Reading NTFS Permissions


ASP.NET

Reading NTFS Permissions    (Daniel Schaffer   8/4/2005 11:20:26 AM)  
I've searched on this site and google, and came up with several different results, all of which look exceedingly complicated and none of which seem to do quite what I want. I would like to be able to get a simple boolean value representing whether a given user has access to a given file - even if they don't have explicit access. This means that the file may only have full access granted to "Everyone", but not the specific user. Is this possible with .NET, and if so, what is the simplest way of doing it? Thanks!



Got it     (Daniel Schaffer   8/4/2005 12:18:25 PM)  
Using the code from this GotDotNet user sample:
http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=e6098575-dda0-48b8-9abf-e0705af065d9

using System.IO;
using System.Security.Principal;
// SecurityDescriptor, SECURITY_INFORMATION and Ace are the types from the GotDotNet
// sample linked above; add a using directive for the namespace that sample declares them in.

public static bool HasFilePermission(string path, IPrincipal principal)
{
    if (!File.Exists(path)) return false;

    // Read only the DACL (the access-control part) of the file's security descriptor.
    SecurityDescriptor secDesc = SecurityDescriptor.GetFileSecurity(path,
        SECURITY_INFORMATION.DACL_SECURITY_INFORMATION);

    // Returns true as soon as the principal matches any ACE's trustee, whether that
    // ACE allows or denies access; the access mask is not examined.
    foreach (Ace ace in secDesc.Dacl)
    {
        if (principal.IsInRole(ace.Sid.AccountName)) return true;
    }
    return false;
}


This doesn't work on Network Resources    (Daniel Schaffer   8/4/2005 6:07:57 PM)  
I've found that this method will incorrectly return false when checking permissions on paths that are network resources, including mapped drives. I don't think I'm getting the right IPrincipal instance... will work on it tomorrow.


I now officially rule     (Daniel Schaffer   8/5/2005 10:34:20 AM)  
This uses the ADSI SDK - you don't need that code I referenced in my previous post. Follow the instructions to set up the project as described here: http://support.microsoft.com/kb/818362

You'll need the ADSI 2.5 SDK, which is available here: http://download.microsoft.com/download/2/9/7/29720925-faa3-477f-a5cd-beef80adac07/adsrtk.msi

All this does, when run on an ASP.NET page, is print out the name of the current identity, then iterate through the ACEs listed for the file specified. Keep in mind that this only tests if the account is listed, not if the account actually has access. That will require some extra coding, but you should be able to figure that out from the KB article.

// Interop namespaces as generated by the references set up in KB 818362
// (ActiveDs for the ADSI type library, ADSSECURITYLib for ADsSecurity.dll);
// adjust them if your imported reference names differ.
using ActiveDs;
using ADSSECURITYLib;

string path = @"FILE://C:/testfile.txt";
ADsSecurityClass adsi = new ADsSecurityClass();
SecurityDescriptor secDesc = (SecurityDescriptor)adsi.GetSecurityDescriptor(path);
AccessControlList dacl = (AccessControlList)secDesc.DiscretionaryAcl;

// Print the identity the page runs as, then every trustee in the DACL and whether
// the current user matches it. Being listed is not the same as having access:
// deny entries and the access mask are not examined here.
Response.Write("<b>" + Page.User.Identity.Name + "</b><br>");
foreach (AccessControlEntry ace in dacl)
{
    Response.Write(ace.Trustee + ": " + Page.User.IsInRole(ace.Trustee) + "<br>");
}


Check for access    (Daniel Schaffer   8/5/2005 10:47:14 AM)  
This is the revised version of the method posted in the 2nd post, using the ADSI SDK, which checks if the principal has access to the given file.

using System.IO;
using System.Security.Principal;
using ActiveDs;          // SecurityDescriptor, AccessControlList, AccessControlEntry, ADS_ACETYPE_ENUM
using ADSSECURITYLib;    // ADsSecurityClass

public static bool HasFilePermission(string path, IPrincipal principal)
{
    if (!File.Exists(path)) return false;

    // ADSI expects a file:// moniker with forward slashes.
    path = "file://" + path.Replace("\\", "/");
    ADsSecurityClass adsi = new ADsSecurityClass();
    SecurityDescriptor secDesc = (SecurityDescriptor)adsi.GetSecurityDescriptor(path);
    AccessControlList dacl = (AccessControlList)secDesc.DiscretionaryAcl;

    // ACEs are walked in DACL order. In a canonical DACL deny entries precede allow
    // entries, so a matching deny is seen first and overrides a later allow.
    foreach (AccessControlEntry ace in dacl)
    {
        switch ((ADS_ACETYPE_ENUM)ace.AceType)
        {
            case ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_DENIED:
                if (principal.IsInRole(ace.Trustee)) return false;
                break;
            case ADS_ACETYPE_ENUM.ADS_ACETYPE_ACCESS_ALLOWED:
                // Only the trustee is matched; ace.AccessMask (which rights the entry
                // grants) is not inspected, so "allowed" here means any right at all.
                if (principal.IsInRole(ace.Trustee)) return true;
                break;
            default:
                break;
        }
    }
    return false;
}
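An added example, not code from the thread or from KB 818362, that does the "extra coding" the posts above leave open: instead of the ADSI interop it uses the managed System.Security.AccessControl API (available from .NET 2.0 on) to match ACEs against the caller's own SID and group SIDs, honour deny ACEs and check the requested access mask, so a grant to "Everyone" counts for the user. The class and method names (NtfsAccessCheck, HasAccess, CurrentUserCanRead) are chosen here.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

public static class NtfsAccessCheck
{
    // True when the file's DACL grants every right in 'wanted' to 'identity',
    // taking the identity's group memberships into account and letting any
    // matching deny ACE win, as the Windows access check does for canonical DACLs.
    public static bool HasAccess(string path, WindowsIdentity identity, FileSystemRights wanted)
    {
        if (!File.Exists(path)) return false;

        // SIDs that may match an ACE: the user itself plus every token group
        // (this is what makes a grant to "Everyone" or "Users" count for the user).
        var sids = new HashSet<SecurityIdentifier>();
        if (identity.User != null) sids.Add(identity.User);
        if (identity.Groups != null)
            foreach (IdentityReference g in identity.Groups)
                sids.Add((SecurityIdentifier)g);

        FileSecurity fs = new FileInfo(path).GetAccessControl(AccessControlSections.Access);
        // Explicit and inherited rules, trustees returned as SIDs so no name lookup is needed.
        AuthorizationRuleCollection rules = fs.GetAccessRules(true, true, typeof(SecurityIdentifier));

        FileSystemRights allowed = 0, denied = 0;
        foreach (FileSystemAccessRule rule in rules)
        {
            if (!sids.Contains((SecurityIdentifier)rule.IdentityReference)) continue;
            if (rule.AccessControlType == AccessControlType.Deny)
                denied |= rule.FileSystemRights;
            else
                allowed |= rule.FileSystemRights;
        }

        // Any denied bit among the wanted rights blocks access; otherwise every
        // wanted bit must be covered by an allow ACE.
        if ((denied & wanted) != 0) return false;
        return (allowed & wanted) == wanted;
    }

    // Example call for the process identity (assumed: Windows authentication with impersonation).
    public static bool CurrentUserCanRead(string path)
    {
        return HasAccess(path, WindowsIdentity.GetCurrent(), FileSystemRights.Read);
    }
}
```

Without impersonation, WindowsIdentity.GetCurrent() in ASP.NET is the worker process account, so pass (WindowsIdentity)HttpContext.Current.User.Identity to HasAccess to check the page's user instead.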

posted @ 2006-08-15 08:16  y9902