
I am trying to get the effective rights a user has on a file using interop in C#. The following is the code I am using:

    public static FileSystemRights GetFileEffectiveRights(string FileName, string UserName)
    {
        IntPtr pDacl, pZero = IntPtr.Zero;
        int Mask = 0;
        // Request only the DACL; the owner, group, SACL and security descriptor
        // outputs are all written to pZero and not used afterwards.
        uint errorReturn = GetNamedSecurityInfo(FileName, SE_OBJECT_TYPE.SE_FILE_OBJECT, SECURITY_INFORMATION.Dacl,
            out pZero, out pZero, out pDacl, out pZero, out pZero);
        if (errorReturn != 0)
        {
            throw new Exception("Win error : " + errorReturn);
        }
        // Describe the trustee by account name.
        Program.TRUSTEE pTrustee = new TRUSTEE();
        pTrustee.pMultipleTrustee = IntPtr.Zero;
        pTrustee.MultipleTrusteeOperation = (int)Program.MULTIPLE_TRUSTEE_OPERATION.NO_MULTIPLE_TRUSTEE;
        pTrustee.ptstrName = UserName;
        pTrustee.TrusteeForm = (int)Program.TRUSTEE_FORM.TRUSTEE_IS_NAME;
        pTrustee.TrusteeType = (int)Program.TRUSTEE_TYPE.TRUSTEE_IS_USER;
        // Compute the access mask the DACL grants to that trustee.
        errorReturn = GetEffectiveRightsFromAcl(pDacl, ref pTrustee, ref Mask);
        if (errorReturn != 0)
        {
            throw new Exception("Win error : " + errorReturn);
        }
        return (FileSystemRights)Mask;
    }

This code works fine until I start modifying the ACL structure using the classes FileAccessRule and FileInfo, and then I start getting Windows Error 1336: ERROR_INVALID_ACL. The same happens if I debug the process: I call GetFileEffectiveRights once, pause the process, change the ACL through the Windows API, and resume and call GetFileEffectiveRights again (the first call succeeds but the second gives 1336).
What is going wrong?
PS: I am developing on Windows 7 using VS 2008 and .NET 3.5.
EDIT: I only get the error when I try to get rights for a file for which a non-inherited ACE was added through the Windows GUI / C#'s File API.

apoorv020

1 Answer

The problem is in the other part of your problem, which changes the ACL through the Windows API.

The order of ACEs in a DACL is very important. In http://support.microsoft.com/kb/269175/en, for example, you will find the full description of the correct ACE order and a code example.

If you still have the same problem, just post the code example of the ACL modification in your question.

Oleg
  • I'm using the standard msdn sample code on http://msdn.microsoft.com/en-us/library/system.io.directoryinfo.setaccesscontrol%28v=VS.100%29.aspx and http://msdn.microsoft.com/en-us/library/system.io.fileinfo.setaccesscontrol.aspx to change the ACLs. – apoorv020 Jun 19 '10 at 12:32
  • According to http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.filesecurity.aspx: "The FileSecurity class hides many of the details of DACLs and SACLs; you do not have to worry about ACE ordering or null DACLS." and http://msdn.microsoft.com/en-us/library/system.security.accesscontrol.directorysecurity.aspx: "The DirectorySecurity class hides many of the details of DACLs and SACLs; you do not have to worry about ACE ordering or null DACLS." The order of ACEs must be correct. Nevertheless, you have a bug somewhere. Try changing the SD and then verify in Explorer that no error exists. – Oleg Jun 19 '10 at 13:15
  • In case of a wrong Security Descriptor you will see an error message if you try to look at the details of the wrong Security Descriptor in Explorer. – Oleg Jun 19 '10 at 13:16
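
The answer above stresses that ACE order in a DACL matters. As an added example (not part of the original thread), the following C# sketch checks a DACL for the basic canonical order: explicit deny, then explicit allow, then inherited ACEs. The class and method names and the SDDL strings are constructed for illustration.

```csharp
using System;
using System.Security.AccessControl;

static class DaclOrderCheck
{
    // Rank of an ACE in the canonical DACL order: explicit deny (0),
    // explicit allow (1), inherited (2). Inherited ACEs are not ordered
    // further here because their source level is not stored in the flags.
    static int Rank(GenericAce ace)
    {
        if ((ace.AceFlags & AceFlags.Inherited) != 0) return 2;
        QualifiedAce q = ace as QualifiedAce;
        if (q == null) throw new NotSupportedException("Unhandled ACE type: " + ace.AceType);
        return q.AceQualifier == AceQualifier.AccessDenied ? 0 : 1;
    }

    // Returns the index of the first out-of-order ACE, or -1 if the order is canonical.
    public static int FirstMisplacedAce(RawAcl dacl)
    {
        int highest = 0;
        for (int i = 0; i < dacl.Count; i++)
        {
            int rank = Rank(dacl[i]);
            if (rank < highest) return i;   // a lower-ranked ACE follows a higher-ranked one
            highest = rank;
        }
        return -1;
    }

    static void Main()
    {
        // Constructed SDDL samples, not taken from a real file.
        string[] samples = {
            "D:(D;;FA;;;WD)(A;;FA;;;BA)(A;ID;FR;;;BU)",  // canonical
            "D:(A;;FA;;;BA)(D;;FA;;;WD)",                // explicit allow before explicit deny
            "D:(A;ID;FR;;;BU)(A;;FA;;;BA)"               // inherited before explicit
        };
        foreach (string sddl in samples)
        {
            RawSecurityDescriptor sd = new RawSecurityDescriptor(sddl);
            int bad = FirstMisplacedAce(sd.DiscretionaryAcl);
            Console.WriteLine("{0} -> {1}", sddl,
                bad < 0 ? "canonical" : "ACE " + bad + " is out of order");
        }
    }
}
```

For a real file, the descriptor can be built from `FileSecurity.GetSecurityDescriptorBinaryForm()`, and `FileSecurity.AreAccessRulesCanonical` reports the framework's own verdict on the same DACL.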