
I'm getting a duplicate FileSystemAccessRule from this code below:

C:\inetpub\wwwroot\AspInfo\Account
BUILTIN\IIS_IUSRS : Allow : ReadAndExecute, Synchronize
BUILTIN\IIS_IUSRS : Allow : -1610612736
NT SERVICE\TrustedInstaller : Allow : FullControl
NT SERVICE\TrustedInstaller : Allow : 268435456

and I can't work out what or why it is.

And the permissions being shown don't match what I can see in the File Manager properties. For example, how do I find the "List Folder Contents" permission from this or a similar iteration? If anyone knows of an example within the .NET docs it would be helpful.

protected void directoryInfo()
{
  var di = new DirectoryInfo(Server.MapPath("/"));
  foreach (DirectoryInfo dir in di.GetDirectories())
  {
    Response.Write(dir.FullName + "<br/>");
    DirectorySecurity ds = dir.GetAccessControl();
    foreach (FileSystemAccessRule fsar in ds.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)))
    {
      string userName = fsar.IdentityReference.Value;
      string userRights = fsar.FileSystemRights.ToString();
      string userAccessType = fsar.AccessControlType.ToString();
      Response.Write(userName + " : " + userAccessType + " : " + userRights + "<br/>");
    }
  }
}
asked by jradxl (last edited by Timwi)

1 Answer


You will get separate rules entries for inherited rules and for rules that are explicitly set on that folder. There is also a difference depending on the propagation settings on each rule. For example, you can have one set of permissions that are set to propagate to subfolders, and a different set to files within the folder. Your code is also getting the audit rules (SACL) on the folder where you seem to just be wanting the access permissions (DACL).

Try this:

protected void directoryInfo()
{
  var di = new DirectoryInfo(Server.MapPath("/"));
  foreach (DirectoryInfo dir in di.GetDirectories())
  {
    Response.Write(dir.FullName + "<br/>");
    // Ask only for the DACL (access rules), not the other security sections
    DirectorySecurity ds = dir.GetAccessControl(AccessControlSections.Access);
    // includeExplicit = true, includeInherited = true: both kinds of rule are returned
    foreach (FileSystemAccessRule fsar in ds.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)))
    {
      string userName = fsar.IdentityReference.Value;
      string userRights = fsar.FileSystemRights.ToString();
      string userAccessType = fsar.AccessControlType.ToString();
      // Inherited and explicit rules for the same identity are separate entries
      string ruleSource = fsar.IsInherited ? "Inherited" : "Explicit";
      // Inheritance/propagation flags show which entries apply to subfolders, files, or only to children
      string rulePropagation = fsar.PropagationFlags.ToString();
      string ruleInheritance = fsar.InheritanceFlags.ToString();
      Response.Write(userName + " : " + userAccessType + " : " + userRights + " : " + ruleSource + " : " + rulePropagation + " : " + ruleInheritance + "<br/>");
    }
  }
}

The ReadAndExecute permission you're seeing includes the "List Folder Contents" permission. You can check for individual permissions by using the appropriate flag in the FileSystemRights enum. For example:

// FileSystemRights is a [Flags] enum: test a flag with bitwise AND (&& does not compile on enum values)
if ((fsar.FileSystemRights & FileSystemRights.ListDirectory) == FileSystemRights.ListDirectory)
  Console.WriteLine("Has List Directory permission");
answered by Andrew Cooper
  • The `if` evaluation utilizing `FileSystemRights` is not permitted. – Thomas Sep 23 '15 at 13:56
  • Should be able to simply check `if (FileSystemRights.ListDirectory) { ... }`. https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesystemrights(v=vs.110).aspx You should not have to see if you have `FileSystemRights` on a given directory - if you are in the loop, you have directories. If you have directories, you have `FileSystemAccessRule` properties. If you are in the loop of `FileSystemAccessRule` properties, you will have `FileSystemRights` properties, guaranteed. – vapcguy Mar 30 '17 at 00:06
  • @vapcguy how does that exclude FileSystemAuditRule items? – Chalky May 11 '17 at 21:57
  • @Chalky Who said anything about excluding FileSystemAuditRule items? Did you mean `FileSystemAccessRule` properties? Not following. All my point was is that you don't have to check `userRights = fsar.FileSystemRights.ToString();` or any of those properties because you already know you have rights if you can list it, i.e. `di.GetDirectories()` comes back with that directory. You don't need the 2nd `foreach` at all, above, to know if they have List Directory rights. – vapcguy May 12 '17 at 21:33
  • 1
    @vapcguy yes, you're right, they are already excluded both by GetAccessControl(AccessControlSections.Access) and also GetAccessRules(). Doh. – Chalky May 13 '17 at 00:19
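The following is an added example, not code from the question or the answer above, that ties the two together: it enumerates the DACL with the inheritance and propagation information the answer recommends, tests an individual flag with a bitwise AND, and decodes the numeric masks the question shows. Those numbers are the Win32 generic access bits, which have no named FileSystemRights member, so ToString() prints the raw value: 0xA0000000 (-1610612736) is GENERIC_READ | GENERIC_EXECUTE and 0x10000000 (268435456) is GENERIC_ALL. They appear on inherit-only entries (InheritanceFlags set, PropagationFlags containing InheritOnly) that exist so that new subfolders and files receive a rule; Windows maps the generic bits to specific file rights when the rule is actually inherited. The class name AclDump, the helpers Describe and HasRight, and the default path are this example's own choices; it assumes a Windows console application (on .NET Core / .NET 5+ the GetAccessControl call comes from the System.IO.FileSystem.AccessControl package).

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example (not from the question or answer): enumerate a folder's DACL and
// decode rule masks that FileSystemRights.ToString() prints as raw numbers.
static class AclDump
{
    // Win32 generic access bits. They appear in inherit-only ACEs and have no
    // named FileSystemRights member, so ToString() falls back to the raw value.
    const int GENERIC_ALL     = 0x10000000;               //  268435456 in the question
    const int GENERIC_EXECUTE = 0x20000000;
    const int GENERIC_WRITE   = 0x40000000;
    const int GENERIC_READ    = unchecked((int)0x80000000);
    const int GenericMask     = GENERIC_ALL | GENERIC_EXECUTE | GENERIC_WRITE | GENERIC_READ;

    // Split a mask into its named FileSystemRights part and its generic part.
    public static string Describe(FileSystemRights rights)
    {
        int mask = (int)rights;
        var specific = (FileSystemRights)(mask & ~GenericMask);   // bits the enum can name
        var names = new List<string>();
        if (specific != 0) names.Add(specific.ToString());
        if ((mask & GENERIC_READ) != 0)    names.Add("GENERIC_READ");
        if ((mask & GENERIC_WRITE) != 0)   names.Add("GENERIC_WRITE");
        if ((mask & GENERIC_EXECUTE) != 0) names.Add("GENERIC_EXECUTE");
        if ((mask & GENERIC_ALL) != 0)     names.Add("GENERIC_ALL");
        return names.Count == 0 ? "None" : string.Join(", ", names);
    }

    // Flag test on a [Flags] enum: bitwise AND, then compare against the flag.
    public static bool HasRight(FileSystemAccessRule rule, FileSystemRights right)
    {
        return (rule.FileSystemRights & right) == right;
    }

    public static void Main(string[] args)
    {
        // Assumed default; pass any folder path as the first argument.
        string path = args.Length > 0 ? args[0] : @"C:\inetpub\wwwroot";
        var di = new DirectoryInfo(path);

        // DACL only: owner, group and audit (SACL) sections are not requested.
        DirectorySecurity ds = di.GetAccessControl(AccessControlSections.Access);

        // includeExplicit = true, includeInherited = true; resolve SIDs to account names.
        foreach (FileSystemAccessRule r in ds.GetAccessRules(true, true, typeof(NTAccount)))
        {
            Console.WriteLine("{0} : {1} : {2} : {3} : inheritance={4} propagation={5} ListDirectory={6}",
                r.IdentityReference.Value,
                r.AccessControlType,
                Describe(r.FileSystemRights),
                r.IsInherited ? "Inherited" : "Explicit",
                r.InheritanceFlags,
                r.PropagationFlags,
                HasRight(r, FileSystemRights.ListDirectory));
        }

        // The two numeric masks from the question, decoded without touching the file system.
        Console.WriteLine("-1610612736 = " + Describe((FileSystemRights)(-1610612736)));
        Console.WriteLine("268435456 = " + Describe((FileSystemRights)268435456));
    }
}
```

Run it against the folder from the question and the two BUILTIN\IIS_IUSRS lines separate into one entry that applies to the folder itself (ReadAndExecute, Synchronize, reported as "List Folder Contents" in the Explorer dialog because ListDirectory is one of the bits ReadAndExecute contains) and one inherit-only entry carrying the generic bits for children that do not exist yet. Only the former has the flag test return true, which is the check the answer's snippet was reaching for.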