using System.Security.AccessControl;
using System.Security.Principal;
using System.Text;
namespace IisLogRotator
{
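/// <summary>
/// Answers "can this identity read / write / ... this file or directory?" by
/// inspecting the object's DACL.
///
/// Original code by Bruce Hatt,
/// http://www.codeproject.com/useritems/UserFileAccessRights.asp
///
/// Model: every access rule whose identity is the principal's own SID or one of
/// its token group SIDs is folded into two masks, the union of all matching Allow
/// rules and the union of all matching Deny rules. A right is reported as usable
/// only when every one of its bits is allowed and none of its bits is denied, so
/// any matching Deny wins ("rule of least privilege"). Folding the masks fixes two
/// weaknesses of a per-rule comparison: a Deny of a single component (say
/// WriteData) now blocks every composite right built on it (Write, Modify,
/// FullControl), and an Allow spread over several rules still adds up.
///
/// Caveats a caller should know about:
/// <list type="bullet">
/// <item>NOTE(review): Windows evaluates ACEs in order and stops once every
/// requested bit has been granted, so an explicit Allow that precedes an inherited
/// Deny wins in Windows but is reported as denied here. The answer is therefore
/// conservative, never optimistic, for a canonically ordered DACL.</item>
/// <item>Only the DACL is consulted. The implicit rights of the object owner,
/// privileges such as backup/restore/take-ownership, and "deny-only" group SIDs
/// in a filtered (UAC) token are not modelled — confirm this is acceptable for
/// the callers of this class.</item>
/// <item>This is an advisory snapshot taken at construction time. The
/// authoritative answer is still the outcome of attempting the operation; the
/// ACL can change between this check and the use.</item>
/// </list>
/// </summary>
public class UserFileAccessRights
{
    private readonly string _path;
    private readonly WindowsIdentity _principal;

    /// <summary>Union of every right granted to the principal or one of its groups.</summary>
    private readonly FileSystemRights _allowed;

    /// <summary>Union of every right denied to the principal or one of its groups.</summary>
    private readonly FileSystemRights _denied;

    /// <summary>
    /// Rights reported by <see cref="ToString"/>, in print order. The names are
    /// spelled out in <see cref="s_reportedNames"/> because several
    /// <see cref="FileSystemRights"/> members share one value (ListDirectory/ReadData,
    /// CreateFiles/WriteData, CreateDirectories/AppendData, Traverse/ExecuteFile)
    /// and Enum.ToString would pick only one of each pair.
    /// </summary>
    private static readonly FileSystemRights[] s_reportedRights =
    {
        FileSystemRights.AppendData,
        FileSystemRights.ChangePermissions,
        FileSystemRights.CreateDirectories,
        FileSystemRights.CreateFiles,
        FileSystemRights.Delete,
        FileSystemRights.DeleteSubdirectoriesAndFiles,
        FileSystemRights.ExecuteFile,
        FileSystemRights.FullControl,
        FileSystemRights.ListDirectory,
        FileSystemRights.Modify,
        FileSystemRights.Read,
        FileSystemRights.ReadAndExecute,
        FileSystemRights.ReadAttributes,
        FileSystemRights.ReadData,
        FileSystemRights.ReadExtendedAttributes,
        FileSystemRights.ReadPermissions,
        FileSystemRights.Synchronize,
        FileSystemRights.TakeOwnership,
        FileSystemRights.Traverse,
        FileSystemRights.Write,
        FileSystemRights.WriteAttributes,
        FileSystemRights.WriteData,
        FileSystemRights.WriteExtendedAttributes,
    };

    /// <summary>Display names parallel to <see cref="s_reportedRights"/>.</summary>
    private static readonly string[] s_reportedNames =
    {
        "AppendData",
        "ChangePermissions",
        "CreateDirectories",
        "CreateFiles",
        "Delete",
        "DeleteSubdirectoriesAndFiles",
        "ExecuteFile",
        "FullControl",
        "ListDirectory",
        "Modify",
        "Read",
        "ReadAndExecute",
        "ReadAttributes",
        "ReadData",
        "ReadExtendedAttributes",
        "ReadPermissions",
        "Synchronize",
        "TakeOwnership",
        "Traverse",
        "Write",
        "WriteAttributes",
        "WriteData",
        "WriteExtendedAttributes",
    };

    // Each Can* property asks the same question for one right: all of its bits
    // allowed and none of them denied. See IsEffective.
    public bool CanAppendData { get { return Can(FileSystemRights.AppendData); } }
    public bool CanChangePermissions { get { return Can(FileSystemRights.ChangePermissions); } }
    public bool CanCreateDirectories { get { return Can(FileSystemRights.CreateDirectories); } }
    public bool CanCreateFiles { get { return Can(FileSystemRights.CreateFiles); } }
    public bool CanDelete { get { return Can(FileSystemRights.Delete); } }
    public bool CanDeleteSubdirectoriesAndFiles { get { return Can(FileSystemRights.DeleteSubdirectoriesAndFiles); } }
    public bool CanExecuteFile { get { return Can(FileSystemRights.ExecuteFile); } }
    public bool CanFullControl { get { return Can(FileSystemRights.FullControl); } }
    public bool CanListDirectory { get { return Can(FileSystemRights.ListDirectory); } }
    public bool CanModify { get { return Can(FileSystemRights.Modify); } }
    public bool CanRead { get { return Can(FileSystemRights.Read); } }
    public bool CanReadAndExecute { get { return Can(FileSystemRights.ReadAndExecute); } }
    public bool CanReadAttributes { get { return Can(FileSystemRights.ReadAttributes); } }
    public bool CanReadData { get { return Can(FileSystemRights.ReadData); } }
    public bool CanReadExtendedAttributes { get { return Can(FileSystemRights.ReadExtendedAttributes); } }
    public bool CanReadPermissions { get { return Can(FileSystemRights.ReadPermissions); } }
    public bool CanSynchronize { get { return Can(FileSystemRights.Synchronize); } }
    public bool CanTakeOwnership { get { return Can(FileSystemRights.TakeOwnership); } }
    public bool CanTraverse { get { return Can(FileSystemRights.Traverse); } }
    public bool CanWrite { get { return Can(FileSystemRights.Write); } }
    public bool CanWriteAttributes { get { return Can(FileSystemRights.WriteAttributes); } }
    public bool CanWriteData { get { return Can(FileSystemRights.WriteData); } }
    public bool CanWriteExtendedAttributes { get { return Can(FileSystemRights.WriteExtendedAttributes); } }

    /// <summary>The identity whose access was evaluated.</summary>
    public WindowsIdentity GetWindowsIdentity
    {
        get { return _principal; }
    }

    /// <summary>The file or directory path whose DACL was evaluated.</summary>
    public string GetPath
    {
        get { return _path; }
    }

    /// <summary>
    /// Convenience constructor: evaluates <paramref name="path"/> for the identity
    /// of the current thread/process (<see cref="WindowsIdentity.GetCurrent()"/>).
    /// </summary>
    /// <param name="path">File or directory to inspect.</param>
    public UserFileAccessRights(string path)
        : this(path, WindowsIdentity.GetCurrent())
    {
    }

    /// <summary>
    /// Reads the DACL of <paramref name="path"/> and evaluates it for
    /// <paramref name="principal"/>. The evaluation happens here so that a
    /// constructed instance always carries a complete answer.
    /// </summary>
    /// <param name="path">File or directory to inspect.</param>
    /// <param name="principal">Identity (user SID plus token groups) to evaluate.</param>
    /// <exception cref="System.ArgumentNullException"><paramref name="principal"/> is null.</exception>
    /// <exception cref="System.ArgumentException"><paramref name="path"/> is null or empty.</exception>
    public UserFileAccessRights(string path, WindowsIdentity principal)
    {
        // The original guard used '||', which let a null principal or an empty path
        // through to a NullReferenceException / ArgumentException deeper down, and
        // silently built an object with no rights when both were missing. Fail
        // loudly instead: an access check against nothing is a caller bug.
        if (principal == null)
        {
            throw new System.ArgumentNullException("principal");
        }
        if (string.IsNullOrEmpty(path))
        {
            throw new System.ArgumentException("A file or directory path is required.", "path");
        }

        _path = path;
        _principal = principal;

        // Any exception raised while reading the DACL (missing object, no permission
        // to read its security descriptor) is left to propagate: without a DACL there
        // is nothing meaningful to report and a silent "no access" would hide the cause.
        System.IO.FileInfo info = new System.IO.FileInfo(_path);
        AuthorizationRuleCollection acl =
            info.GetAccessControl().GetAccessRules(true, true, typeof(SecurityIdentifier));

        FileSystemRights allowed;
        FileSystemRights denied;
        EvaluateRules(acl, _principal.User, _principal.Groups, out allowed, out denied);
        _allowed = allowed;
        _denied = denied;
    }

    /// <summary>
    /// Folds every rule in <paramref name="rules"/> that names <paramref name="user"/>
    /// or one of <paramref name="groups"/> into an allowed mask and a denied mask.
    /// Inherit-only rules are skipped: such an ACE exists to be propagated to
    /// children and does not control access to the object it is attached to.
    /// </summary>
    /// <param name="rules">Access rules, e.g. from FileSecurity.GetAccessRules; every
    /// element must be a <see cref="FileSystemAccessRule"/>. May be null.</param>
    /// <param name="user">The principal's own SID.</param>
    /// <param name="groups">The principal's token groups; may be null.</param>
    /// <param name="allowed">Union of the rights of every matching Allow rule.</param>
    /// <param name="denied">Union of the rights of every matching Deny rule.</param>
    public static void EvaluateRules(
        System.Collections.IEnumerable rules,
        IdentityReference user,
        IdentityReferenceCollection groups,
        out FileSystemRights allowed,
        out FileSystemRights denied)
    {
        allowed = 0;
        denied = 0;
        if (rules == null)
        {
            return;
        }

        foreach (FileSystemAccessRule rule in rules)
        {
            if (rule == null || !AppliesTo(rule.IdentityReference, user, groups))
            {
                continue;
            }
            if ((rule.PropagationFlags & PropagationFlags.InheritOnly) != 0)
            {
                continue;
            }

            if (rule.AccessControlType == AccessControlType.Deny)
            {
                denied |= rule.FileSystemRights;
            }
            else if (rule.AccessControlType == AccessControlType.Allow)
            {
                allowed |= rule.FileSystemRights;
            }
        }
    }

    /// <summary>
    /// True when every bit of <paramref name="right"/> is present in
    /// <paramref name="allowed"/> and none of them is present in
    /// <paramref name="denied"/>.
    /// </summary>
    /// <param name="right">The (possibly composite) right being asked about.</param>
    /// <param name="allowed">Union of granted rights.</param>
    /// <param name="denied">Union of denied rights.</param>
    /// <returns>Whether the right is usable under the "any deny wins" model.</returns>
    public static bool IsEffective(FileSystemRights right, FileSystemRights allowed, FileSystemRights denied)
    {
        return (denied & right) == 0 && (allowed & right) == right;
    }

    /// <summary>
    /// Simply displays all allowed rights.
    ///
    /// Useful if, say, you test for write access and find it is false:
    /// <code>
    /// UserFileAccessRights rights = new UserFileAccessRights(txtLogPath.Text);
    /// if (rights.CanWrite &amp;&amp; rights.CanRead) {
    ///     lblLogMsg.Text = "R/W access";
    /// } else if (rights.CanWrite) {
    ///     lblLogMsg.Text = "Only Write access";
    /// } else if (rights.CanRead) {
    ///     lblLogMsg.Text = "Only Read access";
    /// } else {
    ///     lblLogMsg.CssClass = "error";
    ///     lblLogMsg.Text = rights.ToString();
    /// }
    /// </code>
    /// </summary>
    /// <returns>Comma-separated names of the usable rights, or "None".</returns>
    public override string ToString()
    {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < s_reportedRights.Length; i++)
        {
            if (!Can(s_reportedRights[i]))
            {
                continue;
            }
            if (sb.Length != 0)
            {
                sb.Append(",");
            }
            sb.Append(s_reportedNames[i]);
        }
        if (sb.Length == 0)
        {
            sb.Append("None");
        }
        return sb.ToString();
    }

    /// <summary>
    /// Convenience method to test if every bit of <paramref name="right"/> is
    /// present in the given rule's rights. Kept for callers of the original API;
    /// note it looks at one rule only, so it cannot tell whether a right is denied
    /// by another rule — use <see cref="IsEffective"/> for that.
    /// </summary>
    /// <param name="right">Right (possibly composite) to look for.</param>
    /// <param name="rule">Rule to inspect; null yields false.</param>
    /// <returns>True when the rule carries all bits of the right.</returns>
    public static bool Contains(FileSystemRights right, FileSystemAccessRule rule)
    {
        return rule != null && (rule.FileSystemRights & right) == right;
    }

    /// <summary>Evaluates one right against the masks computed at construction.</summary>
    private bool Can(FileSystemRights right)
    {
        return IsEffective(right, _allowed, _denied);
    }

    /// <summary>
    /// Whether a rule addressed to <paramref name="ruleIdentity"/> applies to the
    /// principal: it names the user SID itself or any SID in its token groups.
    /// </summary>
    private static bool AppliesTo(IdentityReference ruleIdentity, IdentityReference user, IdentityReferenceCollection groups)
    {
        if (ruleIdentity == null)
        {
            return false;
        }
        if (user != null && user.Equals(ruleIdentity))
        {
            return true;
        }
        return groups != null && groups.Contains(ruleIdentity);
    }
}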
}