Checking for shared directory permission - C#
I want to write code that checks for shared directory permission. I checked more than one solution, but they work well when getting local directory permission and fail when I make test cases for shared directories.

I tried the examples in this question: SOF: checking-for-directory-and-file-write-permissions-in-net

but they work only on local directories.

For example, I used this class:

using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

public class CurrentUserSecurity
{
    WindowsIdentity _currentUser;
    WindowsPrincipal _currentPrincipal;

    public CurrentUserSecurity()
    {
        _currentUser = WindowsIdentity.GetCurrent();
        _currentPrincipal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
    }

    public bool HasAccess(DirectoryInfo directory, FileSystemRights right)
    {
        // Get the collection of authorization rules that apply to the directory.
        AuthorizationRuleCollection acl = directory.GetAccessControl()
            .GetAccessRules(true, true, typeof(SecurityIdentifier));
        return HasFileOrDirectoryAccess(right, acl);
    }

    public bool HasAccess(FileInfo file, FileSystemRights right)
    {
        // Get the collection of authorization rules that apply to the file.
        AuthorizationRuleCollection acl = file.GetAccessControl()
            .GetAccessRules(true, true, typeof(SecurityIdentifier));
        return HasFileOrDirectoryAccess(right, acl);
    }

    private bool HasFileOrDirectoryAccess(FileSystemRights right,
                                          AuthorizationRuleCollection acl)
    {
        bool allow = false;
        bool inheritedAllow = false;
        bool inheritedDeny = false;

        for (int i = 0; i < acl.Count; i++)
        {
            FileSystemAccessRule currentRule = (FileSystemAccessRule)acl[i];
            // If the current rule applies to the current user.
            if (_currentUser.User.Equals(currentRule.IdentityReference) ||
                _currentPrincipal.IsInRole(
                                (SecurityIdentifier)currentRule.IdentityReference))
            {

                if (currentRule.AccessControlType.Equals(AccessControlType.Deny))
                {
                    if ((currentRule.FileSystemRights & right) == right)
                    {
                        if (currentRule.IsInherited)
                        {
                            inheritedDeny = true;
                        }
                        else
                        { // Non inherited "deny" takes overall precedence.
                            return false;
                        }
                    }
                }
                else if (currentRule.AccessControlType
                                                .Equals(AccessControlType.Allow))
                {
                    if ((currentRule.FileSystemRights & right) == right)
                    {
                        if (currentRule.IsInherited)
                        {
                            inheritedAllow = true;
                        }
                        else
                        {
                            allow = true;
                        }
                    }
                }
            }
        }

        if (allow)
        { // Non inherited "allow" takes precedence over inherited rules.
            return true;
        }
        return inheritedAllow && !inheritedDeny;
    }
}

It checks the permission of the current impersonation on a directory or file. All test cases pass correctly when checking a local directory, but some of them fail on a shared directory, which is the problem I want to solve. So is there any solution for that?

The test case below fails although the directory doesn't have write permission:

    [TestMethod]
    public void HasAccess_NotHaveAccess_ReturnsFalse()
    {
        CurrentUserSecurity cus = new CurrentUserSecurity();
        bool result = cus.HasAccess(new DirectoryInfo(@"\\sharedpc\readonly"), System.Security.AccessControl.FileSystemRights.Write);
        Assert.AreEqual(result, false);
    }
Gelhar answered 21/10, 2015 at 12:47 Comment(3)
Hi deserthero, I tried your code and everything works fine here. Are you sure that you set up the permissions appropriately for the current user in the "\\sharedpc\readonly" folder? Arel
Hi, I put an answer below, but I think this is an environment thing or just a little bit of confusion. I understand your TestMethod returns True, indicating the user does have permission, but that's incorrect? 1. Can you edit your question and provide a screenshot of the folder's permissions, and 2. indicate the user account name that's running the code (WindowsIdentity.GetCurrent). 3. Please confirm you have tested with a different WindowsIdentity besides yourself; the easiest way to do that: #125841. Thanks. Olivine
Have you tried this, msdn.microsoft.com/en-us/library/… ? The Get method will probably not resolve nested rules or dependent rules, such as a rule applied to a group, etc.; this method might give you the actual access rule to verify. Granddaddy

Your code WOMM. I encourage you to work out why the standard .NET classes fail (in your environment) by using the Win32 APIs directly, to uncover any potential issues the BCL is hiding.

Fingers crossed, if you try this lower-level method it yields errors that give you a clue what the problem is with the BCL classes, or you can use it as a workaround.

using System;
using System.Collections.Generic;
using System.Text;
using System.Runtime.InteropServices;

class MainConsole
{
    [DllImport("Netapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern int NetShareGetInfo(
        [MarshalAs(UnmanagedType.LPWStr)] string serverName,
        [MarshalAs(UnmanagedType.LPWStr)] string netName,
        Int32 level,
        out IntPtr bufPtr);

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool GetSecurityDescriptorDacl(
        IntPtr pSecurityDescriptor,
        [MarshalAs(UnmanagedType.Bool)] out bool bDaclPresent,
        ref IntPtr pDacl,
        [MarshalAs(UnmanagedType.Bool)] out bool bDaclDefaulted
        );

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool GetAclInformation(
        IntPtr pAcl,
        ref ACL_SIZE_INFORMATION pAclInformation,
        uint nAclInformationLength,
        ACL_INFORMATION_CLASS dwAclInformationClass
     );

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern int GetAce(
        IntPtr aclPtr,
        int aceIndex,
        out IntPtr acePtr
     );

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern int GetLengthSid(
        IntPtr pSID
     );

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool ConvertSidToStringSid(
        [MarshalAs(UnmanagedType.LPArray)] byte[] pSID,
        out IntPtr ptrSid
     );

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern int NetApiBufferFree(
        IntPtr buffer
     );

    enum SID_NAME_USE
    {
        SidTypeUser = 1,
        SidTypeGroup,
        SidTypeDomain,
        SidTypeAlias,
        SidTypeWellKnownGroup,
        SidTypeDeletedAccount,
        SidTypeInvalid,
        SidTypeUnknown,
        SidTypeComputer
    }

    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    static extern bool LookupAccountSid(
      string lpSystemName,
      [MarshalAs(UnmanagedType.LPArray)] byte[] Sid,
      System.Text.StringBuilder lpName,
      ref uint cchName,
      System.Text.StringBuilder ReferencedDomainName,
      ref uint cchReferencedDomainName,
      out SID_NAME_USE peUse);

    [StructLayout(LayoutKind.Sequential)]
    struct SHARE_INFO_502
    {
        [MarshalAs(UnmanagedType.LPWStr)]
        public string shi502_netname;
        public uint shi502_type;
        [MarshalAs(UnmanagedType.LPWStr)]
        public string shi502_remark;
        public Int32 shi502_permissions;
        public Int32 shi502_max_uses;
        public Int32 shi502_current_uses;
        [MarshalAs(UnmanagedType.LPWStr)]
        public string shi502_path;
        public IntPtr shi502_passwd;
        public Int32 shi502_reserved;
        public IntPtr shi502_security_descriptor;
    }

    [StructLayout(LayoutKind.Sequential)]
    struct ACL_SIZE_INFORMATION
    {
        public uint AceCount;
        public uint AclBytesInUse;
        public uint AclBytesFree;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct ACE_HEADER
    {
        public byte AceType;
        public byte AceFlags;
        public short AceSize;
    }

    [StructLayout(LayoutKind.Sequential)]
    struct ACCESS_ALLOWED_ACE
    {
        public ACE_HEADER Header;
        public int Mask;
        public int SidStart;
    }

    enum ACL_INFORMATION_CLASS
    {
        AclRevisionInformation = 1,
        AclSizeInformation
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr LocalFree(IntPtr hMem);

    static void Main(string[] args)
    {
        IntPtr bufptr = IntPtr.Zero;
        int err = NetShareGetInfo("ServerName", "ShareName", 502, out bufptr);
        if (0 == err)
        {
            SHARE_INFO_502 shareInfo = (SHARE_INFO_502)Marshal.PtrToStructure(bufptr, typeof(SHARE_INFO_502));

            bool bDaclPresent = false;
            bool bDaclDefaulted;
            IntPtr pAcl = IntPtr.Zero;
            // Some shares (e.g. administrative ones) come back without a security
            // descriptor; passing IntPtr.Zero to GetSecurityDescriptorDacl crashes.
            if (shareInfo.shi502_security_descriptor != IntPtr.Zero)
            {
                GetSecurityDescriptorDacl(shareInfo.shi502_security_descriptor, out bDaclPresent, ref pAcl, out bDaclDefaulted);
            }
            else
            {
                Console.WriteLine("The share has no security descriptor.");
            }
            // A present but NULL DACL means "everyone, full access"; nothing to enumerate.
            if (bDaclPresent && pAcl != IntPtr.Zero)
            {
                ACL_SIZE_INFORMATION AclSize = new ACL_SIZE_INFORMATION();
                GetAclInformation(pAcl, ref AclSize, (uint)Marshal.SizeOf(typeof(ACL_SIZE_INFORMATION)), ACL_INFORMATION_CLASS.AclSizeInformation);
                for (int i = 0; i < AclSize.AceCount; i++)
                {
                    IntPtr pAce;
                    err = GetAce(pAcl, i, out pAce);
                    ACCESS_ALLOWED_ACE ace = (ACCESS_ALLOWED_ACE)Marshal.PtrToStructure(pAce, typeof(ACCESS_ALLOWED_ACE));

                    // The SID starts at the SidStart field and is variable length.
                    IntPtr iter = (IntPtr)((long)pAce + (long)Marshal.OffsetOf(typeof(ACCESS_ALLOWED_ACE), "SidStart"));
                    byte[] bSID = null;
                    int size = (int)GetLengthSid(iter);
                    bSID = new byte[size];
                    Marshal.Copy(iter, bSID, 0, size);
                    IntPtr ptrSid;
                    ConvertSidToStringSid(bSID, out ptrSid);
                    string strSID = Marshal.PtrToStringAuto(ptrSid);
                    LocalFree(ptrSid); // ConvertSidToStringSid allocates with LocalAlloc

                    Console.WriteLine("The details of ACE number {0} are: ", i+1);

                    // Give LookupAccountSid real buffer space; the default capacity is too small for most names.
                    StringBuilder name = new StringBuilder(256);
                    uint cchName = (uint)name.Capacity;
                    StringBuilder referencedDomainName = new StringBuilder(256);
                    uint cchReferencedDomainName = (uint)referencedDomainName.Capacity;
                    SID_NAME_USE sidUse;

                    LookupAccountSid(null, bSID, name, ref cchName, referencedDomainName, ref cchReferencedDomainName, out sidUse);

                    Console.WriteLine("Trustee Name: " + name);
                    Console.WriteLine("Domain Name: " + referencedDomainName);

                    if ((ace.Mask & 0x1F01FF) == 0x1F01FF)
                    {
                        Console.WriteLine("Permission: Full Control");
                    }
                    else if ((ace.Mask & 0x1301BF) == 0x1301BF)
                    {
                        Console.WriteLine("Permission: READ and CHANGE");
                    }
                    else if ((ace.Mask & 0x1200A9) == 0x1200A9)
                    {
                        Console.WriteLine("Permission: READ only");
                    }
                    Console.WriteLine("SID: {0} \nHeader AceType: {1} \nAccess Mask: {2} \nHeader AceFlag: {3}", strSID, ace.Header.AceType.ToString(), ace.Mask.ToString(), ace.Header.AceFlags.ToString());
                    Console.WriteLine("\n");
                }
            }
            err = NetApiBufferFree(bufptr);
        }
    }
}

REF: http://blogs.msdn.com/b/dsadsi/archive/2012/03/30/to-read-shared-permissions-of-a-server-resource-in-c-using-netsharegetinfo.aspx

Also, if you can, please try your code and this code on another network, because I'm thinking it's some environment issue.

Olivine answered 24/10, 2015 at 6:45 Comment(1)
Great solution! But: you must check shareInfo.shi502_security_descriptor != IntPtr.Zero before calling GetSecurityDescriptorDacl(...) since, at least for Server 2016, it is not set for administrative shares and you will get an access violation then. Newburg
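The question's class only evaluates the NTFS DACL that DirectoryInfo.GetAccessControl returns for the UNC path, while the answer's program only lists the share-level DACL. Access over a share is the more restrictive of the two, so a test like the one in the question can pass on the local folder and still not predict what a remote client gets. The following is an added example, not code from the question, the answer or the linked blog, that combines both checks for the current token: it fetches the share descriptor with NetShareGetInfo (same level 502 call as the answer, which requires the same administrative rights on the target server), parses it with the managed RawSecurityDescriptor instead of walking ACEs by hand, evaluates it against the user's SID and group SIDs, and intersects the result with the NTFS rights of the folder behind the share. It assumes .NET Framework on Windows, that the descriptor NetShareGetInfo returns is in self-relative form (it checks and fails loudly otherwise), and uses "ServerName"/"ShareName" as placeholders; the null-descriptor case from the comment above is handled by returning null for the share mask.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example (not the poster's, the answerer's or the blog's code).
// Assumes .NET Framework on Windows; "ServerName"/"ShareName" are placeholders.
static class ShareEffectiveAccess
{
    [DllImport("Netapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern int NetShareGetInfo(string serverName, string netName, int level, out IntPtr bufPtr);

    [DllImport("Netapi32.dll")]
    static extern int NetApiBufferFree(IntPtr buffer);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern uint GetSecurityDescriptorLength(IntPtr pSecurityDescriptor);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetSecurityDescriptorControl(IntPtr pSecurityDescriptor, out ushort control, out uint revision);

    const ushort SE_SELF_RELATIVE = 0x8000;
    const int FULL_CONTROL_MASK = 0x1F01FF;

    // Layout must match SHARE_INFO_502; string fields are kept as raw pointers since they are not read.
    [StructLayout(LayoutKind.Sequential)]
    struct SHARE_INFO_502
    {
        public IntPtr shi502_netname;
        public uint shi502_type;
        public IntPtr shi502_remark;
        public int shi502_permissions;
        public int shi502_max_uses;
        public int shi502_current_uses;
        public IntPtr shi502_path;
        public IntPtr shi502_passwd;
        public int shi502_reserved;
        public IntPtr shi502_security_descriptor;
    }

    // Share-level access mask for the current token; null when the share carries no
    // security descriptor at all (seen on administrative shares, per the comment above).
    public static int? ShareAccessMask(string server, string share)
    {
        IntPtr buf;
        int err = NetShareGetInfo(server, share, 502, out buf);
        if (err != 0) throw new Win32Exception(err);
        try
        {
            var info = (SHARE_INFO_502)Marshal.PtrToStructure(buf, typeof(SHARE_INFO_502));
            IntPtr pSd = info.shi502_security_descriptor;
            if (pSd == IntPtr.Zero) return null;

            // RawSecurityDescriptor only parses the self-relative (wire) form; verify rather than misparse.
            ushort control; uint revision;
            if (!GetSecurityDescriptorControl(pSd, out control, out revision))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            if ((control & SE_SELF_RELATIVE) == 0)
                throw new InvalidOperationException("share descriptor is not self-relative");

            int len = checked((int)GetSecurityDescriptorLength(pSd));
            byte[] sdBytes = new byte[len];
            Marshal.Copy(pSd, sdBytes, 0, len);
            var sd = new RawSecurityDescriptor(sdBytes, 0);
            // A descriptor with no DACL grants everyone full access under Windows semantics.
            if (sd.DiscretionaryAcl == null) return FULL_CONTROL_MASK;
            return EffectiveMask(sd.DiscretionaryAcl, WindowsIdentity.GetCurrent());
        }
        finally
        {
            NetApiBufferFree(buf);
        }
    }

    // Union of allow masks minus union of deny masks over ACEs naming the user or one of
    // its groups; equivalent to Windows' first-match walk for a canonically ordered DACL.
    static int EffectiveMask(RawAcl dacl, WindowsIdentity id)
    {
        int allowed = 0, denied = 0;
        foreach (GenericAce ace in dacl)
        {
            var ce = ace as CommonAce;
            if (ce == null) continue; // object ACEs do not occur on share DACLs
            bool applies = ce.SecurityIdentifier.Equals(id.User) || id.Groups.Contains(ce.SecurityIdentifier);
            if (!applies) continue;
            if (ce.AceType == AceType.AccessAllowed) allowed |= ce.AccessMask;
            else if (ce.AceType == AceType.AccessDenied) denied |= ce.AccessMask;
        }
        return allowed & ~denied;
    }

    // Same computation over the NTFS DACL of the folder behind the share (the question's approach).
    public static int NtfsAccessMask(string uncPath, WindowsIdentity id)
    {
        int allowed = 0, denied = 0;
        AuthorizationRuleCollection rules = new DirectoryInfo(uncPath).GetAccessControl()
            .GetAccessRules(true, true, typeof(SecurityIdentifier));
        foreach (FileSystemAccessRule rule in rules)
        {
            bool applies = rule.IdentityReference.Equals(id.User) || id.Groups.Contains(rule.IdentityReference);
            if (!applies) continue;
            if (rule.AccessControlType == AccessControlType.Allow) allowed |= (int)rule.FileSystemRights;
            else denied |= (int)rule.FileSystemRights;
        }
        return allowed & ~denied;
    }

    // A right is effective over the share only if both the share DACL and the NTFS DACL grant it.
    public static bool HasEffectiveAccess(string server, string share, FileSystemRights right)
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        int wanted = (int)right;
        bool ntfsOk = (NtfsAccessMask(@"\\" + server + @"\" + share, id) & wanted) == wanted;
        int? shareMask = ShareAccessMask(server, share);
        if (shareMask == null) return ntfsOk; // no share DACL to evaluate; NTFS result is all we have
        return ntfsOk && (shareMask.Value & wanted) == wanted;
    }

    static void Main()
    {
        // Placeholder names; replace with a real server and share before running.
        bool canWrite = HasEffectiveAccess("ServerName", "ShareName", FileSystemRights.Write);
        Console.WriteLine("Effective write access on the share: " + canWrite);
    }
}
```

Two caveats worth knowing when reading the result: the deny/allow accumulation mirrors the question's helper and Windows' canonical-order evaluation, so a non-canonical DACL can evaluate differently from a real access check; and WindowsIdentity.Groups reflects the local token, so when the share is served by a machine in another domain or with local groups of its own, the server may apply group memberships this client-side check cannot see.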
