// Checks if the current user has write access to the file. private Boolean HasWriteAccess(String fileName) { // No user has access to edit read-only file. if ((File.GetAttributes(fileName) & FileAttributes.ReadOnly) != 0) { return(false); } // Retrieve the access rules of the specified file. AuthorizationRuleCollection rules = File.GetAccessControl(fileName).GetAccessRules(true, true, typeof(System.Security.Principal.SecurityIdentifier)); // Retrieve the groups the user is member in. IdentityReferenceCollection groups = WindowsIdentity.GetCurrent().Groups; // Retrieve the SecuityIdentifier of the current user. String sidCurrentUser = WindowsIdentity.GetCurrent().User.Value; // Check if writing is denied for the current user or group. if (rules.OfType <FileSystemAccessRule>().Any(r => (groups.Contains(r.IdentityReference) || r.IdentityReference.Value == sidCurrentUser) && r.AccessControlType == AccessControlType.Deny && (r.FileSystemRights & FileSystemRights.WriteData) == FileSystemRights.WriteData)) { return(false); } // Check if writing is allowed for the current user or group. return(rules.OfType <FileSystemAccessRule>().Any(r => (groups.Contains(r.IdentityReference) || r.IdentityReference.Value == sidCurrentUser) && r.AccessControlType == AccessControlType.Allow && (r.FileSystemRights & FileSystemRights.WriteData) == FileSystemRights.WriteData)); }
/// <summary> /// Determines whether the indicated file system security object has the indicated file system right. /// </summary> /// <param name="fss">The file system security object.</param> /// <param name="right">The file system right.</param> /// <returns>True, if the indicated file system security object has the indicated file system right.</returns> /// <remarks>The current Windows user identity is used to search the security object's ACL for /// relevent allow or deny rules. To have permission for the indicated right, the object's ACL /// list must contain an explicit allow rule and no deny rules for either the user identity or a group to which /// the user belongs.</remarks> private static bool HasPermission(FileSystemSecurity fss, FileSystemRights right) { AuthorizationRuleCollection rules = fss.GetAccessRules(true, true, typeof(SecurityIdentifier)); var groups = WindowsIdentity.GetCurrent().Groups; SecurityIdentifier user = WindowsIdentity.GetCurrent().User; FileSystemRights remaining = right; foreach (FileSystemAccessRule rule in rules.OfType <FileSystemAccessRule>()) { FileSystemRights test = rule.FileSystemRights & right; if (test != 0) { if (rule.IdentityReference == user || (groups != null && groups.Contains(rule.IdentityReference))) { if (rule.AccessControlType == AccessControlType.Allow) { remaining &= ~test; if (remaining == 0) { return(true); } } else if (rule.AccessControlType == AccessControlType.Deny) { return(false); } } } } return(false); }
public void IntitializeSecurity() { DirectorySecurity security = Directory.GetAccessControl(BasePath); AuthorizationRuleCollection rules = security.GetAccessRules( true, false, typeof(SecurityIdentifier)); var q = from r in rules.OfType <FileSystemAccessRule>() where r.IdentityReference == AccountSid select r; if (q.Count() != 0) { // Remove any existing rules which could be allow or deny. q.ToList().ForEach(r => security.RemoveAccessRule(r)); } // BIND only requires modify (e.g. for process file and log). FileSystemAccessRule rule = new FileSystemAccessRule( AccountSid, FileSystemRights.Modify, InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow); security.AddAccessRule(rule); Directory.SetAccessControl(BasePath, security); }
