/// <summary>
/// Ad-hoc console harness for the ACL helpers. Only the first block executes: the
/// early <c>return</c> makes everything after it unreachable (compiler warning CS0162);
/// those lines are kept as scratch experiments.
/// </summary>
/// <param name="args">Ignored.</param>
static void Main(string[] args)
{
    var targetFile = new FileInfo("D:\\file1.txt");
    var targetDirectory = new DirectoryInfo("D:\\test3"); // constructed but never used

    // One principal that is granted full control on the file.
    var principals = new List<IdentityReference2>
    {
        (IdentityReference2)@"raandree1\randr_000"
    };

    // NOTE(review): inheritance flags are only meaningful when the target is a directory;
    // on a file ContainerInherit is expected to have no effect - confirm against
    // FileSystemAccessRule2.AddFileSystemAccessRule.
    FileSystemAccessRule2.AddFileSystemAccessRule(
        targetFile,
        principals,
        FileSystemRights2.FullControl,
        AccessControlType.Allow,
        InheritanceFlags.ContainerInherit,
        PropagationFlags.None);
    return;

    // ---- unreachable scratch code from here on ----
    var path = @"C:\Windows";
    var account = @"raandree1\randr_000";
    var server = "localhost";

    var descriptor = Directory.GetAccessControl(path, AccessControlSections.Access);
    var identity = new IdentityReference2(account);
    EffectiveAccess.GetEffectiveAccess(new FileInfo(path), identity, server);

    var firstResult = InvokeCommand("gi2 c:\\windows");

    var effectiveAces = InvokeCommand(@"gi -Path D:\SingleMachine\ | Get-EffectiveAccess")
        .Select(psObject => psObject.ImmediateBaseObject)
        .Cast<FileSystemAccessRule2>()
        .ToList();

    foreach (var entry in effectiveAces)
    {
        Console.WriteLine("{0};{1}", entry.Account, entry.IsInherited);
    }

    Console.ReadKey();
}
/// <summary>
/// A right that is explicitly denied to the current identity must not show up in the
/// computed effective access for the test file.
/// </summary>
/// <param name="deniedRight">The right (or combination of rights) written into the deny ACE.</param>
public void DeniedRight(FileSystemRights deniedRight)
{
    // Arrange: add a deny ACE for the current identity to the fixture file.
    AddFileDenyACE(TestFile.FullName, CurrentIdentity, deniedRight);

    // Act
    var computedRights = EffectiveAccess.ComputeAccess(TestFile.FullName, CurrentIdentity);

    // Assert. HasFlag requires every bit of deniedRight to be present, so for a composite
    // right this passes as soon as any single bit of it is denied.
    Assert.False(computedRights.HasFlag(deniedRight));
}
/// <summary>
/// When a group the current identity belongs to is denied FullControl, none of the
/// standard rights may be reported as effective.
/// </summary>
/// <remarks>
/// NOTE(review): the method name says "denied write" but the deny covers FullControl and the
/// assertion checks STANDARD_RIGHTS_ALL - confirm which scenario is intended.
/// </remarks>
public void WhenGroupIsDeniedWrite()
{
    // Arrange: a deny-only descriptor (no allow entries) for the group.
    var groupDeny = new IdentityRights
    {
        Identity = Group,
        Rights = FileSystemRights.FullControl
    };
    var denyEntries = new IdentityRights[] { groupDeny };
    var descriptor = CreateSecurityDescriptor(null, denyRights: denyEntries);

    // Act
    var computedAccess = EffectiveAccess.ComputeAccess(descriptor, CurrentIdentity);

    // Assert. NOTE(review): HasFlag throws unless computedAccess and ACCESS_MASK are the same
    // enum type, so this overload of ComputeAccess presumably returns an ACCESS_MASK - verify.
    Assert.False(computedAccess.HasFlag(ACCESS_MASK.STANDARD_RIGHTS_ALL));
}
/// <summary>
/// When a group the current identity belongs to is allowed FullControl, all standard
/// rights must be reported as effective.
/// </summary>
public void WhenGroupHasAllStandardRights()
{
    // Arrange: an allow-only descriptor for the group.
    var groupAllow = new IdentityRights
    {
        Identity = Group,
        Rights = FileSystemRights.FullControl
    };
    var allowEntries = new IdentityRights[] { groupAllow };
    var descriptor = CreateSecurityDescriptor(allowEntries);

    // Act
    var computedAccess = EffectiveAccess.ComputeAccess(descriptor, CurrentIdentity);

    // Assert. NOTE(review): relies on this ComputeAccess overload returning an ACCESS_MASK;
    // HasFlag throws on a mismatched enum type - verify.
    Assert.True(computedAccess.HasFlag(ACCESS_MASK.STANDARD_RIGHTS_ALL));
}
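/// <summary>
/// Determines whether the current process can read and write <paramref name="path"/> by
/// actually attempting the operations (not by evaluating the ACL), so share-level and
/// NTFS restrictions are both taken into account.
/// </summary>
/// <param name="path">File or directory to probe.</param>
/// <returns>
/// An <see cref="EffectiveAccess"/> with <c>Read</c>/<c>Write</c> set from the probes.
/// Both are false when the path's attributes cannot be read; <c>Write</c> is only probed
/// when the read probe succeeded.
/// </returns>
/// <remarks>
/// Fix over the earlier version: the write probe for directories used a fixed file name
/// with <c>File.Create</c>, which opens with <c>FileMode.Create</c> and would therefore
/// truncate (and, via DeleteOnClose, delete) a pre-existing file of that name and replace
/// its ACL. The probe now uses a per-call unique name and <c>Path.Combine</c>.
/// </remarks>
public EffectiveAccess GetEffectiveAccess(string path)
{
    bool isDirectory;
    try
    {
        isDirectory = File.GetAttributes(path).HasFlag(FileAttributes.Directory);
    }
    catch (IOException)
    {
        return new EffectiveAccess { Read = false, Write = false };
    }
    catch (UnauthorizedAccessException)
    {
        return new EffectiveAccess { Read = false, Write = false };
    }

    var effectiveAccess = new EffectiveAccess { Read = true, Write = true };

    if (isDirectory)
    {
        // Read probe: enumerate the directory contents.
        effectiveAccess.Read = Probe(() => Directory.GetFileSystemEntries(path));
        if (effectiveAccess.Read)
        {
            // Write probe: create (and immediately remove) a scratch file inside it.
            effectiveAccess.Write = Probe(() => CreateTransientProbeFile(path));
        }
    }
    else
    {
        // Read probe: open the file for reading without blocking other readers/writers.
        effectiveAccess.Read = Probe(() =>
        {
            using (File.Open(path, FileMode.Open, FileAccess.Read, FileShare.ReadWrite))
            {
            }
        });
        if (effectiveAccess.Read)
        {
            // Write probe: open for writing; nothing is written, the open itself is the test.
            effectiveAccess.Write = Probe(() =>
            {
                using (File.Open(path, FileMode.Open, FileAccess.Write, FileShare.ReadWrite))
                {
                }
            });
        }
    }

    return effectiveAccess;
}

/// <summary>
/// Runs <paramref name="action"/> and reports whether it completed.
/// </summary>
/// <param name="action">The file-system operation to attempt.</param>
/// <returns>
/// <c>true</c> when the action completed; <c>false</c> when it failed with
/// <see cref="IOException"/> or <see cref="UnauthorizedAccessException"/>. Any other
/// exception type propagates, as before.
/// </returns>
private static bool Probe(Action action)
{
    try
    {
        action();
        return true;
    }
    catch (IOException)
    {
        return false;
    }
    catch (UnauthorizedAccessException)
    {
        return false;
    }
}

/// <summary>
/// Creates a scratch file in <paramref name="directory"/> that is removed as soon as its
/// handle is closed. Throws the same IO/access exceptions as the underlying create call.
/// </summary>
/// <param name="directory">Directory whose write access is being probed.</param>
private static void CreateTransientProbeFile(string directory)
{
    // Unique per call: File.Create opens with FileMode.Create, which overwrites an
    // existing file of the same name, so a fixed probe name could destroy user data.
    var probePath = Path.Combine(
        directory,
        "write-test." + Guid.NewGuid().ToString("N") + ".shareaudit");

    // Grant Everyone full control on the scratch file so the DeleteOnClose handle is
    // sure to hold the DELETE right regardless of what the directory's inheritable ACEs
    // would grant. The grant only ever applies to this transient file.
    var fileSecurity = new FileSecurity();
    fileSecurity.AddAccessRule(new FileSystemAccessRule(
        new SecurityIdentifier(WellKnownSidType.WorldSid, null),
        FileSystemRights.FullControl,
        AccessControlType.Allow));

    // File.Create opens the handle with FileShare.None, so no other opener can reach the
    // file while it exists; DeleteOnClose removes it when the using block disposes the stream.
    using (File.Create(probePath, 1, FileOptions.DeleteOnClose, fileSecurity))
    {
    }
}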
/// <summary>
/// The computed effective access on the fixture file (presumably owned by the current
/// identity, going by the name) must include FullControl.
/// </summary>
public void FullControlOfOwnedFile()
{
    // Act
    var computedRights = EffectiveAccess.ComputeAccess(TestFile.FullName, CurrentIdentity);

    // Assert: every bit of FullControl has to be present for HasFlag to return true.
    Assert.True(computedRights.HasFlag(FileSystemRights.FullControl));
}
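/// <summary>
/// Computes the effective access entry for every path in <c>paths</c> and writes one
/// <c>EffectiveAccessInfo.Ace</c> per path that was evaluated successfully.
/// </summary>
/// <remarks>
/// Two fixes over the earlier version. The entry is now written only after a successful
/// evaluation; previously a <c>finally</c> emitted it even on the paths that had just
/// written an error record or that <c>excludeNoneAccessEntries</c> was meant to skip.
/// And when the fallback has to take ownership of the item, the previous owner is now
/// restored in a <c>finally</c>; previously the early <c>continue</c>s skipped the restore
/// and left the item owned by the calling user.
/// </remarks>
protected override void ProcessRecord()
{
    foreach (var path in paths)
    {
        FileSystemInfo item;
        try
        {
            item = this.GetFileSystemInfo2(path);
        }
        catch (Exception ex)
        {
            this.WriteError(new ErrorRecord(ex, "ReadFileError", ErrorCategory.OpenError, path));
            continue;
        }

        EffectiveAccessInfo result = null;
        try
        {
            result = EvaluateEffectiveAccess(item);
        }
        catch (UnauthorizedAccessException)
        {
            // NOTE(review): the original author was unsure this branch is ever reached;
            // it has not been exercised by tests.
            result = EvaluateEffectiveAccessAsTemporaryOwner(item, path);
        }
        catch (Exception ex)
        {
            WriteError(new ErrorRecord(ex, "ReadEffectivePermissionError", ErrorCategory.ReadError, path));
        }

        // Only successful, non-filtered evaluations produce output.
        if (result != null)
        {
            WriteObject(result.Ace);
        }
    }
}

/// <summary>
/// Queries the effective access for <paramref name="item"/> and applies the cmdlet's
/// reporting rules (remote warning, failure error record, "None" filtering).
/// </summary>
/// <param name="item">The file or directory being evaluated.</param>
/// <returns>
/// The result to emit, or <c>null</c> when an error record was written for it or when
/// <c>excludeNoneAccessEntries</c> filters it out.
/// </returns>
private EffectiveAccessInfo EvaluateEffectiveAccess(FileSystemInfo item)
{
    var result = EffectiveAccess.GetEffectiveAccess(item, account, serverName);

    if (!result.FromRemote)
    {
        WriteWarning("The effective rights can only be computed based on group membership on this" +
            " computer. For more accurate results, calculate effective access rights on " +
            "the target computer");
    }

    if (result.OperationFailed)
    {
        // Without the Security privilege enabled, the privilege is the most likely cause,
        // so the message points at Enable-Privileges; otherwise report the raw error.
        var message = securityPrivilege == null
            ? string.Format("Could not get effective permissions from machine '{0}' maybe because the 'Security' privilege is not enabled which might be required. Enable the priviliges using 'Enable-Privileges'. The error was '{1}'", serverName, result.AuthzException.Message)
            : string.Format("Could not get effective permissions from machine '{0}'. The error is '{1}'", serverName, result.AuthzException.Message);
        var ex = new Exception(message, result.AuthzException);
        WriteError(new ErrorRecord(ex, "GetEffectiveAccessError", ErrorCategory.ReadError, item));
        return null;
    }

    if (excludeNoneAccessEntries && result.Ace.AccessRights == FileSystemRights2.None)
    {
        return null;
    }

    return result;
}

/// <summary>
/// Fallback for items whose security cannot be read by the caller: temporarily takes
/// ownership, evaluates, and restores the original owner. Changing the owner is a
/// security-relevant modification of the object, so this runs only after the normal
/// query failed with <see cref="UnauthorizedAccessException"/>.
/// </summary>
/// <param name="item">The file or directory being evaluated.</param>
/// <param name="path">The caller-supplied path, used as the error record's target.</param>
/// <returns>The result to emit, or <c>null</c> when an error record was written.</returns>
private EffectiveAccessInfo EvaluateEffectiveAccessAsTemporaryOwner(FileSystemInfo item, string path)
{
    try
    {
        var previousOwner = FileSystemOwner.GetOwner(item).Owner;
        FileSystemOwner.SetOwner(item, System.Security.Principal.WindowsIdentity.GetCurrent().User);
        try
        {
            return EvaluateEffectiveAccess(item);
        }
        finally
        {
            // Restore on every exit path so the item is never left owned by the caller.
            // If this restore itself fails, the outer catch reports it as ReadSecurityError.
            FileSystemOwner.SetOwner(item, previousOwner);
        }
    }
    catch (Exception ex2)
    {
        // Covers GetOwner/SetOwner failures as well as errors raised by the re-evaluation.
        this.WriteError(new ErrorRecord(ex2, "ReadSecurityError", ErrorCategory.WriteError, path));
        return null;
    }
}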