File Security / Permissions

[Dmyze]

How do you read file permissions?

In Windows NT if you right-click on a file, choose properties you can see a tab called "Security" and under that you will see a list of users who have permission to access the file. I would like to read that list and make sure files have the correct permissions.

[Dmyze]

Ok, this code will retrun a list of users who have permissions to a file and the SID that is connected to the user. Anyone know how to read the SID and get permissions? I tried looking at the SID (ie S-1-5-21-2127521184-1604012920-1887927527-820657) changing the user's permission to the file, and then looking at the SID again, but the SID was unchanged.

Code:

   Public Shared Sub Main()

  Dim ie As IEnumerator
  Dim path As New ManagementPath()

         path.Server = "."
         path.NamespacePath = "root\cimv2"
         path.RelativePath = "Win32_LogicalFileSecuritySetting.Path='c:\\test.txt'" ' // using tmp as folder name
         ' using tmp as folder name
         Dim lfs As New ManagementObject(path)
         ' Dump all trustees (this includes owner)
         Dim b As ManagementBaseObject
         For Each b In lfs.GetRelated()
            ie = b.Properties.GetEnumerator

              Do Until ie.MoveNext = False
                Console.WriteLine(ie.Current.name & ": " & ie.Current.value.ToString)
              Loop
            Console.WriteLine(vbCrLf)
            'Console.WriteLine("Trustee: {0} " + ControlChars.Tab + " SID [{1}]", Left(b("AccountName"), 10), b("SID"))
         Next b ' Get the security descriptor for this object
        Console.Read()

   End Sub 'Main

[Dmyze]

Ok I got it, for anyone interested. I found some C# code that did it, and used http://www.aspalliance.com/aldotnet/...translate.aspx to translate it to VB.NET. Then spent a long time picking it apart, but this works:

sFile is the name and path of the file you are interested in.

Code:

   Public Shared Sub Main(ByVal sFile As String)

  Dim sSec As String
  Dim ie As IEnumerator
  Dim path As New ManagementPath()
  Dim oPath As System.IO.Path



    path.Server = "."
    path.NamespacePath = "root\cimv2"
    path.Path = "Win32_LogicalFileSecuritySetting.Path='" & sFile & "'"

  Dim lfs As New ManagementObject(path)
  Dim b As ManagementBaseObject

    Dim outParams As ManagementBaseObject = lfs.InvokeMethod("GetSecurityDescriptor", Nothing, Nothing)
        Dim i As UInt32

         If outParams.Properties("ReturnValue").Value.Equals(i) Then 'ToDo: Unsigned Integers not supported
            Dim Descriptor As ManagementBaseObject = outParams.Properties("Descriptor").Value
            Dim DaclObject As ManagementBaseObject() = Descriptor.Properties("Dacl").Value
            DumpACEs(DaclObject, sSec)
           Dim OwnerObject As ManagementBaseObject = CType(Descriptor.Properties("Owner").Value, ManagementBaseObject)
           DumpOwnerProperties(OwnerObject.Properties, sSec) ' Show owner properies
         End If

        MsgBox(sSec)

   End Sub 'Main


Shared Sub DumpACEs(ByVal DaclObject() As ManagementBaseObject, ByRef sSec As String) '


   Dim mbo As ManagementBaseObject

    For Each mbo In DaclObject

      sSec = sSec & "-------------------------------------------------" & vbCrLf
      sSec = sSec & mbo("AccessMask").ToString & vbCrLf '& mbo("AceFlags").ToString & vbCrLf & mbo("AceType").ToString & vbCrLf
      ' Access allowed/denied ACE
      If mbo("AceType").ToString() = "1" Then
        sSec = sSec & "DENIED ACE TYPE" & vbCrLf
      Else
        sSec = sSec & "ALLOWED ACE TYPE" & vbCrLf
      End If ' Dump trustees

      Dim Trustee As ManagementBaseObject = mbo("Trustee")

      sSec = sSec & Trustee.Properties("Name").Value & vbCrLf
      sSec = sSec & Trustee.Properties("Domain").Value & vbCrLf
      sSec = sSec & Trustee.Properties("SIDString").Value & vbCrLf

    Next mbo

End Sub 'DumpACEs

   Shared Sub DumpOwnerProperties(ByVal Owner As PropertyDataCollection, ByRef sSec As String)
      'Used to find Owner Stuff, not used in this tool.
      sSec = sSec & vbCrLf & "=============== Owner Properties ========================" & vbCrLf
      sSec = sSec & vbCrLf
      sSec = sSec & "Domain {0} " + ControlChars.Tab + "Name {1}" & Owner("Domain").Value & Owner("Name").Value
      sSec = sSec & "SID " + ControlChars.Tab + "{0}" & Owner("SidString").Value
   End Sub 'DumpOwnerProperties

[Seppis]

Hi everybody!,
Is this possible with VB6?

[Frans C]

It is a bit more work with VB6.
I wrote some code a while back. You can find it in this thread

[Seppis]

Thank's for your reply Frans.
Code looks good.
Is it possible make function then return permissions when give username and filename parameters?
eg.
User have read permissions => function returns "R".User have read+write permissions => function returns "RW".

[Dmyze]

The access Mask I believe holds that information.

mbo("AccessMask").ToString

1179785 is read only

But I am just guessing off of making a file and giving people different permissions and looking at the number, so far it has always been consistent for me.

Of course these are used to get the user and domain:

Trustee.Properties("Name").Value
Trustee.Properties("Domain").Value

Just collect all the users and their permissions and then search through them for your user.

[cpatzer]

Do I really have to do all that just to get the file's owner?

[cpatzer]

I can't even import System.Managment why?

[Asgorath]

Originally posted by cpatzer
I can't even import System.Managment why?

You need to add the reference before you can import it..

Regards
Jorge

[cpatzer]

I did eventually get it to work thanks. I needed the owner of a file. This unfortunatly will not work on a samba share:

Code:

Imports System
Imports System.Management
Imports System.Security


Public Class SystemManagment

    Public Sub Main()
        QueryFileSecurity("c:\\temp")
    End Sub


    Public Sub QueryFileSecurity(ByVal fileName As String)

        Dim o As ManagementObject = New ManagementObject("Win32_LogicalFileSecuritySetting.Path=""" + fileName + """")
        Dim outP As ManagementBaseObject = o.InvokeMethod("GetSecurityDescriptor", Nothing, Nothing)
        If System.Convert.ToSingle(outP.Properties("ReturnValue").Value) = 0 Then
            Dim Descriptor As ManagementBaseObject = outP.Properties("Descriptor").Value
            Dim OwnerObject As ManagementBaseObject = Descriptor.Properties("Owner").Value
            Dim Owner As PropertyDataCollection = OwnerObject.Properties
            Dim OwnerText As String = Owner("Name").Value
            MsgBox(OwnerText)
        End If
    End Sub

End Class