Check permissions on Folder

7016 views
Skip to first unread message

Fred W.

unread,
Sep 18, 2006, 4:33:31 PM9/18/06
to
When my application starts I need to check folder permissions to ensure they
have "Full Control" before I let them proceed on. How can I check this
permission. Thank you, Fred


Willy Denoyette [MVP]

unread,
Sep 18, 2006, 5:16:57 PM9/18/06
to

"Fred W." <fredwem...@yahoo.com> wrote in message
news:%23FLy1G2...@TK2MSFTNGP05.phx.gbl...

While I fail to see why you need full control, the way to test your
privileges is by using the System.Security.AccessControl namespace classes.

Willy.

Fred W.

unread,
Sep 18, 2006, 5:49:03 PM9/18/06
to
I suppose I don't need full control, but just "Read, Write, and Append"
capability (Or perhaps you have another suggestion?).

Which classes specifically? Do I need to call "Directory.GetAccessControl"
and then iterate through the "AccessRules" or is there a function I can call
to check for "Read, Write and Append" access on a directory. Thanks

Fred

Willy Denoyette [MVP]

unread,
Sep 18, 2006, 7:02:46 PM9/18/06
to

"Fred W." <fredwem...@yahoo.com> wrote in message
news:%23UtzDx2...@TK2MSFTNGP05.phx.gbl...

Following sample enumerates the ACE collection of a Directory object and
prints the FileSystemRights for the administrators group.


NTAccount acc = new NTAccount("administrators");
SecurityIdentifier secId = acc.Translate(typeof(SecurityIdentifier))
as SecurityIdentifier;
DirectoryInfo dInfo = new DirectoryInfo("c:\\");
DirectorySecurity dSecurity = dInfo.GetAccessControl();
AuthorizationRuleCollection rules = dSecurity.GetAccessRules(
true,
true,
typeof(SecurityIdentifier) );
foreach(FileSystemAccessRule ar in rules)
{
if(secId.CompareTo(ar.IdentityReference as SecurityIdentifier) == 0)
Console.WriteLine(ar.FileSystemRights);
}

Hope it helps.

Willy.


Fred W.

unread,
Sep 19, 2006, 11:57:58 AM9/19/06
to
If I'm understanding this correctly then I will need to walk through the
"FileSystemAccessRules" and accumulate what's allowed and denied. I will
also need to interpret if the user is a member of that group for each rule.
My understanding is that explicit rules take precedence over inherited rules
(can I tell the difference?). Also, denied take precedence over allowed. Do
I just assume owners have full control?

This just seems like a lot of work for something windows does for you when
you try to create, delete, modify files and folders. I can't help but think
there must be a better solution. I basically want the Effective Permissions
tab in Windows Explorer Properties. I've run across references to an
"AccessCheck" function (for Win32), but I have yet find anything
specifically for .NET. I suppose I could wrap the Win32 dlls, but I'm still
holding out for a .NET solution. Another solution I've been considering is
just creating a temporary files and folder in the folders I want to check
and catch exceptions to determine what's allow when I try to manipulate. Of
course I could end up littering files if I can't delete them.

Any additional comments are appreciated. Thank you.

-Fred

"Willy Denoyette [MVP]" <willy.d...@telenet.be> wrote in message
news:eKAaQa32...@TK2MSFTNGP02.phx.gbl...

Willy Denoyette [MVP]

unread,
Sep 19, 2006, 2:26:18 PM9/19/06
to

"Fred W." <fredwem...@yahoo.com> wrote in message
news:%23tPFjRA...@TK2MSFTNGP03.phx.gbl...

| If I'm understanding this correctly then I will need to walk through the
| "FileSystemAccessRules" and accumulate what's allowed and denied. I will
| also need to interpret if the user is a member of that group for each
rule.

That's right, you need to do exactly as the OS (the FileSystem in case of
File or Directory) does when accessing the object.

| My understanding is that explicit rules take precedence over inherited
rules
| (can I tell the difference?).

Yes, they do.
Sure, take a look at the IsInherited propery.

