c# - How does Windows resolve conflicting FileSystem permissions/rights?


In the security system of Windows, a user can belong to many groups, and a group can contain other groups. What are the 'rules' for how conflicting permissions are resolved in Windows?

For instance, a user is in group A and in group B. Group A has 'deny read' on a file while 'group B' has 'allow read'. Can the user read the file?

What if the user has been denied the rights to read something, but it's explicitly allowed in a group permission?

While I know how to get the permissions for a particular filesystem resource via the AccessRules and the rights they expose, since the rules target a specific IdentityReference (user or group), I have seen conflicts and am trying to determine the logic to figure out 'who wins'.

...or is there a known way to 'get me the rights for this user, taking into consideration group memberships' and let the system worry about it? (I'm surprised I haven't found this already. What I'm doing seems like an awful lot of work.)

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.AccessControl;
using System.Security.Principal;

var identity = WindowsIdentity.GetCurrent();
var fileInfo = new FileInfo(@"c:\code\path\to\some\file.txt");

// Identity references for the user (the user's own SID and its groups)
var identityReferences = new HashSet<IdentityReference>();
identityReferences.Add(identity.User);
foreach (var group in identity.Groups)
    identityReferences.Add(group);

// Rules that apply to the user on this specific FileInfo
var fileSystemAccessRules = fileInfo.GetAccessControl()
    .GetAccessRules(true, true, typeof(SecurityIdentifier))
    .OfType<FileSystemAccessRule>()
    .Where(rule => identityReferences.Contains(rule.IdentityReference));

FileSystemRights allowedUserRightsMask = 0;
FileSystemRights deniedUserRightsMask  = 0;

// Masks of all granted and all denied rights.
// FileSystemRights is a value type, so OR-ing into a local copy chosen by
// a ternary would never update the two masks above; assign to them directly.
foreach (var fileSystemAccessRule in fileSystemAccessRules)
{
    var ruleRights = fileSystemAccessRule.FileSystemRights;

    if (fileSystemAccessRule.AccessControlType == AccessControlType.Allow)
        allowedUserRightsMask |= ruleRights;
    else
        deniedUserRightsMask |= ruleRights;
}

// Final user rights mask here.
```

The precedence is determined by the order of the ACEs, as described in the oddly named How AccessCheck Works in MSDN:

The system examines each ACE in sequence until one of the following events occurs:

An access-denied ACE explicitly denies any of the requested access rights to one of the trustees listed in the thread's access token.

One or more access-allowed ACEs for trustees listed in the thread's access token explicitly grant all the requested access rights.

All ACEs have been checked and there is still at least one requested access right that has not been explicitly allowed, in which case access is implicitly denied.

There is a standard order in which the ACEs in a DACL should appear, described in Order of ACEs in a DACL. If the permissions have been set by the built-in Windows tools, the ACEs will be in this order, and the rules work as Esteban described in his answer (see the referenced article). Note, however, that a DACL does not have to follow the standard. Applications can set a DACL that does not, though it is unwise to do so, because it confuses the Windows GUI.

(Note that some APIs may automatically reorder the ACEs in an ACL into the standard order; if you need to retain the actual order of the ACEs in an ACL, make sure you are using an API that does not do this.)

To complicate matters, there are additional rules, such as the fact that the owner of an object has READ_CONTROL and WRITE_DAC granted implicitly, and there are additional trustees such as INTERACTIVE in a typical access token that are not related to group membership.

Typically, the correct behaviour is not to attempt to determine what access rights you have, but rather to attempt whatever action you want to take and handle the error if it fails. (In particular, keep in mind that access to a file may fail for reasons other than access rights, such as because the file is in use by another process.)

However, in the rare cases where you do need to determine the applicable access rights, you can do so using the AuthzAccessCheck() function. Sample code is available in the documentation on the (deprecated and inaccurate) GetEffectiveRightsFromAcl() function.

(I am not familiar enough with .NET to be sure whether it contains a built-in equivalent; I would guess not. However, you can P/Invoke it if necessary.)
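The ACE-walking procedure quoted above, simulated over a constructed DACL for the question's "deny in group A, allow in group B" scenario. This is an added example, not code from the question or the answer; the `Ace` class, the simplified READ/WRITE/EXECUTE bits and the trustee names are assumptions, and the deny test is applied to the rights not yet granted by an earlier allow ACE, which is what makes a non-canonical ordering come out differently from the canonical one.

```python
from dataclasses import dataclass

# Constructed, simplified right bits; not the real FILE_* access-mask constants.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # stand-in for a SID: the user or one of its groups
    rights: int    # access mask covered by this ACE

def access_check(dacl, token_trustees, requested):
    """Walk the DACL in ACE order and return (granted, reason).

    Models the three stopping conditions quoted above: a matching deny ACE
    that covers a requested right still outstanding stops the walk with a
    denial; allow ACEs accumulate until every requested right is covered;
    reaching the end with rights left over is an implicit deny.
    """
    remaining = requested
    for i, ace in enumerate(dacl):
        if ace.trustee not in token_trustees:
            continue  # ACE is for a trustee not in the token: ignored
        if ace.kind == "deny" and ace.rights & remaining:
            return False, f"denied by ACE {i} for {ace.trustee}"
        if ace.kind == "allow":
            remaining &= ~ace.rights
            if remaining == 0:
                return True, f"granted, last needed ACE {i} for {ace.trustee}"
    return False, f"implicit deny, unsatisfied rights mask 0x{remaining:x}"

# The question's scenario: the user is in GroupA (deny read) and GroupB (allow read).
TOKEN = {"User", "GroupA", "GroupB"}
CANONICAL = [Ace("deny", "GroupA", READ), Ace("allow", "GroupB", READ)]      # deny first
NON_CANONICAL = [Ace("allow", "GroupB", READ), Ace("deny", "GroupA", READ)]  # allow first
ALLOW_ONLY = [Ace("allow", "GroupB", READ)]                                  # nothing grants WRITE

if __name__ == "__main__":
    print(access_check(CANONICAL, TOKEN, READ))          # (False, 'denied by ACE 0 ...')
    print(access_check(NON_CANONICAL, TOKEN, READ))      # (True, 'granted, ...')
    print(access_check(ALLOW_ONLY, TOKEN, READ | WRITE)) # (False, 'implicit deny ...')
```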
