Get ACL

I use this code to set write permissions on a folder/file with Win32Security.DLL:

SecurityDescriptor secDesc = SecurityDescriptor.GetFileSecurity (@strFile, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION);
Dacl dacl = secDesc.Dacl;
dacl.AddAce (new AceAccessAllowed (new Sid (user), AccessType.GENERIC_EXECUTE | AccessType.GENERIC_READ | AccessType.GENERIC_WRITE | AccessType.DELETE, AceFlags.CONTAINER_INHERIT_ACE | AceFlags.OBJECT_INHERIT_ACE));
secDesc.SetDacl(dacl);
secDesc.SetFileSecurity(@strFile, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION);

But how do I get the ACL for a user? I need to know if a user has the permissions as stated in the code above on a file/folder.
Nov 16 '05 #1
You shouldn't use "unsupported" stuff like Win32Security.dll, use the
System.DirectoryServices (XP and higher) or System.Management namespace
instead.
Next is a complete example illustrating how to dump the ACE's from a File
object DACL using System.Management classes.

using System;
using System.Management;
using System.Collections;

// Access mask (see AccessMask property)
[Flags]
enum Mask : uint
{
    FileReadData        = 0x00000001,
    FileWriteData       = 0x00000002,
    FileAppendData      = 0x00000004,
    FileReadEA          = 0x00000008,
    FileWriteEA         = 0x00000010,
    FileExecute         = 0x00000020,
    FileDeleteChild     = 0x00000040,
    FileReadAttributes  = 0x00000080,
    FileWriteAttributes = 0x00000100,

    Delete      = 0x00010000,
    ReadControl = 0x00020000,
    WriteDac    = 0x00040000,
    WriteOwner  = 0x00080000,
    Synchronize = 0x00100000,

    AccessSystemSecurity = 0x01000000,
    MaximumAllowed       = 0x02000000,

    GenericAll     = 0x10000000,
    GenericExecute = 0x20000000,
    GenericWrite   = 0x40000000,
    GenericRead    = 0x80000000
}

[Flags]
enum AceFlags : int
{
    ObjectInheritAce      = 1,
    ContainerInheritAce   = 2,
    NoPropagateInheritAce = 4,
    InheritOnlyAce        = 8,
    InheritedAce          = 16
}

[Flags]
enum AceType : int
{
    AccessAllowed = 0,
    AccessDenied  = 1,
    Audit         = 2
}

class Tester {
    public static void Main() {
        string fileObject = @"c:\\pipo\\t.txt"; // Watch the double backslashes
        using(ManagementObject lfs = new
            ManagementObject(@"Win32_LogicalFileSecuritySetting.Path=" + "'" +
            fileObject + "'"))
        {
            // Get the security descriptor for this object
            // Dump all trustees (this includes owner)
            ManagementBaseObject outParams =
                lfs.InvokeMethod("GetSecurityDescriptor", null, null);
            if (((uint)(outParams.Properties["ReturnValue"].Value)) == 0) // if success
            {
                ManagementBaseObject secDescriptor =
                    ((ManagementBaseObject)(outParams.Properties["Descriptor"].Value));
                // The DACL is an array of Win32_ACE objects.
                ManagementBaseObject[] dacl =
                    ((ManagementBaseObject[])(secDescriptor.Properties["Dacl"].Value));
                DumpACEs(dacl);
            }
        }
    }

    static void DumpACEs(ManagementBaseObject[] dacl)
    {
        foreach(ManagementBaseObject mbo in dacl){
            Console.WriteLine("\n---------\nMask: {0:X} - Flags: {1} - Type: {2}",
                mbo["AccessMask"], mbo["AceFlags"], mbo["AceType"]);
            // Access allowed/denied ACE
            if(Convert.ToInt32(mbo["AceType"]) == (int)AceType.AccessDenied)
                Console.WriteLine("DENIED ACE TYPE");
            else
                Console.WriteLine("ALLOWED ACE TYPE");
            // Dump trustees
            ManagementBaseObject Trustee = ((ManagementBaseObject)(mbo["Trustee"]));
            Console.WriteLine("Name: {0} - Domain: {1} - SID {2}\n",
                Trustee.Properties["Name"].Value,
                Trustee.Properties["Domain"].Value,
                Trustee.Properties["SIDString"].Value);
            // Dump ACE mask in readable form
            UInt32 mask = (UInt32)mbo["AccessMask"];
            Console.WriteLine(Enum.Format(typeof(Mask), mask, "g"));
        }
    }
}


Willy.

"Aleborg" <an****@aleborg.se> wrote in message
news:D5**********************************@microsoft.com...
I use this code to set writepermissions on a folder/file with
Win32Security.DLL:

SecurityDescriptor secDesc = SecurityDescriptor.GetFileSecurity (@strFile,
SECURITY_INFORMATION.DACL_SECURITY_INFORMATION);
Dacl dacl = secDesc.Dacl;
dacl.AddAce (new AceAccessAllowed (new Sid (user),
AccessType.GENERIC_EXECUTE | AccessType.GENERIC_READ |
AccessType.GENERIC_WRITE | AccessType.DELETE,
AceFlags.CONTAINER_INHERIT_ACE | AceFlags.OBJECT_INHERIT_ACE));
secDesc.SetDacl(dacl);
secDesc.SetFileSecurity(@strFile,
SECURITY_INFORMATION.DACL_SECURITY_INFORMATION);

But how do I get the ACL for a user? I need to know if a user has the
permissions as stated in the code above on a file/folder.

Nov 16 '05 #2
Hi!

Thanks, now I have this code:
public int GetPermissions()
{
    string fileObject = @strFile; // Watch the double Backslashes
    using(ManagementObject lfs = new
        ManagementObject(@"Win32_LogicalFileSecuritySetting.Path=" + "'" +
        fileObject + "'"))
    {
        // Get the security descriptor for this object
        // Dump all trustees (this includes owner)
        ManagementBaseObject outParams =
            lfs.InvokeMethod("GetSecurityDescriptor", null, null);
        if (((uint)(outParams.Properties["ReturnValue"].Value)) == 0)
        // if success
        {
            ManagementBaseObject secDescriptor =
                ((ManagementBaseObject)(outParams.Properties["Descriptor"].Value));
            // The DACL is an array of Win32_ACE objects.
            ManagementBaseObject[] dacl =
                ((ManagementBaseObject[])(secDescriptor.Properties["Dacl"].Value));
            return DumpACEs(dacl);
        }
        else
            return -1;
    }
}

public int DumpACEs(ManagementBaseObject[] dacl)
{
    string ace = "";
    foreach(ManagementBaseObject mbo in dacl)
    {
        ManagementBaseObject Trustee = ((ManagementBaseObject)(mbo["Trustee"]));
        if(Trustee.Properties["Name"].Value.ToString()==user)
        {
            UInt32 mask = (UInt32)mbo["AccessMask"];
            ace = Enum.Format(typeof(Mask), mask, "g");
        }
    }
    if(ace=="FileReadData, FileWriteData, FileAppendData, FileReadEA, FileWriteEA, FileExecute, FileReadAttributes, FileWriteAttributes, Delete, ReadControl, Synchronize")
        return 0;
    else
        return -1;
}

It works, but we use it to get permissions for a list of files (if a specific user has the correct permissions on the files/folders) and it's VERY slow; with 25 files we almost get a timeout on the page (aspx).
What we're trying to do is to list files for a user that has logged in and check a checkbox if the file has modify permissions.

And how can we set "modify" permissions on a file?
Nov 16 '05 #3
Hi Anders,

I will spend some time doing some research on this issue, and I will reply to
you ASAP.

Thanks for your understanding.

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

Nov 16 '05 #5
This stuff isn't made to be run from applications other than "Filesystem
security editing" management applications!
You should never ever check access rights on NTFS file objects in a 'normal'
user application; as you have noticed, this is slow. The reason for this is
that for each trustee the underlying code has to access the local and/or the
domain security system (SAM database) to map the SID from the ACE entry to
a user account name and domain name.
If you really, really need to do this, you should cache the ACE/trustee
mappings when the application starts and use the cached data; another approach
would be to persist the data in a DB and read the mappings from there.
Another option is to get the SID from the caller's account/domain name (this
can be tricky) and only use the SID instead of doing the lookup for each
ACE.

Willy.
"Aleborg" <an****@aleborg.se> wrote in message
news:36**********************************@microsoft.com...
Hi!

Thanks, now I have this code:
public int GetPermissions()
{
string fileObject = @strFile; // Watch the double Backslashes
using(ManagementObject lfs = new
ManagementObject(@"Win32_LogicalFileSecuritySetting.Path=" + "'" +
fileObject + "'"))
{
// Get the security descriptor for this object
// Dump all trustees (this includes owner)
ManagementBaseObject outParams =
lfs.InvokeMethod("GetSecurityDescriptor", null, null);
if (((uint)(outParams.Properties["ReturnValue"].Value)) == 0)
// if success
{
ManagementBaseObject secDescriptor =
((ManagementBaseObject)(outParams.Properties["Descriptor"].Value));
//The DACL is an array of Win32_ACE objects.
ManagementBaseObject[] dacl =
((ManagementBaseObject[])(secDescriptor.Properties["Dacl"].Value));
return DumpACEs(dacl);

}
else
return -1;
}
}
public int DumpACEs(ManagementBaseObject[] dacl)
{
string ace= "";
foreach(ManagementBaseObject mbo in dacl)
{
ManagementBaseObject Trustee = ((ManagementBaseObject)(mbo["Trustee"]));
if(Trustee.Properties["Name"].Value.ToString()==user)
{
UInt32 mask = (UInt32)mbo["AccessMask"];
ace = Enum.Format(typeof(Mask), mask, "g");
}
}
if(ace=="FileReadData, FileWriteData, FileAppendData, FileReadEA,
FileWriteEA, FileExecute, FileReadAttributes, FileWriteAttributes, Delete,
ReadControl, Synchronize")
return 0;
else
return -1;
}

It works but we use it to get permissions for a list of files(if a
specific user has the correct permissions on the files/folders) but its
VERY slow, with 25 files we almost get a time out on the page(aspx).
What we're trying to do is to list files for a user that has logged in and
check a checkbox if the file has modify permissions.

And how can we set "modify" permissions on a file?

Nov 16 '05 #6
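Added example (not code from the thread or from any poster): one way to apply the SID-only suggestion above, deciding "modify" access by walking the ACEs in order and matching on SIDString, instead of resolving trustee names and comparing one ACE's formatted mask. It assumes the caller already holds the user's SID and group SIDs and has read SIDString, AceType, AceFlags and AccessMask from each Win32_ACE; the names DaclCheck, Ace and IsGranted are hypothetical, the SIDs and ACEs are constructed, and owner rights and privileges are not modelled.

```csharp
using System;
using System.Collections.Generic;

// Added example: decides access from SIDs and masks only, no name lookups.
static class DaclCheck
{
    // Sum of the rights named in the thread's comparison string
    // (FileReadData ... Synchronize), i.e. NTFS "Modify".
    public const uint Modify = 0x001301BF;
    const int AccessAllowed = 0, AccessDenied = 1;  // Win32_ACE.AceType
    const int InheritOnly = 8;                      // Win32_ACE.AceFlags

    public struct Ace
    {
        public string Sid; public int Type; public int Flags; public uint Mask;
        public Ace(string sid, int type, int flags, uint mask)
        { Sid = sid; Type = type; Flags = flags; Mask = mask; }
    }

    // Expand generic bits to the file-specific rights they stand for.
    static uint MapGeneric(uint m)
    {
        if ((m & 0x80000000) != 0) m |= 0x00120089; // GENERIC_READ
        if ((m & 0x40000000) != 0) m |= 0x00120116; // GENERIC_WRITE
        if ((m & 0x20000000) != 0) m |= 0x001200A0; // GENERIC_EXECUTE
        if ((m & 0x10000000) != 0) m |= 0x001F01FF; // GENERIC_ALL
        return m & 0x0FFFFFFF;
    }

    // Walk the ACEs in stored order: a deny ACE covering a still-needed
    // right fails the check; allow ACEs accumulate until nothing is missing.
    public static bool IsGranted(IEnumerable<Ace> dacl, ICollection<string> sids, uint wanted)
    {
        uint remaining = wanted;
        foreach (Ace ace in dacl)
        {
            if ((ace.Flags & InheritOnly) != 0) continue; // applies to children only
            if (!sids.Contains(ace.Sid)) continue;        // not the user or a group
            uint mask = MapGeneric(ace.Mask);
            if (ace.Type == AccessDenied && (mask & remaining) != 0) return false;
            if (ace.Type == AccessAllowed) remaining &= ~mask;
            if (remaining == 0) return true;
        }
        return false;
    }

    static void Main()
    {
        // Constructed SIDs and ACEs, for illustration only.
        string user = "S-1-5-21-1111111111-2222222222-3333333333-1001";
        string group = "S-1-5-21-1111111111-2222222222-3333333333-513";
        var sids = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { user, group };
        var split = new List<Ace> {
            new Ace(group, 0, 0, 0x001200A9), // read & execute via the group
            new Ace(user,  0, 0, 0x00010116), // write + delete for the user
        };
        var denied = new List<Ace> {
            new Ace(user,  1, 0, 0x00000002), // deny FileWriteData
            new Ace(group, 0, 0, 0x001F01FF), // full control via the group
        };
        Console.WriteLine(IsGranted(split, sids, Modify));
        Console.WriteLine(IsGranted(denied, sids, Modify));
    }
}
```

The first list grants Modify only when both ACEs are combined, and the second is refused by the deny ACE even though the group ACE alone carries every right; a check that looks at a single ACE's mask gets both cases wrong.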
Hi anders,

Sorry for making you wait for so long.

To set the NTFS permission of a certain file or folder, you may just use WMI
to invoke the Win32_LogicalFileSecuritySetting.SetSecurityDescriptor method to
get this done. There is a sample at:
http://groups.google.com/groups?hl=z...&selm=%23kHUtCfcCHA.2004%40tkmsftngp12&rnum=2

Also, you may COM interop ADsSecurity.dll, then use SetSecurityDescriptor
method to achieve this. Please refer to:
"HOW TO: Programmatically Set NTFS File System Folder Permissions by Using
Microsoft Visual Basic .NET"
http://support.microsoft.com/default...b;en-us;818362

Yes, WMI may be somewhat slow at retrieving NTFS permissions. You may try
COM interop with ADsSecurity.dll to see if it improves your performance. I
think the article above provides you enough information to get this done.
Also, you may try to P/Invoke the GetSecurityInfo API.

===========================
Please apply my suggestion above and let me know if it helps resolve your
problem.

Thank you for your patience and cooperation. If you have any questions or
concerns, please feel free to post it in the group. I am standing by to be
of assistance.

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

Nov 16 '05 #7
Hi anders,

Does our reply make sense to you? Do you still have any concerns?

Please feel free to let me know, I will help you. Thanks

Best regards,
Jeffrey Tan
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.

Nov 16 '05 #11