Also, denied take precedence over allowed. Do
| I just assume owners have full control?
|

Denied take precedence.
Owners have it by default, but this can be changed.

| This just seems like a lot of work for something windows does for you when
| you try to create, delete, modify files and folders.

Yes, object access and security checking is hard in Windows, and that
doesn't change with .NET, really. And it's something you should never do
from end-user code, the security API's are mainly meant to be used from
management and security editing applications, not really from user
applications that want to perform access checks.
All you should do from user code is try to open the object, the OS will
perform the required access checks, if it fails you will get a security
exception, if it succeeds you are done. Failures should be really
exceptional when administrator have done their job, most of the time they
point to illegal access.


I can't help but think
| there must be a better solution. I basically want the Effective
Permissions
| tab in Windows Explorer Properties.

What exactly do you mean by this? Do you want to display the same dialog as
the security editor from your code, or do you want to get the same
information? Quite a different task really. You won't find anything simpler,
really.


I've run across references to an
| "AccessCheck" function (for Win32), but I have yet find anything
| specifically for .NET.

AccessCheck is a complex function, before you can call it you need to fetch
a security descriptor, an access token, you need to construct a generic mask
and you need to check the out parameters when done, and don't forget to
check the return code and call SetLastError when anything fails. The lines
of code will largely exceed the pure managed solution (not to mention it's
error prone).


I suppose I could wrap the Win32 dlls, but I'm still
| holding out for a .NET solution. Another solution I've been considering is
| just creating a temporary files and folder in the folders I want to check
| and catch exceptions to determine what's allow when I try to manipulate.
Of
| course I could end up littering files if I can't delete them.
| Any additional comments are appreciated. Thank you.


You don't need to do this, if your Folder and it's inheritance chain is
set-up correctly for the application at hand.

Willy.


Fred W.

unread,
Sep 19, 2006, 4:43:02 PM9/19/06
to
I agree with your point about just letting the OS perform the required
Access check, and I will start to adjust my application with that philosophy
in mind. However, my intent here is only to give my users an "upstream"
warning that they may encounter issue if the folder permissions are not
configured properly. My deployment project will configure the appropriate
permissions for them upon installation, but the application administrator
can change paths in the application for the data output (such as the log).
These alternate paths are typically accessible to the administrator, but
once the restricted user logs in, I have my issues (i.e. the administrator
has NOT done his job).

I will probably proceed with the 'Access Rules Walk' approach, unless anyone
is aware of any 3rd party code that performs this for .Net 2.0 already. I
will avoid the dll wrapper of 'AccessCheck".

Thanks again for your help.

- Fred

"Willy Denoyette [MVP]" <willy.d...@telenet.be> wrote in message

news:eUcQXkB3...@TK2MSFTNGP05.phx.gbl...

cga.g...@gmail.com

unread,
May 12, 2017, 8:20:35 AM5/12/17
to
Hi all,

Playing around with different solution I cam in with this solution that looks to be working for all cases :



string path = "\\server\path";

// ***** check windows user *****
WindowsIdentity wid = WindowsIdentity.GetCurrent();

// ***** check directory *****
DirectoryInfo di = new DirectoryInfo(path);

bool denied = false;
bool allowed = false;

// ***** check write access *****
try
{
DirectorySecurity acl = di.GetAccessControl();
AuthorizationRuleCollection arc = acl.GetAccessRules(true, true, typeof(SecurityIdentifier));
IList<FileSystemAccessRule> ars = new List<FileSystemAccessRule>(arc.OfType<FileSystemAccessRule>());

IList<IdentityReference> widgs = wid.Groups.Where(g => ((SecurityIdentifier)g).IsAccountSid()).ToList();

// ***** user, not inherited rules *****
foreach (FileSystemAccessRule rule in ars.Where(r => r.IdentityReference.Equals(wid.User) && !r.IsInherited))
{
denied |= this.DeniesWriteAccess(rule);
allowed |= this.AllowsWriteAccess(rule);
}

// ***** user, inherited rules *****
foreach (FileSystemAccessRule rule in ars.Where(r => r.IdentityReference.Equals(wid.User) && r.IsInherited))
{
denied |= this.DeniesWriteAccess(rule);
allowed |= this.AllowsWriteAccess(rule);
}

