("C:\!quick\listfolder")
		directory.ListDirectoryACLs()
		Console.WriteLine("{0} is a list content only folder? {1}", directory.FullName, directory.IsListContentOnlyFolder())
		Console.ReadLine()
	End Sub
End Module

Module Extensions
	<System.Runtime.CompilerServices.Extension()> _
	Public Function IsListContentOnlyFolder(ByVal ace As FileSystemAccessRule) As Boolean
		Return (ace.PropagationFlags = PropagationFlags.None AndAlso ace.InheritanceFlags = InheritanceFlags.ContainerInherit AndAlso ace.FileSystemRights = (FileSystemRights.ReadAndExecute Or FileSystemRights.Synchronize))
	End Function

	<System.Runtime.CompilerServices.Extension()> _
	Public Function IsListContentOnlyFolder(ByVal directory As DirectoryInfo) As Boolean
		Dim result = False
		If directory.Exists Then
			Dim acls As New DirectorySecurity(directory.FullName, AccessControlSections.Access)

			For Each rule As FileSystemAccessRule In acls.GetAccessRules(True, True, GetType(NTAccount))
				If (rule.IsListContentOnlyFolder()) Then
					result = True
				End If
			Next
		End If
		Return result
	End Function

	<System.Runtime.CompilerServices.Extension()> _
	Public Sub ListDirectoryACLs(ByVal directory As DirectoryInfo)
		If directory.Exists Then
			Dim acls As New DirectorySecurity(directory.FullName, AccessControlSections.Access)
			Dim sb As New StringBuilder()

			sb.AppendFormat("Access Control List for Directory - {0}", directory.FullName).AppendLine()
			For Each rule As FileSystemAccessRule In acls.GetAccessRules(True, True, GetType(NTAccount))
				sb.AppendFormat("Account:     {0}", rule.IdentityReference.Value).AppendLine()
				sb.AppendFormat("Type:        {0}", rule.AccessControlType).AppendLine()
				sb.AppendFormat("Rights:      {0}", rule.FileSystemRights).AppendLine()
				sb.AppendFormat("Inherited:   {0}", rule.IsInherited).AppendLine()
				sb.AppendFormat("Inheritance: {0}", rule.InheritanceFlags).AppendLine()
				sb.AppendFormat("Propagation: {0}", rule.PropagationFlags).AppendLine()
				sb.AppendFormat("IsListContentOnlyFolder: {0}", rule.IsListContentOnlyFolder()).AppendLine()
				sb.AppendLine(New String("-"c, 25))
			Next
			Console.WriteLine(sb.ToString())
		End If
	End Sub

	<System.Runtime.CompilerServices.Extension()> _
	Public Sub ListFileACLs(ByVal file As FileInfo)
		If file.Exists Then
			Dim acls As New FileSecurity(file.FullName, AccessControlSections.Access)
			Dim sb As New StringBuilder()

			sb.AppendFormat("Access Control List for File - {0}", file.FullName).AppendLine()
			For Each rule As FileSystemAccessRule In acls.GetAccessRules(True, True, GetType(NTAccount))
				sb.AppendFormat("Account:     {0}", rule.IdentityReference.Value).AppendLine()
				sb.AppendFormat("Type:        {0}", rule.AccessControlType).AppendLine()
				sb.AppendFormat("Rights:      {0}", rule.FileSystemRights).AppendLine()
				sb.AppendFormat("Inherited:   {0}", rule.IsInherited).AppendLine()
				sb.AppendFormat("Inheritance: {0}", rule.InheritanceFlags).AppendLine()
				sb.AppendFormat("Propagation: {0}", rule.PropagationFlags).AppendLine()
				sb.AppendFormat("IsListContentOnlyFolder: {0}", rule.IsListContentOnlyFolder()).AppendLine()
				sb.AppendLine(New String("-"c, 25))
			Next
			Console.WriteLine(sb.ToString())
		End If
	End Sub
End Module


Produces the following output -
Capture.JPG
And here is a screenshot of the folder in question -
Capture.JPG
To explain what is happening, consider the following -
Capture.JPG
Source

In order for a folder to report that it only contains the List Folder Contents ACL, it must meet the following criteria:
1. The Access Rule cannot be applied to files.  In other words, the FileSystemAccessRule's InheritanceFlags would be InheritanceFlags.ContainerInherit and the FileSystemAccessRule's PropagationFlags would be PropagationFlags.None (Source)
2. The FileSystemRights must be set to ReadAndExecute *and* Synchronize

-saige-
0
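
An added example, not code from the thread or its participants: the accepted check generalized into a helper that labels an access rule from its rights together with its inheritance scope, run over constructed rules so no folder is needed. `DescribeRule`, the `Everyone` placeholder account, and the treatment of `ContainerInherit Or ObjectInherit` as "Read & execute" are assumptions of this example.

```vbnet
Imports System
Imports System.Security.AccessControl

Module ExplorerLabelExample
	' Hypothetical helper (not from the thread): names the basic permission an ACE
	' represents, using its rights together with its inheritance scope.
	Public Function DescribeRule(ByVal rule As FileSystemAccessRule) As String
		Dim kind As String = rule.AccessControlType.ToString()
		' Ignore Synchronize so the comparison does not depend on whether that bit is set.
		Dim basic As FileSystemRights = rule.FileSystemRights And Not FileSystemRights.Synchronize

		If basic <> FileSystemRights.ReadAndExecute Then
			Return kind & ": other rights (" & rule.FileSystemRights.ToString() & ")"
		End If
		If rule.PropagationFlags <> PropagationFlags.None Then
			Return kind & ": ReadAndExecute with propagation " & rule.PropagationFlags.ToString()
		End If

		Select Case rule.InheritanceFlags
			Case InheritanceFlags.ContainerInherit
				' Folders only: the rule never reaches files.
				Return kind & ": List folder contents"
			Case InheritanceFlags.ContainerInherit Or InheritanceFlags.ObjectInherit
				' Folders and files.
				Return kind & ": Read & execute"
			Case Else
				Return kind & ": ReadAndExecute, scope " & rule.InheritanceFlags.ToString()
		End Select
	End Function

	Public Sub Main()
		' Constructed sample ACEs; "Everyone" is a placeholder and no folder is read.
		' 1179817 is the numeric FileSystemRights value quoted in the question.
		Dim rx As FileSystemRights = CType(1179817, FileSystemRights)
		Dim both As InheritanceFlags = InheritanceFlags.ContainerInherit Or InheritanceFlags.ObjectInherit
		Dim samples As FileSystemAccessRule() = New FileSystemAccessRule() { _
			New FileSystemAccessRule("Everyone", rx, InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Allow), _
			New FileSystemAccessRule("Everyone", rx, both, PropagationFlags.None, AccessControlType.Allow), _
			New FileSystemAccessRule("Everyone", rx, InheritanceFlags.ContainerInherit, PropagationFlags.None, AccessControlType.Deny), _
			New FileSystemAccessRule("Everyone", rx, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow), _
			New FileSystemAccessRule("Everyone", FileSystemRights.Modify, both, PropagationFlags.None, AccessControlType.Allow) _
		}
		For Each rule As FileSystemAccessRule In samples
			Console.WriteLine("{0} -> {1}", rule.InheritanceFlags, DescribeRule(rule))
		Next
	End Sub
End Module
```

When auditing a real folder, pass each rule from `GetAccessRules` to the helper; reporting the Allow or Deny type alongside the label keeps a Deny entry from being read as a grant.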
 

Author Comment

by:Kramarich
ID: 40525447
THAT'S IT!!!  The check I needed to make to determine whether it's a List only folder (hijacked from your example) is as follows:

If accessRule.PropagationFlags = PropagationFlags.None AndAlso accessRule.InheritanceFlags = InheritanceFlags.ContainerInherit AndAlso accessRule.FileSystemRights = (FileSystemRights.ReadAndExecute Or FileSystemRights.Synchronize) Then
     'this is a list only folder
End If


Also learned something about extensions!

Thanks,
Ken
0
