
Check permissions on Folder

When my application starts I need to check folder permissions to ensure they
have "Full Control" before I let them proceed on. How can I check this
permission. Thank you, Fred
Sep 18 '06 #1

"Fred W." <fr*************@yahoo.com> wrote in message
news:%2****************@TK2MSFTNGP05.phx.gbl...
| When my application starts I need to check folder permissions to ensure they
| have "Full Control" before I let them proceed on. How can I check this
| permission. Thank you, Fred

While I fail to see why you need full control, the way to test your
privileges is by using the System.Security.AccessControl namespace classes.

Willy.

Sep 18 '06 #2
I suppose I don't need full control, but just "Read, Write, and Append"
capability (Or perhaps you have another suggestion?).

Which classes specifically? Do I need to call "Directory.GetAccessControl"
and then iterate through the "AccessRules" or is there a function I can call
to check for "Read, Write and Append" access on a directory. Thanks

Fred

Sep 18 '06 #3

"Fred W." <fr*************@yahoo.com> wrote in message
news:%2****************@TK2MSFTNGP05.phx.gbl...
| I suppose I don't need full control, but just "Read, Write, and Append"
| capability (Or perhaps you have another suggestion?).
|
| Which classes specifically? Do I need to call "Directory.GetAccessControl"
| and then iterate through the "AccessRules" or is there a function I can call
| to check for "Read, Write and Append" access on a directory. Thanks
|
| Fred

Following sample enumerates the ACE collection of a Directory object and
prints the FileSystemRights for the administrators group.
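
    using System;
    using System.IO;
    using System.Security.AccessControl;
    using System.Security.Principal;

    class Program
    {
        static void Main()
        {
            // Resolve the group name to a SID for comparison with each ACE.
            NTAccount acc = new NTAccount("administrators");
            SecurityIdentifier secId = acc.Translate(typeof(SecurityIdentifier))
                as SecurityIdentifier;
            DirectoryInfo dInfo = new DirectoryInfo("c:\\");
            DirectorySecurity dSecurity = dInfo.GetAccessControl();
            // Explicit and inherited rules, identities returned as SIDs.
            AuthorizationRuleCollection rules = dSecurity.GetAccessRules(
                true,
                true,
                typeof(SecurityIdentifier));
            foreach (FileSystemAccessRule ar in rules)
            {
                if (secId.CompareTo(ar.IdentityReference as SecurityIdentifier) == 0)
                    Console.WriteLine(ar.FileSystemRights);
            }
        }
    }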

Hope it helps.

Willy.
Sep 18 '06 #4
If I'm understanding this correctly then I will need to walk through the
"FileSystemAccessRules" and accumulate what's allowed and denied. I will
also need to interpret if the user is a member of that group for each rule.
My understanding is that explicit rules take precedence over inherited rules
(can I tell the difference?). Also, denied take precedence over allowed. Do
I just assume owners have full control?

This just seems like a lot of work for something windows does for you when
you try to create, delete, modify files and folders. I can't help but think
there must be a better solution. I basically want the Effective Permissions
tab in Windows Explorer Properties. I've run across references to an
"AccessCheck" function (for Win32), but I have yet to find anything
specifically for .NET. I suppose I could wrap the Win32 dlls, but I'm still
holding out for a .NET solution. Another solution I've been considering is
just creating temporary files and folders in the folders I want to check
and catching exceptions to determine what's allowed when I try to manipulate
them. Of course I could end up littering files if I can't delete them.

Any additional comments are appreciated. Thank you.

-Fred

Sep 19 '06 #5

"Fred W." <fr*************@yahoo.com> wrote in message
news:%2***************@TK2MSFTNGP03.phx.gbl...
| If I'm understanding this correctly then I will need to walk through the
| "FileSystemAccessRules" and accumulate what's allowed and denied. I will
| also need to interpret if the user is a member of that group for each rule.

That's right, you need to do exactly as the OS (the FileSystem in case of
File or Directory) does when accessing the object.

| My understanding is that explicit rules take precedence over inherited rules
| (can I tell the difference?).

Yes, they do.
Sure, take a look at the IsInherited property.

| Also, denied take precedence over allowed. Do
| I just assume owners have full control?

Denied take precedence.
Owners have it by default, but this can be changed.

| This just seems like a lot of work for something windows does for you when
| you try to create, delete, modify files and folders.

Yes, object access and security checking is hard in Windows, and that
doesn't change with .NET, really. And it's something you should never do
from end-user code, the security APIs are mainly meant to be used from
management and security editing applications, not really from user
applications that want to perform access checks.
All you should do from user code is try to open the object, the OS will
perform the required access checks, if it fails you will get a security
exception, if it succeeds you are done. Failures should be really
exceptional when administrators have done their job, most of the time they
point to illegal access.

| I can't help but think
| there must be a better solution. I basically want the Effective Permissions
| tab in Windows Explorer Properties.

What exactly do you mean by this? Do you want to display the same dialog as
the security editor from your code, or do you want to get the same
information? Quite a different task really. You won't find anything simpler,
really.

| I've run across references to an
| "AccessCheck" function (for Win32), but I have yet to find anything
| specifically for .NET.

AccessCheck is a complex function, before you can call it you need to fetch
a security descriptor, an access token, you need to construct a generic mask
and you need to check the out parameters when done, and don't forget to
check the return code and call SetLastError when anything fails. The lines
of code will largely exceed the pure managed solution (not to mention it's
error prone).

| I suppose I could wrap the Win32 dlls, but I'm still
| holding out for a .NET solution. Another solution I've been considering is
| just creating temporary files and folders in the folders I want to check
| and catching exceptions to determine what's allowed when I try to manipulate
| them. Of course I could end up littering files if I can't delete them.
| Any additional comments are appreciated. Thank you.

You don't need to do this, if your Folder and its inheritance chain is
set-up correctly for the application at hand.

Willy.
Sep 19 '06 #6
I agree with your point about just letting the OS perform the required
Access check, and I will start to adjust my application with that philosophy
in mind. However, my intent here is only to give my users an "upstream"
warning that they may encounter issues if the folder permissions are not
configured properly. My deployment project will configure the appropriate
permissions for them upon installation, but the application administrator
can change paths in the application for the data output (such as the log).
These alternate paths are typically accessible to the administrator, but
once the restricted user logs in, I have my issues (i.e. the administrator
has NOT done his job).

I will probably proceed with the 'Access Rules Walk' approach, unless anyone
is aware of any 3rd party code that performs this for .Net 2.0 already. I
will avoid the dll wrapper of 'AccessCheck'.

Thanks again for your help.

- Fred

Sep 19 '06 #7
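
As an added example (not code from either poster), here is one way to do the 'Access Rules Walk' discussed in this thread. Rather than accumulating allow and deny masks, it evaluates the rules in the order GetAccessRules returns them, so explicit entries are seen before inherited ones and a Deny on a still-needed right ends the check. The names FolderAccessPrecheck and HasRights are illustrative, and it assumes .NET on Windows with permission to read the folder's ACL.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class FolderAccessPrecheck   // illustrative name, not a framework type
{
    // Walk the DACL in stored order: fail on the first Deny that touches a
    // still-needed right, succeed once every needed right has been allowed.
    // Not modelled: owner's implicit rights, privileges, deny-only groups,
    // generic rights inside ACEs, share-level permissions.
    public static bool HasRights(string path, FileSystemRights needed)
    {
        WindowsIdentity me = WindowsIdentity.GetCurrent();
        DirectorySecurity acl = new DirectoryInfo(path).GetAccessControl();
        FileSystemRights remaining = needed;
        foreach (FileSystemAccessRule ace in
                 acl.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            // Inherit-only ACEs apply to children, not to this folder.
            if ((ace.PropagationFlags & PropagationFlags.InheritOnly) != 0)
                continue;
            // Only ACEs for the user's own SID or one of their groups count.
            SecurityIdentifier sid = (SecurityIdentifier)ace.IdentityReference;
            if (!sid.Equals(me.User) && !me.Groups.Contains(sid))
                continue;
            if (ace.AccessControlType == AccessControlType.Deny)
            {
                if ((ace.FileSystemRights & remaining) != 0)
                    return false;
            }
            else
            {
                remaining &= ~ace.FileSystemRights;
                if (remaining == 0)
                    return true;
            }
        }
        return remaining == 0;
    }

    static void Main(string[] args)
    {
        // Folder to check: first argument, or the temp folder as a sample.
        string folder = args.Length > 0 ? args[0] : Path.GetTempPath();
        // Write already includes AppendData, so this is "Read, Write, Append".
        FileSystemRights needed = FileSystemRights.Read | FileSystemRights.Write;
        Console.WriteLine("{0}: {1}", folder,
            HasRights(folder, needed) ? "OK" : "missing Read/Write/Append");
    }
}
```

Because of the cases it does not model, the result is only suitable as an early warning; the actual open or write call can still fail and must handle its exception.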
