Using WMI to grant permissions to new users on a folder

Discussion in 'ASP .Net Security' started by scsharma, Sep 23, 2005.

  1. scsharma

    scsharma Guest

    Hi,
    I would like to programmatically modify the security settings of a
    folder. I am using Windows XP Professional OS and C# as the programming
    language. I am using WMI (Windows Management Instrumentation) for that.
    I got a head start through code that I got from the Internet. Using WMI
    I was able to add new users to the folder and set their permissions correctly,
    but I am running into a strange problem where the inheritance property of all
    the existing trustee(s) is getting messed up. Here is what I am doing.

    I created a new folder using
    DirectoryInfo Path = new DirectoryInfo(ROOT_DIR);
    Path.CreateSubdirectory(nameDirectory);

    At this point I checked the security settings and everything looks fine for
    the newly created folder. I checked the inheritance property values for all
    the users for this directory using folder properties -> Security tab -> Advanced
    and I can see the list has the property value for "inherited from" set to the
    right value, which was c:\ in my case.
    Now I queried the security descriptor for the folder using the following code.
    ManagementBaseObject ret = null;

    ManagementPath path = new ManagementPath( );
    path.Server = @"."; // server name or .
    path.NamespacePath = @"root\cimv2";
    path.RelativePath = @"Win32_LogicalFileSecuritySetting.Path=" + "'" +
    nameDirectory + "'";

    ManagementObject lfs = new ManagementObject(path);
    bool EnablePrivileges = lfs.Scope.Options.EnablePrivileges;
    lfs.Scope.Options.EnablePrivileges =true;

    // Get the security descriptor.
    ManagementBaseObject outParams = lfs.InvokeMethod("GetSecurityDescriptor",
    null, null);
    if (((uint)(outParams.Properties["ReturnValue"].Value)) == 0) // if success
    {
    ManagementBaseObject Descriptor =
    ((ManagementBaseObject)(outParams.Properties["Descriptor"].Value));


    From the descriptor I got the DACL, and from the DACL I got the ACEs:

    ManagementBaseObject[] DaclObject =
    ((ManagementBaseObject[])(Descriptor.Properties["Dacl"].Value));

    // Add new ACE (Access Control Entry) to the list
    ManagementBaseObject[] newDACL = ACLACEHelperClass.AddACE(DaclObject,
    username, "", msk);

    When I assign newDACL to my newly created folder using the following code:

    Descriptor.Properties["Dacl"].Value = newDACL ;
    //Set the Security Descriptor
    ManagementBaseObject inParams =
    lfs.GetMethodParameters("SetSecurityDescriptor");
    inParams["Descriptor"] = Descriptor;
    ret = lfs.InvokeMethod("SetSecurityDescriptor", inParams, null);

    I find that the "inherited from" value for each trustee is changed to <not
    inherited>.
    In order to test whether adding the new ACE to the retrieved ACL list is causing
    this problem, I assigned the "DaclObject", the originally retrieved ACL, in the
    following line:

    Descriptor.Properties["Dacl"].Value = newDACL ;
    and I still got the same result. "Inherited from" for all the existing
    trustees had the value "Not Inherited".

    Has anyone run into the same problem? Does assigning the ACL mess up the
    inheritance properties of existing trustees, or is there something wrong that I
    am doing?
    Thanks a lot in advance and sorry for making this post long, but I wanted to
    provide as much information as I can.
    -
    Thanks
    SCS
     
    scsharma, Sep 23, 2005
    #1

  2. Hi,

    Currently I am looking for somebody who could help you on it. We will reply
    here with more information as soon as possible.
    If you have any more concerns on it, please feel free to post here.


    Thanks for your understanding!

    Best regards,

    Peter Huang
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Peter Huang [MSFT], Sep 24, 2005
    #2

  3. [MSFT]

    [MSFT] Guest

    Hello,

    Would you please provide more info/code about the class
    "ACLACEHelperClass"? With it, we may reproduce the problem, and see what
    happened.

    Thanks,

    Luke
     
    [MSFT], Sep 26, 2005
    #3
  4. scsharma

    scsharma Guest

    Here is the code to add an ACE to the ACL.

    using System;
    using System.Collections;
    using System.Management;

    // Mask, AceFlags, AceType and WriteSecurityDescriptor are defined elsewhere
    // in the helper class and are not shown here.
    public bool AddEntryToDacl(string TrusteeName, Enum AccessPrivileges)
    {
    Array newDACL;
    // Copy the non-inherited ACEs (the list is empty here, so only the new ACE
    // ends up in the DACL that is written back)
    ArrayList aceList = new ArrayList();
    // Creates and initializes a one-dimensional Array of type
    // ManagementBaseObject with space for one extra direct ACE.
    newDACL = Array.CreateInstance(typeof(ManagementBaseObject), aceList.Count + 1);
    // Copy the ArrayList to the Array
    aceList.CopyTo(newDACL);
    ManagementBaseObject trustee = null;
    ManagementBaseObject ace = null;

    // Initialize the new trustee (here a local account as sample)
    try
    {
    trustee = new ManagementClass(@"Win32_Trustee");
    // trustee.Properties["Domain"].Value = ""; // if domain other than the local machine
    trustee.Properties["Name"].Value = TrusteeName;
    }
    // catch if non-existing trustee
    catch (Exception e)
    {
    Console.WriteLine(e.Message);
    return false;
    }
    try
    {
    ace = new ManagementClass(@"Win32_ACE");
    ace.Properties["AccessMask"].Value = Mask.GenericRead;
    ace.Properties["AceFlags"].Value = AceFlags.NoPropagateInheritAce;
    ace.Properties["AceType"].Value = AceType.AccessAllowed;
    ace.Properties["Trustee"].Value = trustee;
    }
    catch (Exception e)
    {
    Console.WriteLine(e.Message);
    return false;
    }
    Console.WriteLine(newDACL.Length);
    // The last valid index is Length - 1; SetValue at Length throws IndexOutOfRangeException
    newDACL.SetValue(ace, newDACL.Length - 1);
    return WriteSecurityDescriptor((ManagementBaseObject[])newDACL);
    }

    But as you might have noted in my initial post, I think the problem is not
    with the code adding the ACE to the ACL. In fact, if you retrieve a security
    descriptor and, without making any modification to the ACL, set the retrieved
    ACL back, then you will also run into the problem mentioned in my initial post.
    Thanks a lot.

    -
    Thanks
    SCS


     
    scsharma, Sep 26, 2005
    #4
  5. [MSFT]

    [MSFT] Guest

    Hello,

    I added the following code as you described:

    ManagementBaseObject Descriptor =
    ((ManagementBaseObject)(outParams.Properties["Descriptor"].Value));
    ManagementBaseObject[] DaclObject =
    ((ManagementBaseObject[])(Descriptor.Properties["Dacl"].Value));

    Descriptor.Properties["Dacl"].Value = DaclObject;

    ManagementBaseObject inParams =
    lfs.GetMethodParameters("SetSecurityDescriptor");
    inParams["Descriptor"] = Descriptor;

    ManagementBaseObject ret = lfs.InvokeMethod("SetSecurityDescriptor",
    inParams, null);

    After running this code on my computer, I got several new items in the Permission
    entries list of the new folder. They are just replicates of the original ones,
    except that the "Inherited from" is set to "not inherited". Is this the same
    with you? (I am working on Windows 2003 Server and .NET Framework 1.1)

    Luke
     
    [MSFT], Sep 27, 2005
    #5
  6. scsharma

    scsharma Guest

    Yes. I was expecting the "inherited from" to be what they were before the new
    DACL is committed. Is there some bug in WMI for .NET?
    --
    Thanks
    SCS


     
    scsharma, Sep 27, 2005
    #6
  7. [MSFT]

    [MSFT] Guest

    Hello,

    I also suspect this issue is a bug. The key line may be:

    Descriptor.Properties["Dacl"].Value = DaclObject;

    and

    ManagementBaseObject ret = lfs.InvokeMethod("SetSecurityDescriptor",
    inParams, null);

    The old values are not replaced but appended.

    I will record this and hope it can be fixed in later version.

    Luke
     
    [MSFT], Sep 28, 2005
    #7
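    The behaviour described in this thread (inherited entries coming back as
    explicit "not inherited" copies after SetSecurityDescriptor) is what happens
    when the DACL returned by GetSecurityDescriptor, which includes the ACEs
    inherited from the parent with the INHERITED_ACE flag set, is written back as
    is. The following is an added example, not the poster's or Microsoft's code:
    it keeps only the folder's own explicit ACEs, appends the new one, and writes
    that back, leaving inheritance from the parent untouched. It assumes the
    folder exists on the local Windows host and that the caller may change its DACL.

```csharp
using System;
using System.Collections.Generic;
using System.Management;

// Added example, not the poster's or Microsoft's code. It assumes a folder
// that exists on the local Windows host and a caller allowed to change its DACL.
public static class WmiDaclWriter
{
    // Win32_ACE.AceFlags bits (ACE_HEADER flags)
    public const uint OBJECT_INHERIT_ACE    = 0x01;
    public const uint CONTAINER_INHERIT_ACE = 0x02;
    public const uint INHERITED_ACE         = 0x10;
    // Win32_ACE.AceType
    public const uint ACCESS_ALLOWED_ACE_TYPE = 0;

    // Keep only the ACEs set directly on this folder. Inherited ones come back
    // from GetSecurityDescriptor with INHERITED_ACE set; writing them back through
    // SetSecurityDescriptor stores them as explicit ("not inherited") copies next
    // to the still-inherited originals. The parent's ACEs are re-applied by
    // inheritance anyway, so dropping them here loses nothing.
    public static ManagementBaseObject[] ExplicitAcesOnly(ManagementBaseObject[] dacl)
    {
        List<ManagementBaseObject> kept = new List<ManagementBaseObject>();
        if (dacl == null) return kept.ToArray();   // descriptor without a DACL
        foreach (ManagementBaseObject ace in dacl)
        {
            if (((uint)ace["AceFlags"] & INHERITED_ACE) == 0)
                kept.Add(ace);
        }
        return kept.ToArray();
    }

    // Build an allow ACE for one account; domain "" (or null) means a local account.
    public static ManagementBaseObject BuildAllowAce(string domain, string name, uint accessMask)
    {
        ManagementObject trustee = new ManagementClass("Win32_Trustee").CreateInstance();
        trustee["Domain"] = domain;
        trustee["Name"] = name;
        ManagementObject ace = new ManagementClass("Win32_ACE").CreateInstance();
        ace["AccessMask"] = accessMask;
        ace["AceFlags"] = OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE; // apply to children too
        ace["AceType"] = ACCESS_ALLOWED_ACE_TYPE;
        ace["Trustee"] = trustee;
        return ace;
    }

    // Read the descriptor, drop inherited ACEs, append the new one, write it back.
    // Returns the WMI ReturnValue (0 = success).
    public static uint AddAceToFolder(string folder, ManagementBaseObject newAce)
    {
        ManagementPath path = new ManagementPath();
        path.Server = ".";
        path.NamespacePath = @"root\cimv2";
        path.RelativePath = "Win32_LogicalFileSecuritySetting.Path='" + folder + "'";

        ManagementObject lfs = new ManagementObject(path);
        lfs.Scope.Options.EnablePrivileges = true; // needed to read and write the descriptor

        ManagementBaseObject outParams = lfs.InvokeMethod("GetSecurityDescriptor", null, null);
        uint rc = (uint)outParams["ReturnValue"];
        if (rc != 0) return rc;

        ManagementBaseObject descriptor = (ManagementBaseObject)outParams["Descriptor"];
        List<ManagementBaseObject> dacl = new List<ManagementBaseObject>(
            ExplicitAcesOnly((ManagementBaseObject[])descriptor["Dacl"]));
        dacl.Add(newAce);
        descriptor["Dacl"] = dacl.ToArray();

        ManagementBaseObject inParams = lfs.GetMethodParameters("SetSecurityDescriptor");
        inParams["Descriptor"] = descriptor;
        ManagementBaseObject result = lfs.InvokeMethod("SetSecurityDescriptor", inParams, null);
        return (uint)result["ReturnValue"];
    }
}
```

    After a successful call, the folder's Security -> Advanced view should list the new account once and still show the parent's entries as inherited; an explicit copy of every inherited entry is the sign that a DACL was written back unfiltered.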
  8. Hello [MSFT],

    have you tried that?

    http://www.leastprivilege.com/ACLSupportForNET.aspx

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Sep 28, 2005
    #8
  9. scsharma

    scsharma Guest

    I tried that, but using this code I cannot add domain users to file
    permission lists. If I set the user id as <domain-name>\<userid> in the
    following line:

    dacl.AddAce (new AceAccessAllowed (new Sid (@"<domain-name>\<userid>"),
    AccessType.GENERIC_ALL));

    I don't see the user being added to the list of trustees. I checked the list
    of trustees by navigating:
    Properties of file -> Security.
    I am pretty sure that the format of the "user id" I am passing is correct, because
    if I use any other format or some user which does not exist in our domain
    then I get the following error:


    An unhandled exception of type 'System.Runtime.InteropServices.COMException'
    occurred in mscorlib.dll

    Additional information: No mapping between account names and security IDs
    was done
    Can you please let me know what I am missing?


    --
    Thanks
    SCS


     
    scsharma, Sep 28, 2005
    #9
  10. scsharma

    scsharma Guest

    One more thing, Dominick. Did this code work for you? I wrote very simple
    code where I added and removed a couple of trustees and then set the DACL back
    to the security descriptor. I am surprised to see that the changes are not
    reflected on the actual file.
    Here is the sample code:


    string filename = ROOT_DIR + nameDirectory;
    // Verbatim string: in "c:\temp" the \t would be a tab character, not a backslash
    SecurityDescriptor secDesc =
    SecurityDescriptor.GetFileSecurity(@"c:\temp", SECURITY_INFORMATION.DACL_SECURITY_INFORMATION);

    Dacl dAcl = secDesc.Dacl;
    dAcl.AddAce(new AceAccessAllowed(new Sid("ftpuser"), AccessType.GENERIC_READ));

    dAcl.RemoveAces(new Sid(@"BatchFTP"));
    // I am attaching the output of the following print statements at the end of this post.
    foreach (Ace ace in dAcl)
    {
    Console.Write("ACE SID: {0} ", ace.Sid.CanonicalName);
    Console.Write("ACE Type: {0} ", ace.Type);
    Console.WriteLine("ACE AccessType: {0} (0x{0:X})",
    (EventAccessType)ace.AccessType);
    }
    secDesc.SetDacl(dAcl);

    ---Output of print statements----------------------
    ACE SID: BUILTIN\Administrators ACE Type:
    ACCESS_ALLOWED_ACE_TYPE ACE AccessType: 2032127 (0x001F01FF)
    ACE SID: NT AUTHORITY\SYSTEM ACE Type: ACCESS_ALLOWED_ACE_TYPE
    ACE AccessType: 2032127 (0x001F01FF)
    ACE SID: AOC\ssharma ACE Type: ACCESS_ALLOWED_ACE_TYPE ACE
    AccessType: 2032127 (0x001F01FF)
    ACE SID: CREATOR OWNER ACE Type: ACCESS_ALLOWED_ACE_TYPE ACE
    AccessType: GENERIC_ALL (0x10000000)
    ACE SID: BUILTIN\Users ACE Type: ACCESS_ALLOWED_ACE_TYPE ACE
    AccessType: 1179817 (0x001200A9)
    ACE SID: BUILTIN\Users ACE Type: ACCESS_ALLOWED_ACE_TYPE ACE
    AccessType: 4 (0x00000004)
    ACE SID: BUILTIN\Users ACE Type: ACCESS_ALLOWED_ACE_TYPE ACE
    AccessType: EVENT_MODIFY_STATE (0x00000002)
    ACE SID: SSHARMA\f4 ACE Type: ACCESS_ALLOWED_ACE_TYPE ACE
    AccessType: GENERIC_READ (0x80000000)
    --------End of print

    Am I missing something? The output has all the trustees that I had added,
    but when I check the permissions on the file using file properties -> Security tab,
    I still see the "BatchFTP" group though I have removed that in the above code. Also,
    user "ssharma\f4" is not there.




    Thanks
    SCS


     
    scsharma, Sep 28, 2005
    #10
  11. Hello scsharma,

    I never tried it - just thought this could be helpful for you.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Sep 28, 2005
    #11
  12. scsharma

    scsharma Guest

    Thanks for the help and taking time to post the information. I wish it had
    worked for me.
    --
    Thanks
    SCS


     
    scsharma, Sep 28, 2005
    #12