Using WMI to grant permissions to new users on a folder


scsharma

Hi,
I would like to programmatically modify the security settings of a
folder. I am using Windows XP Professional as the OS and C# as the programming
language. I am using WMI (Windows Management Instrumentation) for that.
I got a head start through some code that I got from the Internet. Using WMI
I was able to add new users to the folder and set their permissions correctly,
but I am running into a strange problem where the inheritance property of all
the existing trustees is getting messed up. Here is what I am doing.

I created a new folder using
DirectoryInfo Path = new DirectoryInfo(ROOT_DIR);
Path.CreateSubdirectory(nameDirectory);

At this point I checked the security settings and everything looks fine for
the newly created folder. I checked the inheritance property values for all
the users for this directory using folder properties -> Security tab -> Advanced
and I can see the list has the "Inherited from" property set to the
right value, which was c:\ in my case.
Now I queried the security descriptor for the folder using the following code.
ManagementBaseObject ret = null;

ManagementPath path = new ManagementPath( );
path.Server = @"."; // server name or .
path.NamespacePath = @"root\cimv2";
path.RelativePath = @"Win32_LogicalFileSecuritySetting.Path=" + "'" +
nameDirectory + "'";

ManagementObject lfs = new ManagementObject(path);
bool EnablePrivileges = lfs.Scope.Options.EnablePrivileges;
lfs.Scope.Options.EnablePrivileges =true;

//Get the Security Descriptor.
ManagementBaseObject outParams = lfs.InvokeMethod("GetSecurityDescriptor",
null, null);
if (((uint)(outParams.Properties["ReturnValue"].Value)) == 0) // if success
{
ManagementBaseObject Descriptor =
((ManagementBaseObject)(outParams.Properties["Descriptor"].Value));


From the descriptor I got the DACL and from the DACL I got the ACEs:

ManagementBaseObject[] DaclObject =
((ManagementBaseObject[])(Descriptor.Properties["Dacl"].Value));

//Add new ACE (Access Control Entry) to the list
ManagementBaseObject[] newDACL = ACLACEHelperClass.AddACE(DaclObject,
username,"", msk);
When I assign newDACL to my newly created folder using the following code

Descriptor.Properties["Dacl"].Value = newDACL ;
//Set the Security Descriptor
ManagementBaseObject inParams =
lfs.GetMethodParameters("SetSecurityDescriptor");
inParams["Descriptor"] = Descriptor;
ret = lfs.InvokeMethod("SetSecurityDescriptor", inParams, null);

I find that the "Inherited from" value for each trustee is changed to <not
inherited>.
In order to test whether adding a new ACE to the retrieved ACL list is causing
this problem, I assigned "DaclObject", the originally retrieved ACL, in the
following line:

Descriptor.Properties["Dacl"].Value = DaclObject;

and I still got the same result. "Inherited from" for all the existing
trustees had the value "Not Inherited".

Has anyone run into the same problem? Does assigning the ACL mess up the
inheritance properties of existing trustees, or is there something wrong that I
am doing?
Thanks a lot in advance, and sorry for making this post long, but I wanted to
provide as much information as I can.
-
Thanks
SCS
 

Peter Huang [MSFT]

Hi,

Currently I am looking for somebody who could help you on it. We will reply
here with more information as soon as possible.
If you have any more concerns on it, please feel free to post here.


Thanks for your understanding!

Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 

[MSFT]

Hello,

Would you please provide more info/code about the class
"ACLACEHelperClass"? With it, we may reproduce the problem, and see what
happened.

Thanks,

Luke
 

scsharma

Here is the code to add an ACE to the ACL.

// Adds an access-allowed ACE for TrusteeName to the folder's DACL.
// existingDacl is the Dacl array read back from GetSecurityDescriptor.
public bool AddEntryToDacl(ManagementBaseObject[] existingDacl, string TrusteeName, Enum AccessPrivileges)
{
    // Copy only the non-inherited ACEs; inherited ones (AceFlags & 0x10, INHERITED_ACE)
    // keep flowing from the parent and must not be written back as explicit entries.
    ArrayList aceList = new ArrayList();
    if (existingDacl != null)
    {
        foreach (ManagementBaseObject existing in existingDacl)
        {
            if (((uint)existing.Properties["AceFlags"].Value & 0x10) == 0)
                aceList.Add(existing);
        }
    }
    // One-dimensional Array of ManagementBaseObject with space for one extra direct ACE.
    Array newDACL = Array.CreateInstance(typeof(ManagementBaseObject), aceList.Count + 1);
    // Copy the ArrayList to the Array
    aceList.CopyTo(newDACL);
    ManagementBaseObject trustee = null;
    ManagementBaseObject ace = null;

    // Initialize new Trustee (here a local account as sample)
    try
    {
        trustee = new ManagementClass(@"Win32_Trustee").CreateInstance();
        // trustee.Properties["Domain"].Value = ""; // if domain other than local machine
        trustee.Properties["Name"].Value = TrusteeName;
    }
    catch (Exception e) // e.g. non-existing trustee
    {
        Console.WriteLine(e.Message);
        return false;
    }
    try
    {
        ace = new ManagementClass(@"Win32_ACE").CreateInstance();
        // WMI stores these as uint32, so convert the enum values rather than boxing them.
        ace.Properties["AccessMask"].Value = Convert.ToUInt32(AccessPrivileges);
        ace.Properties["AceFlags"].Value = (uint)AceFlags.NoPropagateInheritAce;
        ace.Properties["AceType"].Value = (uint)AceType.AccessAllowed;
        ace.Properties["Trustee"].Value = trustee;
    }
    catch (Exception e)
    {
        Console.WriteLine(e.Message);
        return false;
    }
    // The last slot is index Length - 1; Length itself is out of range.
    newDACL.SetValue(ace, newDACL.Length - 1);
    return WriteSecurityDescriptor((ManagementBaseObject[])newDACL);
}

But as you might have noted in my initial post, I think the problem is not
with the code adding the ACE to the ACL. In fact, if you retrieve a security descriptor and,
without making any modification to the ACL, set the retrieved ACL back, then you
will also run into the problem mentioned in my initial post.
Thanks a lot.

-
Thanks
SCS
 

[MSFT]

Hello,

I added the following code as you described:

ManagementBaseObject Descriptor =
((ManagementBaseObject)(outParams.Properties["Descriptor"].Value));
ManagementBaseObject[] DaclObject =
((ManagementBaseObject[])(Descriptor.Properties["Dacl"].Value));

Descriptor.Properties["Dacl"].Value = DaclObject;

ManagementBaseObject inParams =
lfs.GetMethodParameters("SetSecurityDescriptor");
inParams["Descriptor"] = Descriptor;

ManagementBaseObject ret = lfs.InvokeMethod("SetSecurityDescriptor",
inParams, null);

After running this code on my computer, I got several new items in the Permission
entries list of the new folder. They are just replicates of the original ones,
except that "Inherited from" is set to "not inherited". Is this the same
for you? (I am working on Windows 2003 Server and .NET Framework 1.1.)

Luke
 

scsharma

Yes. I was expecting "Inherited from" to be what it was before the new
DACL is committed. Is there some bug in WMI for .NET?
 

[MSFT]

Hello,

I also suspect this issue is a bug. The key line may be:

Descriptor.Properties["Dacl"].Value = DaclObject;

and

ManagementBaseObject ret = lfs.InvokeMethod("SetSecurityDescriptor",
inParams, null);

The old values are not replaced but appended.

I will record this and hope it can be fixed in later version.

Luke
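As an added example (not code from this thread, from Microsoft, or from the leastprivilege library), one way to avoid the duplicated "not inherited" entries Luke describes: drop the ACEs that carry the INHERITED_ACE flag (bit 0x10 of AceFlags) before writing the DACL back, so only the explicit entries plus the new one are set and inheritance from the parent keeps applying. It assumes a .NET Framework with System.Management and LINQ, and that `newAce` is a Win32_ACE instance built the way the thread's helper does.

```csharp
using System;
using System.Linq;
using System.Management;

// Added example: re-applies a folder DACL through WMI while dropping the ACEs
// that were only inherited from the parent, so they are not written back as
// explicit "not inherited" duplicates.
static class DaclHelper
{
    const uint INHERITED_ACE = 0x10;   // AceFlags bit set on ACEs inherited from a parent

    // Returns only the ACEs that were set directly on this object.
    public static ManagementBaseObject[] ExplicitAcesOnly(ManagementBaseObject[] dacl)
    {
        if (dacl == null) return new ManagementBaseObject[0];
        return dacl.Where(ace => ((uint)ace["AceFlags"] & INHERITED_ACE) == 0).ToArray();
    }

    // Reads the folder's descriptor, appends the caller's new ACE to the explicit
    // entries only, and writes the result back. Returns the WMI return code (0 = success).
    public static uint AppendExplicitAce(string folder, ManagementBaseObject newAce)
    {
        var path = new ManagementPath
        {
            Server = ".",
            NamespacePath = @"root\cimv2",
            RelativePath = "Win32_LogicalFileSecuritySetting.Path='" + folder + "'"
        };
        using (var lfs = new ManagementObject(path))
        {
            lfs.Scope.Options.EnablePrivileges = true;  // needed to read/write security info
            ManagementBaseObject outParams = lfs.InvokeMethod("GetSecurityDescriptor", null, null);
            uint rc = (uint)outParams["ReturnValue"];
            if (rc != 0) return rc;

            var descriptor = (ManagementBaseObject)outParams["Descriptor"];
            ManagementBaseObject[] explicitAces =
                ExplicitAcesOnly((ManagementBaseObject[])descriptor["Dacl"]);

            // Only explicit ACEs plus the new one go back; the inherited ones are
            // re-applied by the system from the parent folder.
            descriptor["Dacl"] = explicitAces.Concat(new[] { newAce }).ToArray();

            ManagementBaseObject inParams = lfs.GetMethodParameters("SetSecurityDescriptor");
            inParams["Descriptor"] = descriptor;
            ManagementBaseObject ret = lfs.InvokeMethod("SetSecurityDescriptor", inParams, null);
            return (uint)ret["ReturnValue"];
        }
    }
}
```

After the call, the Advanced security dialog should list the new entry as "not inherited" and the parent's entries still as inherited from c:\, rather than one inherited and one explicit copy of each.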
 

scsharma

I tried that, but using this code I cannot add domain users to the file
permissions list. If I set the user id as <domain-name>\<userid> in the
following line:

dacl.AddAce (new AceAccessAllowed (new Sid (@"<domain-name>\<userid>"),
AccessType.GENERIC_ALL));

I don't see the user being added to the list of trustees. I checked the list
of trustees by navigating to
Properties of file -> Security.
I am pretty sure that the format of the "user id" I am passing is correct, because
if I use any other format, or some user which does not exist in our domain,
then I get the following error:


An unhandled exception of type 'System.Runtime.InteropServices.COMException'
occurred in mscorlib.dll

Additional information: No mapping between account names and security IDs
was done
Can you please let me know what I am missing?


--
Thanks
SCS


Dominick Baier said:
Hello [MSFT],

have you tried that?

http://www.leastprivilege.com/ACLSupportForNET.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
 

scsharma

One more thing, Dominick. Did this code work for you? I wrote some very simple
code where I added and removed a couple of trustees and then set the DACL back
on the security descriptor. I am surprised to see that the changes are not
reflected on the actual file.
Here is the sample code


string filename = ROOT_DIR + nameDirectory;
// Verbatim string: in a normal C# string "c:\temp" the \t would be a tab character.
SecurityDescriptor secDesc =
SecurityDescriptor.GetFileSecurity(@"c:\temp", SECURITY_INFORMATION.DACL_SECURITY_INFORMATION);

Dacl dAcl = secDesc.Dacl;
dAcl.AddAce(new AceAccessAllowed(new Sid("ftpuser"), AccessType.GENERIC_READ));

dAcl.RemoveAces(new Sid(@"BatchFTP"));
// I am attaching the output of the following print statements at the end of this post.
foreach (Ace ace in dAcl)
{
Console.Write("ACE SID: {0} ", ace.Sid.CanonicalName);
Console.Write("ACE Type: {0} ", ace.Type);
Console.WriteLine("ACE AccessType: {0} (0x{0:X})", (EventAccessType)ace.AccessType);
}
secDesc.SetDacl(dAcl);

---Output of print statements----------------------
ACE SID: BUILTIN\Administrators ACE Type: ACCESS_ALLOWED_ACE_TYPE ACE AccessType: 2032127 (0x001F01FF)
ACE SID: NT AUTHORITY\SYSTEM ACE Type: ACCESS_ALLOWED_ACE_TYPE ACE AccessType: 2032127 (0x001F01FF)
ACE SID: AOC\ssharma ACE Type: ACCESS_ALLOWED_ACE_TYPE ACE AccessType: 2032127 (0x001F01FF)
ACE SID: CREATOR OWNER ACE Type: ACCESS_ALLOWED_ACE_TYPE ACE AccessType: GENERIC_ALL (0x10000000)
ACE SID: BUILTIN\Users ACE Type: ACCESS_ALLOWED_ACE_TYPE ACE AccessType: 1179817 (0x001200A9)
ACE SID: BUILTIN\Users ACE Type: ACCESS_ALLOWED_ACE_TYPE ACE AccessType: 4 (0x00000004)
ACE SID: BUILTIN\Users ACE Type: ACCESS_ALLOWED_ACE_TYPE ACE AccessType: EVENT_MODIFY_STATE (0x00000002)
ACE SID: SSHARMA\f4 ACE Type: ACCESS_ALLOWED_ACE_TYPE ACE AccessType: GENERIC_READ (0x80000000)
--------End of print

Am I missing something? The output has all the trustees that I had added,
but when I check the permissions on the file using file properties -> Security tab,
I still see the "BatchFTP" group, though I have removed it in the above code. Also,
user "ssharma\f4" is not there.




Thanks
SCS


 

Dominick Baier [DevelopMentor]

Hello scsharma,

I never tried it - just thought this could be helpful for you.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
 

scsharma

Thanks for the help and taking time to post the information. I wish it had
worked for me.
--
Thanks
SCS


 