private ServerStatusElement getIscBindSecurityStatus() { ServerStatusElement e = new ServerStatusElement(); e.Name = "ISC BIND security (" + ServerConfig.IscBindDirectory.FullName + ")"; DirectorySecurity security = ServerConfig.IscBindDirectory.GetAccessControl(); AuthorizationRuleCollection rules = security.GetAccessRules( true, false, typeof(SecurityIdentifier)); WindowsUserManager wuManager = new WindowsUserManager(ServerConfig.WindowsServerName); WindowsUser namedUser = wuManager.Find(iscBindUser); if (namedUser == null) { e.Value = "Windows user '" + iscBindUser + "' is missing"; e.Condition = ServerStatusCondition.Error; } else { var q = from r in rules.OfType <FileSystemAccessRule>() where r.IdentityReference == namedUser.Sid where r.AccessControlType == AccessControlType.Allow select r; if (q.Count() != 0) { if ((q.Single().FileSystemRights & FileSystemRights.Modify) == FileSystemRights.Modify) { e.Value = "User '" + iscBindUser + "' can modify"; e.Condition = ServerStatusCondition.Normal; } else { e.Value = "User '" + iscBindUser + "' cannot modify"; e.Condition = ServerStatusCondition.Error; } } else { e.Value = "User '" + iscBindUser + "' does not have any access"; e.Condition = ServerStatusCondition.Error; } if (e.Condition == ServerStatusCondition.Error) { // At this point, if the user exists but the security is wrong, it can be reset. e.ActionText = "Repair"; e.ActionCommand = "RepairBindSecurity"; } } return(e); }
private IEnumerable <FileSystemAccessRule> getMatchingRules <TSecurity>( SecurityIdentifier identity, AccessControlType access, TSecurity security) where TSecurity : FileSystemSecurity { AuthorizationRuleCollection rules = security.GetAccessRules( true, false, typeof(SecurityIdentifier)); var q = from r in rules.OfType <FileSystemAccessRule>() where r.IdentityReference == identity where r.AccessControlType == access select r; return(q); }
private void CheckAgentRootDirectorySecure() { Trace.Info(nameof(CheckAgentRootDirectorySecure)); try { string rootDirPath = HostContext.GetDirectory(WellKnownDirectory.Root); if (!String.IsNullOrEmpty(rootDirPath)) { // Get info about root folder DirectoryInfo dirInfo = new DirectoryInfo(rootDirPath); // Get directory access control list DirectorySecurity directorySecurityInfo = dirInfo.GetAccessControl(); AuthorizationRuleCollection dirAccessRules = directorySecurityInfo.GetAccessRules(true, true, typeof(NTAccount)); // Get identity reference of the BUILTIN\Users group IdentityReference bulitInUsersGroup = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null).Translate(typeof(NTAccount)); // Check if BUILTIN\Users group have modify/write rights for the agent root folder List <FileSystemAccessRule> potentiallyInsecureRules = dirAccessRules.OfType <FileSystemAccessRule>().AsParallel() .Where(rule => rule.IdentityReference == bulitInUsersGroup && (rule.FileSystemRights.HasFlag(FileSystemRights.Write) || rule.FileSystemRights.HasFlag(FileSystemRights.Modify))) .ToList <FileSystemAccessRule>(); // Notify user if there are some potentially insecure access rules for the agent root folder if (potentiallyInsecureRules.Count != 0) { Trace.Warning("The {0} group have the following permissions to the agent root folder: ", bulitInUsersGroup.ToString()); potentiallyInsecureRules.ForEach(accessRule => Trace.Warning("- {0}", accessRule.FileSystemRights.ToString())); _term.Write(StringUtil.Loc("agentRootFolderInsecure", bulitInUsersGroup.ToString())); } } else { Trace.Warning("Can't get path to the agent root folder, check was skipped."); } } catch (Exception ex) { Trace.Warning("Can't check permissions for agent root folder:"); Trace.Warning(ex.Message); _term.Write(StringUtil.Loc("agentRootFolderCheckError")); } }
public void ClearDenyACEs(string path) { if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) { FileSecurity fs = new FileSecurity(path, AccessControlSections.Access); AuthorizationRuleCollection rules = fs.GetAccessRules(true, true, typeof(SecurityIdentifier)); SecurityIdentifier user = WindowsIdentity.GetCurrent().User; AuthorizationRuleCollection newRules = new AuthorizationRuleCollection(); FileSystemSecurity fssNew = new FileSecurity(); foreach (FileSystemAccessRule rule in rules.OfType <FileSystemAccessRule>()) { if (rule.IdentityReference == user && rule.AccessControlType == AccessControlType.Deny) { fs.RemoveAccessRule(rule); FileInfo fi = new FileInfo(path); fi.SetAccessControl(fs); } } } }
private static bool IsFileSystemAccessRuleSet(FileSystemRights rights, CommonObjectSecurity commonObjectSecurity, AccessControlType accessControlType) { AuthorizationRuleCollection rules = commonObjectSecurity.GetAccessRules(true, false, typeof(SecurityIdentifier)); return(rules.OfType <FileSystemAccessRule>().Any(fs => fs.FileSystemRights.HasFlag(rights) && fs.AccessControlType == accessControlType)); }