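        /// <summary>
        /// Sample driver: grants <c>raandree1\randr_000</c> full control on <c>D:\file1.txt</c> and exits.
        /// The effective-access / PowerShell experiments live in <see cref="RunEffectiveAccessSamples"/>,
        /// which Main does not call (the original parked them behind an unconditional <c>return</c>, which
        /// made every statement after it unreachable).
        /// </summary>
        /// <param name="args">Unused.</param>
        static void Main(string[] args)
        {
            var targetFile = new FileInfo("D:\\file1.txt");
            var accounts   = new List<IdentityReference2>()
            {
                (IdentityReference2)@"raandree1\randr_000"
            };

            // ContainerInherit on a file target: kept as in the original sample, the flag is simply ignored for files.
            FileSystemAccessRule2.AddFileSystemAccessRule(targetFile, accounts, FileSystemRights2.FullControl, AccessControlType.Allow, InheritanceFlags.ContainerInherit, PropagationFlags.None);
        }

        // Scratch code kept for reference; it is intentionally not invoked from Main.
        private static void RunEffectiveAccessSamples()
        {
            var path    = @"C:\Windows";
            var account = @"raandree1\randr_000";
            var server  = "localhost";

            // The descriptor is fetched only to inspect it while debugging; nothing below uses it.
            var sd = Directory.GetAccessControl(path, AccessControlSections.Access);
            var id = new IdentityReference2(account);

            EffectiveAccess.GetEffectiveAccess(new FileInfo(path), id, server);

            var result1 = InvokeCommand("gi2 c:\\windows");

            var result2 = InvokeCommand(@"gi -Path D:\SingleMachine\ | Get-EffectiveAccess")
                          .Select(ace => ace.ImmediateBaseObject)
                          .Cast<FileSystemAccessRule2>().ToList();

            foreach (var ace in result2)
            {
                Console.WriteLine(string.Format("{0};{1}", ace.Account, ace.IsInherited));
            }

            Console.ReadKey();
        }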
            public void DeniedRight(FileSystemRights deniedRight)
            {
                // Arrange: put an explicit deny ACE for the current identity on the fixture's test file.
                AddFileDenyACE(TestFile.FullName, CurrentIdentity, deniedRight);

                // Act: recompute the identity's effective rights on that file.
                var effective = EffectiveAccess.ComputeAccess(TestFile.FullName, CurrentIdentity);

                // Assert: the denied right must not show up in the effective rights.
                var stillGranted = effective.HasFlag(deniedRight);
                Assert.False(stillGranted);
            }
            public void WhenGroupIsDeniedWrite()
            {
                // NOTE(review): the name suggests a write-only deny, but the fixture denies FullControl
                // for the group and checks STANDARD_RIGHTS_ALL — confirm that is the intended scenario.
                var denied = new IdentityRights
                {
                    Identity = Group,
                    Rights   = FileSystemRights.FullControl
                };

                // No allow entries, one deny entry for the group the current identity belongs to.
                var descriptor = CreateSecurityDescriptor(null, denyRights: new[] { denied });
                var access     = EffectiveAccess.ComputeAccess(descriptor, CurrentIdentity);

                Assert.False(access.HasFlag(ACCESS_MASK.STANDARD_RIGHTS_ALL));
            }
            public void WhenGroupHasAllStandardRights()
            {
                // Allow FullControl to the group; the current identity is expected to inherit it
                // through membership and therefore hold every standard right.
                var allowed = new IdentityRights
                {
                    Identity = Group,
                    Rights   = FileSystemRights.FullControl
                };

                var descriptor = CreateSecurityDescriptor(new[] { allowed });
                var access     = EffectiveAccess.ComputeAccess(descriptor, CurrentIdentity);

                var hasAllStandardRights = access.HasFlag(ACCESS_MASK.STANDARD_RIGHTS_ALL);
                Assert.True(hasAllStandardRights);
            }
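        /// <summary>
        /// Probes whether the calling identity can read and write <paramref name="path"/> by actually
        /// attempting the operations rather than evaluating the ACL. A directory is probed by listing it
        /// and by creating a short-lived marker file inside it; a file is probed by opening it for read
        /// and for write.
        /// </summary>
        /// <param name="path">File or directory path to probe.</param>
        /// <returns>
        /// An <see cref="EffectiveAccess"/> whose Read/Write reflect the probes. Both are false when the
        /// path cannot be examined at all (missing, locked or access denied). Write is only probed when
        /// Read succeeded; when Read fails, Write is reported as false (previously it stayed at its
        /// initial value of true without ever being probed).
        /// </returns>
        public EffectiveAccess GetEffectiveAccess(string path)
        {
            bool isDirectory;
            try
            {
                isDirectory = File.GetAttributes(path).HasFlag(FileAttributes.Directory);
            }
            catch (IOException)
            {
                return new EffectiveAccess { Read = false, Write = false };
            }
            catch (UnauthorizedAccessException)
            {
                return new EffectiveAccess { Read = false, Write = false };
            }

            var effectiveAccess = new EffectiveAccess { Read = true, Write = true };
            if (isDirectory)
            {
                ProbeDirectory(path, effectiveAccess);
            }
            else
            {
                ProbeFile(path, effectiveAccess);
            }

            return effectiveAccess;
        }

        // Read: the directory can be listed. Write: a marker file can be created in it (only tried when Read succeeded).
        private static void ProbeDirectory(string path, EffectiveAccess result)
        {
            result.Read = ProbeSucceeds(() => Directory.GetFileSystemEntries(path));
            if (!result.Read)
            {
                result.Write = false;
                return;
            }

            // Everyone gets full control on the marker so that it can always be removed again; its
            // lifetime is bounded by DeleteOnClose, i.e. it disappears when the stream below is disposed.
            var markerSecurity = new FileSecurity();
            markerSecurity.AddAccessRule(new FileSystemAccessRule(new SecurityIdentifier(WellKnownSidType.WorldSid, null), FileSystemRights.FullControl, AccessControlType.Allow));

            // Unique name per probe: with a fixed name, File.Create would truncate a pre-existing user
            // file of that name and DeleteOnClose would then delete it.
            var markerPath = Path.Combine(path, "write-test-" + System.Guid.NewGuid().ToString("N") + ".shareaudit");
            result.Write = ProbeSucceeds(() =>
            {
                using (File.Create(markerPath, 1, FileOptions.DeleteOnClose, markerSecurity))
                {
                }
            });
        }

        // Read: the file opens for reading. Write: it opens for writing (only tried when Read succeeded).
        private static void ProbeFile(string path, EffectiveAccess result)
        {
            result.Read  = ProbeSucceeds(() => OpenAndClose(path, FileAccess.Read));
            result.Write = result.Read && ProbeSucceeds(() => OpenAndClose(path, FileAccess.Write));
        }

        // Opens the file with the requested access and closes it immediately; the open itself is the probe.
        private static void OpenAndClose(string path, FileAccess access)
        {
            using (File.Open(path, FileMode.Open, access, FileShare.ReadWrite))
            {
            }
        }

        // Runs the probe and reports whether it completed without an I/O or access error.
        // Any other exception type propagates, as it did in the original per-probe try/catch blocks.
        private static bool ProbeSucceeds(System.Action probe)
        {
            try
            {
                probe();
                return true;
            }
            catch (IOException)
            {
                return false;
            }
            catch (UnauthorizedAccessException)
            {
                return false;
            }
        }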
            public void FullControlOfOwnedFile()
            {
                // The fixture's test file is, per the test name, owned by the current identity, so its
                // effective rights are expected to include FullControl.
                var effective      = EffectiveAccess.ComputeAccess(TestFile.FullName, CurrentIdentity);
                var hasFullControl = effective.HasFlag(FileSystemRights.FullControl);

                Assert.True(hasFullControl);
            }
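        /// <summary>
        /// Resolves each requested path, computes the effective access of <c>account</c> on it and emits
        /// the resulting ACE. Failures are reported as non-terminating errors per path. A result whose
        /// Authz query failed, or that is filtered by <c>excludeNoneAccessEntries</c>, is never written
        /// to the pipeline (the original emitted <c>result.Ace</c> from a <c>finally</c> block, which also
        /// ran after each <c>continue</c>, so failed and filtered entries were output anyway).
        /// </summary>
        protected override void ProcessRecord()
        {
            foreach (var path in paths)
            {
                FileSystemInfo item;
                try
                {
                    item = this.GetFileSystemInfo2(path);
                }
                catch (Exception ex)
                {
                    this.WriteError(new ErrorRecord(ex, "ReadFileError", ErrorCategory.OpenError, path));
                    continue;
                }

                EffectiveAccessInfo result = null;
                try
                {
                    result = QueryEffectiveAccess(item);
                }
                catch (UnauthorizedAccessException)
                {
                    // The security descriptor could not be read; retry once as temporary owner of the item.
                    // NOTE(review): as in the original, it is not verified that this branch is ever reached.
                    try
                    {
                        result = QueryEffectiveAccessAsOwner(item);
                    }
                    catch (Exception ex2)
                    {
                        this.WriteError(new ErrorRecord(ex2, "ReadSecurityError", ErrorCategory.WriteError, path));
                    }
                }
                catch (Exception ex)
                {
                    WriteError(new ErrorRecord(ex, "ReadEffectivePermissionError", ErrorCategory.ReadError, path));
                }

                // null means "already reported or filtered out" — nothing to emit for this path.
                if (result != null)
                {
                    WriteObject(result.Ace);
                }
            }
        }

        // Computes the effective access of 'account' on item. Returns null when the result must not be
        // emitted: the Authz query failed (reported via WriteError here) or the entry carries no rights and
        // excludeNoneAccessEntries is set. Exceptions from EffectiveAccess.GetEffectiveAccess propagate.
        private EffectiveAccessInfo QueryEffectiveAccess(FileSystemInfo item)
        {
            var result = EffectiveAccess.GetEffectiveAccess(item, account, serverName);

            if (!result.FromRemote)
            {
                WriteWarning("The effective rights can only be computed based on group membership on this" +
                             " computer. For more accurate results, calculate effective access rights on " +
                             "the target computer");
            }

            if (result.OperationFailed)
            {
                // Without the Security privilege a failed remote query is most likely caused by it; say so.
                var message = securityPrivilege == null
                    ? string.Format("Could not get effective permissions from machine '{0}' maybe because the 'Security' privilege is not enabled which might be required. Enable the priviliges using 'Enable-Privileges'. The error was '{1}'", serverName, result.AuthzException.Message)
                    : string.Format("Could not get effective permissions from machine '{0}'. The error is '{1}'", serverName, result.AuthzException.Message);
                var ex = new Exception(message, result.AuthzException);
                WriteError(new ErrorRecord(ex, "GetEffectiveAccessError", ErrorCategory.ReadError, item));
                return null;
            }

            if (excludeNoneAccessEntries && result.Ace.AccessRights == FileSystemRights2.None)
            {
                return null;
            }

            return result;
        }

        // Takes ownership of item for the duration of a single query and hands it back afterwards no
        // matter how the query ends. The original restored the previous owner only on the success path,
        // so a failed or filtered query left the item owned by the user running the cmdlet.
        private EffectiveAccessInfo QueryEffectiveAccessAsOwner(FileSystemInfo item)
        {
            var previousOwner = FileSystemOwner.GetOwner(item).Owner;
            FileSystemOwner.SetOwner(item, System.Security.Principal.WindowsIdentity.GetCurrent().User);
            try
            {
                return QueryEffectiveAccess(item);
            }
            finally
            {
                FileSystemOwner.SetOwner(item, previousOwner);
            }
        }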