// ***** groups, not inherited rules *****
foreach (FileSystemAccessRule rule in ars.Where(r => widgs.Contains(r.IdentityReference) && !r.IsInherited))
{
denied |= this.DeniesWriteAccess(rule);
allowed |= this.AllowsWriteAccess(rule);
}

// ***** groups, inherited rules *****
foreach (FileSystemAccessRule rule in ars.Where(r => widgs.Contains(r.IdentityReference) && r.IsInherited))
{
denied |= this.DeniesWriteAccess(rule);
allowed |= this.AllowsWriteAccess(rule);
}
}
catch (UnauthorizedAccessException)
{
}

if (!denied && allowed)
{
StreamWriter sr = new StreamWriter(new FileStream(string.Format("{0}/test.txt", path), FileMode.Create));
sr.WriteLine("HELLO !");
sr.Flush();
sr.Close();
}

}

private bool AllowsWriteAccess(FileSystemAccessRule rule)
{
if (
rule.AccessControlType == AccessControlType.Allow
&& (
rule.FileSystemRights.HasFlag(FileSystemRights.Write)
|| rule.FileSystemRights.HasFlag(FileSystemRights.WriteData)
|| rule.FileSystemRights.HasFlag(FileSystemRights.CreateDirectories)
|| rule.FileSystemRights.HasFlag(FileSystemRights.CreateFiles)
)
)
{
return true;
}

return false;
}

private bool DeniesWriteAccess(FileSystemAccessRule rule)
{
if (
rule.AccessControlType == AccessControlType.Deny
&& (
rule.FileSystemRights.HasFlag(FileSystemRights.Write)
|| rule.FileSystemRights.HasFlag(FileSystemRights.WriteData)
|| rule.FileSystemRights.HasFlag(FileSystemRights.CreateDirectories)
|| rule.FileSystemRights.HasFlag(FileSystemRights.CreateFiles)
)
)
{
return true;
}

return false;
}


Arne Vajhøj

unread,
May 12, 2017, 8:58:20 PM5/12/17
to
On 5/12/2017 8:20 AM, cga.g...@gmail.com wrote:
> Playing around with different solution I cam in with this solution that looks to be working for all cases :

Are you aware that the thread is 11 years old?

Arne


zante...@gmail.com

unread,
Aug 29, 2017, 3:57:51 AM8/29/17
to
On Saturday, May 13, 2017 at 3:58:20 AM UTC+3, Arne Vajhøj wrote:
> Are you aware that the thread is 11 years old?
>
> Arne

Yes

cart...@gmail.com

unread,
Jun 20, 2018, 8:44:53 AM6/20/18
to
Thank you very much for this solution.... it may by an 11 yr post but it will still help people in the future :)

Luuk

unread,
Jun 30, 2018, 4:17:41 AM6/30/18
to
On 20-6-2018 14:44, cart...@gmail.com wrote:
> On Friday, 12 May 2017 08:20:35 UTC-4, cga.g...@gmail.com wrote:
>> Hi all,
>>
>> Playing around with different solution I cam in with this solution that looks to be working for all cases :
>>
>>
>>
>> string path = "\\server\path";
>>
>> // ***** check windows user *****
>> WindowsIdentity wid = WindowsIdentity.GetCurrent();
>>
>> // ***** check directory *****
>> DirectoryInfo di = new DirectoryInfo(path);
>>
>> bool denied = false;

This line should read:
bool denied = true;

>> bool allowed = false;
>>
>> // ***** check write access *****
>> try
>> {
...
>> }
>> catch (UnauthorizedAccessException)
>> {
>> }
>>
>> if (!denied && allowed)
>> {
>> StreamWriter sr = new StreamWriter(new FileStream(string.Format("{0}/test.txt", path), FileMode.Create));
>> sr.WriteLine("HELLO !");
>> sr.Flush();
>> sr.Close();
>> }
>>
>> }
>>
> Thank you very much for this solution.... it may by an 11 yr post but it will still help people in the future :)
>

If 'anything' in the try/catch fails, access should be denied...
Reply all
Reply to author
Forward
0 new messages