How to Check Permission for File/Folder

    Question

  • Hi,
    I want to check the access permissions for a folder for a given user. How do I check the Read/Write permission given to a user in a programmatic way?
    We need to give an error before opening a file which is present in a folder having 'Deny Write Access' for the user running our application.

    e.g. I have a folder "D:/ReadOnly". I have given security permissions on the folder for the following users:
    1. For Administrator group - Full Access
    2. For Users group - Deny Write permission.
    3. For a user (say 'psudo-admin', who belongs to the Administrator group) - Deny Write permission.

    If I call a function which returns me the access right for the folder (D:/ReadOnly) for the user which is running that application:

    If I am logged in as a standard user, it should "Deny" access to the folder.
    If I am logged in as a standard user but run the process as Administrator, then it should "Allow" the access.
    If I am logged in as the 'psudo-admin' user, it should deny the access to the folder.

    I have tried
    1. GetProcessToken
    2. GetTokenInformation (to get the token user and SID for the user)
    3. GetNamedSecurityInfo (to get the DACL for the given folder) and
    4. BuildTrusteeWithSid(pTrustee, pSidUser);
    5. GetEffectiveRightsFromAcl

    But it is failing in some cases.

    I need code, or at least the detailed workflow, to get this thing to work in all the cases.

    Thanks in advance.

    P.S. In C++, Win32 :D
    Tuesday, March 09, 2010 5:45 AM

Answers

All replies

  • You are using the right set of functions, so there are two things you need to do.
    1. Define failing. Does not give what you expect? Does it crash?
    2. Give sample code which you have written. People around here don't just give out code. The way we like to do things is have you post a sample of what you have given and then we guide you from there. This helps because it shows you are willing/have put in the effort, (there are a lot of people who come on here to get code written for them without doing anything). It also shows what you have done so we can help out by pointing out what has gone wrong.
    Visit my (not very good) blog at http://c2kblog.blogspot.com/
    Tuesday, March 09, 2010 6:04 AM
  • Thanks crescens2k for such a quick reply! (I am happy to know that I am on the right path :))

    Following is the sample code.

    //1. Get User SID
    OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken);
    // (Do I need to impersonate the token?)

    PTOKEN_USER ptUser;
    // (Does PTOKEN_USER give the SID of the user running this process?)
    if (!GetTokenInformation(hToken, TokenUser, NULL, 0, &dwLength))
    {
        if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
        {
            cout<<endl<<"Error";
            return;
        }
        // to get the size and allocate
        ptUser = (PTOKEN_USER)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwLength);
    }
    if (!GetTokenInformation(hToken, TokenUser, (LPVOID)ptUser, dwLength, &dwLength))
    {
        cout<<endl<<"Error";
        return;
    }
    PSID pSidUser = ptUser->User.Sid;
    // (Is this the correct step?)

    //2. Get SID of File/Folder
    PACL pOldDACL = NULL, pNewDACL = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    char read[]="D:\\ReadOnly";
    DWORD dwRes = GetNamedSecurityInfo(read, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, &pSD);

    //3. Build Trustee
    PTRUSTEE pTrustee = new TRUSTEE();
    BuildTrusteeWithSid(pTrustee, pSidUser);

    //4. Now check access
    ACCESS_MASK mask;
    DWORD dwRetVal = ::GetEffectiveRightsFromAcl(pOldDACL, pTrustee, &mask);
    delete pTrustee;

    //5. Unmask
    // (What should I use to check the Write access?)
    if (mask & WRITE_DAC)
    {
        cout<<endl<<"Write Access"<<endl;
    }
    else
    {
        cout<<endl<<"NO Write Access"<<endl;
    }
    //Cleanup

    Currently this code works in none of the cases. It tells "Write Access" for all the users.

    I am totally unaware of this Windows security area. It would be really helpful if I get some good links which tell me what I am doing.

    One more thing: does this work for network folders?

    Thanks Again,
    Amol

     
    Tuesday, March 09, 2010 2:00 PM
  • There is a security programming forum at http://social.msdn.microsoft.com/Forums/en-US/windowssecurity/threads.
    You may want to do some searches on the APIs you used to see how others are using the APIs.


    The following is signature, not part of post
    Please mark the post answered your question as the answer, and mark other helpful posts as helpful.
    Visual C++ MVP
    • Marked as answer by Nancy Shao Wednesday, March 17, 2010 3:38 AM
    Tuesday, March 09, 2010 9:46 PM
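
An added example, not code from any poster in this thread: a portable C++ model of how a DACL is evaluated against a whole access token (user SID plus groups and their deny-only flag), applied to a constructed version of the D:\ReadOnly scenario from the question. It tests the write-data bit (FILE_WRITE_DATA) rather than WRITE_DAC, which is the right to change the DACL itself. The type names, the plain names standing in for SIDs, and the token contents are assumptions made for illustration; on Windows this walk is performed against a real token by AccessCheck.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Simplified model of the DACL walk done for a token (not the Win32 API itself).
constexpr uint32_t kFileWriteData = 0x00000002;  // FILE_WRITE_DATA / FILE_ADD_FILE
constexpr uint32_t kWriteDac      = 0x00040000;  // WRITE_DAC: change the DACL, not the data
constexpr uint32_t kFullAccess    = 0x001F01FF;  // FILE_ALL_ACCESS

struct Ace      { bool deny; std::string sid; uint32_t mask; };
struct TokenSid { std::string sid; bool denyOnly; };  // denyOnly ~ SE_GROUP_USE_FOR_DENY_ONLY
using Token = std::vector<TokenSid>;

// True when every bit in `desired` is granted before any of them is denied.
bool accessGranted(const std::vector<Ace>& dacl, const Token& token, uint32_t desired) {
    uint32_t remaining = desired;
    for (const Ace& ace : dacl) {
        for (const TokenSid& ts : token) {
            if (ts.sid != ace.sid) continue;
            if (ace.deny) {
                if (ace.mask & remaining) return false;  // deny-only SIDs still match deny ACEs
            } else if (!ts.denyOnly) {
                remaining &= ~ace.mask;                  // allow ACEs need an enabled SID
            }
        }
        if (remaining == 0) return true;
    }
    return false;  // bits that were never granted are implicitly denied
}

// Constructed DACL modelled on the question's folder, explicit deny ACEs first.
const std::vector<Ace> kReadOnlyDacl = {
    {true,  "psudo-admin",    kFileWriteData},
    {true,  "Users",          kFileWriteData},
    {false, "Administrators", kFullAccess},
};

// Constructed tokens; the elevated one is assumed not to carry the Users group.
const Token kStandardUser  = {{"alice", false}, {"Users", false}};
const Token kElevatedAdmin = {{"Administrator", false}, {"Administrators", false}};
const Token kPsudoAdmin    = {{"psudo-admin", false}, {"Administrators", false}};
const Token kFilteredAdmin = {{"bob", false}, {"Administrators", true}};  // non-elevated admin

int main() {
    std::cout << "psudo-admin FILE_WRITE_DATA: "
              << accessGranted(kReadOnlyDacl, kPsudoAdmin, kFileWriteData)
              << ", WRITE_DAC: " << accessGranted(kReadOnlyDacl, kPsudoAdmin, kWriteDac) << '\n';
}
```

The result depends on the token as well as the user SID: the same Administrators allow ACE grants nothing to a token that holds that group as deny-only.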