Geek Answers Handbook

Collision of a FileSystemRights value that is not defined in the enumeration

I wrote an application that checks all file system permissions in a directory.

The directory has several access rules (type FileSystemAccessRule ).

Each access rule has a FileSystemRights property, which is a flag enumeration.

While doing this, I continue to run into FileSystemRights with a value of 268435456 (which comes in 0x10000000 in hexadecimal format).

This value simply does not appear in the listing! This is actually higher than the maximum value of one flag ( Synchronize , which has a value of 0x100000 ).

Does anyone know what it is?

+8
security ntfs
source share
3 answers

See http://cjwdev.wordpress.com/2011/06/28/permissions-not-included-in-net-accessrule-filesystemrights-enum/

From this page:

Using .NET, you might think that determining the permissions assigned to a directory / file should be fairly simple, as it is determined that the FileSystemRights Enum contains all possible permissions that a file / directory can have and calling AccessRule.FileSystemRights returns a combination of these values. However, you will soon come across some permissions when the value in this property does not match any of the values ​​in the FileSystemRights Enum (I would like them to not name some properties with the same name as Type, but hey).

The end result of this is that for some files / directories you simply cannot determine what rights are assigned to them. If you do this AccessRule.FileSystemRights.ToString, then for these values ​​all that you see is a number, not a description (for example, Modify, Delete, FullControl, etc.). The common numbers you can see are:

-1610612736, -536805376 and 268435456

To determine what these permissions really exist, you need to look at what bits are set when you treat this number as 32 separate bits and not as an integer (since integers are 32 bits long) and compare them to this diagram: http: // msdn.microsoft.com/en-us/library/aa374896(v=vs.85).aspx

So, for example, -1610612736 has the first bit and third bit, which means GENERIC_READ in combination with GENERIC_EXECUTE. Now you can convert these general permissions to a specific system permissions file that they correspond to.

You can see what permissions are allowed for each general permission: http://msdn.microsoft.com/en-us/library/aa364399.aspx . Just know that STANDARD_RIGHTS_READ, STANDARD_RIGHTS_EXECUTE and STANDARD_RIGHTS_WRITE are the same thing (I don’t know why, it seems strange to me) and practically all are equal. FileSystemRights.ReadPermissions value.

+11
source share

from https://social.technet.microsoft.com/Forums/windowsserver/en-US/5211a077-63fc-4016-b750-25bf26b3ad15/why-does-getacl-return-filesystemrights-that-are-invalid-in-filesystemaccesrule -used-with-setacl? forum = winserverpowershell

268435456 - FullControl

-536805376 - Change, synchronize

-1610612736 - ReadAndExecute, Synchronize

(to save you some math)

+4
source share

Here is my solution to fix FileSystemRights to match enumeration.

There are several documents about this. Links are included in the code.

  public static FileSystemRights FileSystemRightsCorrector(FileSystemRights fsRights, bool removeSynchronizePermission = false) { // from: https://msdn.microsoft.com/en-us/library/aa374896%28v=vs.85%29.aspx const int C_BitGenericRead = (1 << 31); const int C_BitGenericWrite = (1 << 30); const int C_BitGenericExecute = (1 << 29); const int C_BitGenericAll = (1 << 28); // https://msdn.microsoft.com/en-us/library/aa364399.aspx // FILE_GENERIC_READ = FILE_READ_ATTRIBUTES | FILE_READ_DATA | FILE_READ_EA | STANDARD_RIGHTS_READ | SYNCHRONIZE // FILE_GENERIC_WRITE = FILE_APPEND_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_DATA | FILE_WRITE_EA | STANDARD_RIGHTS_WRITE | SYNCHRONIZE // FILE_GENERIC_EXECUTE = FILE_EXECUTE | FILE_READ_ATTRIBUTES | STANDARD_RIGHTS_EXECUTE | SYNCHRONIZE //from Winnt.h //#define STANDARD_RIGHTS_READ (READ_CONTROL) //#define STANDARD_RIGHTS_WRITE (READ_CONTROL) //#define STANDARD_RIGHTS_EXECUTE (READ_CONTROL) // from: https://msdn.microsoft.com/en-us/library/windows/desktop/aa379607%28v=vs.85%29.aspx // READ_CONTROL = "The right to read the information in the object security descriptor," // ==> STANDARD_RIGHTS_READ, STANDARD_RIGHTS_WRITE, STANDARD_RIGHTS_EXECUTE == FileSystemRights.ReadPermissions // translation for the generic rights to the FileSystemRights enum const FileSystemRights C_FsrGenericRead = FileSystemRights.ReadAttributes | FileSystemRights.ReadData | FileSystemRights.ReadExtendedAttributes | FileSystemRights.ReadPermissions | FileSystemRights.Synchronize; const FileSystemRights C_FsrGenericWrite = FileSystemRights.AppendData | FileSystemRights.WriteAttributes | FileSystemRights.WriteData | FileSystemRights.WriteExtendedAttributes | FileSystemRights.ReadPermissions | FileSystemRights.Synchronize; const FileSystemRights C_FsrGenericExecute = FileSystemRights.ExecuteFile | FileSystemRights.ReadAttributes | FileSystemRights.ReadPermissions | FileSystemRights.Synchronize; if (((int)fsRights & C_BitGenericRead) != 0) { fsRights |= C_FsrGenericRead; } if (((int)fsRights & C_BitGenericWrite) != 0) { fsRights |= C_FsrGenericWrite; } if (((int)fsRights & C_BitGenericExecute) != 0) { fsRights |= C_FsrGenericExecute; } if (((int)fsRights & C_BitGenericAll) != 0) { fsRights |= FileSystemRights.FullControl; } // delete the 4 highest bits if present fsRights = (FileSystemRights)((int)fsRights & ~(C_BitGenericRead | C_BitGenericWrite | C_BitGenericExecute | C_BitGenericAll)); // for some purposes the "Synchronize" flag must be deleted if (removeSynchronizePermission == true) { fsRights = (FileSystemRights)((int)fsRights & ~((int)FileSystemRights.Synchronize)); } return fsRights; }
+2
source share

More articles:


All Articles