AccessCheck problem

    Question

  • Hi All

    I'm trying to use AccessCheck to find out whether I (the current user of the application) have permissions on a particular file or folder.

    I've found some limited samples on the web in various languages, and everything seems to work (i.e. GetFileSecurity, ImpersonateSelf, OpenThreadToken, etc.), but when I call AccessCheck, no matter what I try, it always returns 0 and GetLastError is either 5 (Access denied) or 1338 (Invalid security descriptor).

    I've tried it on local files on both W7 and W2003, and I can't get it to work no matter which options I try.

    I've pasted my code below. It is written in the language I'm using, Visual DataFlex. Although it's not that mainstream, the code should be pretty easy to understand, and hopefully someone can spot what I'm doing wrong.

    I'm calling it like this

    Get CheckFileAccess of oFP "\\SOMESERVER\UserShares\SomeUser\SomeFile.txt" FP_MAXIMUM_ALLOWED to iResult

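    // Access-mask constants for files, directories and pipes.
    //
    // The composite masks below are combined with the bitwise operator "ior".
    // In DataFlex expressions "or" is the logical operator, so the original
    // "(A or B or C)" evaluated to a truth value instead of the combined mask.
    // Every composite mask (FP_FILE_GENERIC_*, FP_FILE_ALL_ACCESS) was affected.
    Define FP_MAXIMUM_ALLOWED            for |CI$2000000

    // Standard rights (apply to every securable object type)
    Define FP_DELETE                     for |CI$10000
    Define FP_READ_CONTROL               for |CI$20000
    Define FP_WRITE_DAC                  for |CI$40000
    Define FP_WRITE_OWNER                for |CI$80000
    Define FP_SYNCHRONIZE                for |CI$100000
    Define FP_STANDARD_RIGHTS_READ       for FP_READ_CONTROL
    Define FP_STANDARD_RIGHTS_WRITE      for FP_READ_CONTROL
    Define FP_STANDARD_RIGHTS_EXECUTE    for FP_READ_CONTROL
    Define FP_STANDARD_RIGHTS_REQUIRED   for |CI$F0000

    // Object-specific rights; the same bit has a different meaning per object type
    Define FP_FILE_READ_DATA             for |CI$1   // file & pipe
    Define FP_FILE_LIST_DIRECTORY        for |CI$1   // directory
    Define FP_FILE_ADD_FILE              for |CI$2   // directory
    Define FP_FILE_WRITE_DATA            for |CI$2   // file & pipe
    Define FP_FILE_CREATE_PIPE_INSTANCE  for |CI$4   // named pipe
    Define FP_FILE_ADD_SUBDIRECTORY      for |CI$4   // directory
    Define FP_FILE_APPEND_DATA           for |CI$4   // file
    Define FP_FILE_READ_EA               for |CI$8   // file & directory
    Define FP_FILE_READ_PROPERTIES       for FP_FILE_READ_EA
    Define FP_FILE_WRITE_EA              for |CI$10   // file & directory
    Define FP_FILE_WRITE_PROPERTIES      for FP_FILE_WRITE_EA
    Define FP_FILE_EXECUTE               for |CI$20  // file
    Define FP_FILE_TRAVERSE              for |CI$20  // directory
    Define FP_FILE_DELETE_CHILD          for |CI$40  // directory
    Define FP_FILE_READ_ATTRIBUTES       for |CI$80  // all
    Define FP_FILE_WRITE_ATTRIBUTES      for |CI$100 // all

    // File-specific expansions of the generic rights; these populate the GENERIC_MAPPING
    Define FP_FILE_GENERIC_READ          for (FP_STANDARD_RIGHTS_READ ior FP_FILE_READ_DATA ior FP_FILE_READ_ATTRIBUTES ior FP_FILE_READ_EA ior FP_SYNCHRONIZE)
    Define FP_FILE_GENERIC_WRITE         for (FP_STANDARD_RIGHTS_WRITE ior FP_FILE_WRITE_DATA ior FP_FILE_WRITE_ATTRIBUTES ior FP_FILE_WRITE_EA ior FP_FILE_APPEND_DATA ior FP_SYNCHRONIZE)
    Define FP_FILE_GENERIC_EXECUTE       for (FP_STANDARD_RIGHTS_EXECUTE ior FP_FILE_READ_ATTRIBUTES ior FP_FILE_EXECUTE ior FP_SYNCHRONIZE)
    // 511 is hex 1FF: all nine object-specific file bits defined above
    Define FP_FILE_ALL_ACCESS            for (FP_STANDARD_RIGHTS_REQUIRED ior FP_SYNCHRONIZE ior 511)

    // Generic rights; these must be mapped to specific rights before an access check
    Define FP_GENERIC_READ               for |CI$80000000
    Define FP_GENERIC_WRITE              for |CI$40000000
    Define FP_GENERIC_EXECUTE            for |CI$20000000
    Define FP_GENERIC_ALL                for |CI$10000000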
          
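    // SECURITY_INFORMATION flags: which parts of a security descriptor to retrieve
    Define FP_OWNER_SECURITY_INFORMATION for |CI$1
    Define FP_GROUP_SECURITY_INFORMATION for |CI$2
    Define FP_DACL_SECURITY_INFORMATION  for |CI$4
    // SECURITY_IMPERSONATION_LEVEL is a zero-based enumeration:
    //   0 SecurityAnonymous, 1 SecurityIdentification, 2 SecurityImpersonation, 3 SecurityDelegation.
    // The original value 3 therefore requested delegation level; impersonation level is 2.
    Define FP_SecurityImpersonation      for |CI$2
    // Element count Windows uses for the trailing variable-length array in PRIVILEGE_SET
    Define FP_ANYSIZE_ARRAY              for 1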

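    // Access rights for token objects (requested when opening a token).
    // The composite masks use the bitwise "ior"; the logical "or" of the original
    // collapsed FP_TK_READ and FP_TK_ALL to a truth value.
    Define FP_TK_ASSIGN_PRIMARY    for |CI$1
    Define FP_TK_DUPLICATE         for |CI$2
    Define FP_TK_IMPERSONATE       for |CI$4
    Define FP_TK_QUERY             for |CI$8
    Define FP_TK_QUERY_SOURCE      for |CI$10
    Define FP_TK_ADJUST_PRIVILEGES for |CI$20
    Define FP_TK_ADJUST_GROUPS     for |CI$40
    Define FP_TK_ADJUST_DEFAULT    for |CI$80
    Define FP_TK_ADJUST_SESSIONID  for |CI$100
    Define FP_TK_READ for (FP_STANDARD_RIGHTS_READ ior FP_TK_QUERY)
    Define FP_TK_ALL for (FP_STANDARD_RIGHTS_REQUIRED ior FP_TK_ASSIGN_PRIMARY ior FP_TK_DUPLICATE ior FP_TK_IMPERSONATE ior FP_TK_QUERY ior FP_TK_QUERY_SOURCE ior FP_TK_ADJUST_PRIVILEGES ior FP_TK_ADJUST_GROUPS ior FP_TK_ADJUST_DEFAULT ior FP_TK_ADJUST_SESSIONID)
    Define FP_TK_EXECUTE for FP_STANDARD_RIGHTS_EXECUTE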


    // Mirrors the Windows GENERIC_MAPPING structure: for each generic right, the
    // object-specific access mask it expands to. Field order is part of the binary
    // layout handed to MapGenericMask and AccessCheck.
    Struct tdGENERIC_MAPPING
        Integer GenericRead
        Integer GenericWrite
        Integer GenericExecute
        Integer GenericAll
    End_Struct

    // Mirrors the Windows LUID structure (locally unique identifier, two 32-bit halves).
    Struct tdLUID
        Integer LowPart
        Integer HighPart
    End_Struct

    // Mirrors the Windows LUID_AND_ATTRIBUTES structure: one privilege LUID plus its attribute flags.
    Struct tdLUID_AND_ATTRIBUTES
        tdLUID pLuid
        Integer Attributes
    End_Struct

    // Mirrors the Windows PRIVILEGE_SET structure that AccessCheck fills in.
    // NOTE(review): Windows lays this out as two 32-bit fields followed by an inline
    // array of LUID_AND_ATTRIBUTES entries. Privilege is declared here as a dynamic
    // array ("[]"); confirm that AddressOf() on a variable of this type yields that
    // contiguous layout, otherwise AccessCheck writes into memory the runtime did not
    // reserve for it.
    Struct tdPRIVILEGE_SET
        Integer PrivilegeCount
        Integer Control
        tdLUID_AND_ATTRIBUTES[] Privilege
    End_Struct

    // Win32 imports used by CheckFileAccess.
    //
    // AccessCheck: evaluates a security descriptor against an impersonation token.
    // NOTE(review): pSecurityDesc is declared String, but a security descriptor is binary
    // data containing zero bytes. Confirm the runtime passes the buffer address unchanged
    // rather than a copied or zero-terminated string.
    // NOTE(review): iPrivSetLength is declared Integer while the API takes the address of
    // a length variable; the call site in CheckFileAccess passes AddressOf(iPrivSetSize).
    External_Function AccessCheck "AccessCheck" advapi32.dll String pSecurityDesc Integer hClientToken Integer iAccess Pointer pGenMap Pointer pPrivSet Integer iPrivSetLength Pointer pGrantedAccess Pointer pStatus Returns Integer

    // GetFileSecurityA is the ANSI variant; file names are taken in the ANSI code page.
    External_Function GetFileSecurity "GetFileSecurityA" advapi32.dll String lpFileName Integer iRequestedInformation Pointer pSecurityDescriptor Integer nLength Pointer lpnLengthNeeded Returns Integer
    // ImpersonateSelf attaches an impersonation token for the calling process to the current thread.
    External_Function ImpersonateSelf "ImpersonateSelf" advapi32.dll Integer ImpersonationLevel Returns Integer
    // RevertToSelf ends the impersonation; a zero return means the thread is still impersonating.
    External_Function RevertToSelf "RevertToSelf" advapi32.dll Returns Integer
    External_Function MapGenericMask "MapGenericMask" advapi32.dll Pointer pAccessMask Pointer pGenericMapping Returns Integer
    // NOTE(review): TokenHandle is an output parameter (address of a handle variable) but is
    // declared Integer; the call site passes AddressOf(hToken). Handles and addresses declared
    // as Integer presumably assume a 32-bit process. Confirm before building for 64-bit.
    External_Function OpenThreadToken "OpenThreadToken" advapi32.dll Integer ThreadHandle Integer DesiredAccess Integer OpenAsSelf Integer TokenHandle Returns Integer
    External_Function GetCurrentThread "GetCurrentThread" kernel32.dll Returns Integer
    External_Function CloseHandle "CloseHandle" kernel32.dll Integer hObject Returns Integer

    // Mirrors the Windows OSVERSIONINFOA structure passed to GetVersionExA.
    // NOTE(review): in the Windows structure szCSDVersion is an inline 128-character
    // buffer; here it is a String member. IsNT compensates by adding 124 to
    // SizeOfType() when filling dwOSVersionInfoSize. Confirm the in-memory layout of a
    // String member matches what the API writes to.
    Struct tdOSVERSIONINFO
        Integer dwOSVersionInfoSize
        Integer dwMajorVersion
        Integer dwMinorVersion
        Integer dwBuildNumber
        Integer dwPlatformId
        String  szCSDVersion
    End_Struct

    // ANSI variant of GetVersionEx; fills the structure addressed by ptOSVER.
    External_Function GetVersionEx "GetVersionExA" kernel32.dll Pointer ptOSVER Returns Integer

    // dwPlatformId value reported by NT-based Windows
    Define FP_VER_PLATFORM_WIN32_NT for |CI$2

    // File-system flag: the volume preserves and enforces access control lists
    Define FP_FS_PERSISTENT_ACLS for |CI$8
    // ANSI variant of GetVolumeInformation; lpFSFlag receives the file-system flags
    // that FP_FS_PERSISTENT_ACLS is tested against.
    External_Function GetVolumeInformation "GetVolumeInformationA" kernel32.dll String lpRootPathName Pointer lpVolNameBuf Integer nVolNamSiz Pointer lpVolSerNum Pointer lpMaxCompoLen Pointer lpFSFlag Pointer lpFSNameBuff Integer nFSNameSize Returns Integer

    // Returns True when GetVersionEx reports the NT platform id for the running system.
    // The API's own return value is not inspected; if the call fails, the result is
    // whatever dwPlatformId held beforehand.
    Function IsNT Returns Boolean
        tdOSVERSIONINFO tVersion
        Integer iIgnored
        Boolean bNtPlatform

        // Pre-size the service-pack text member with 128 zero characters
        Move (Repeat(character(0),128)) to tVersion.szCSDVersion
        // The API validates this size field; 124 is added on top of the declared struct size
        Move (SizeOfType(tdOSVERSIONINFO)+124) to tVersion.dwOSVersionInfoSize
        Move (GetVersionEx(AddressOf(tVersion))) to iIgnored

        Move (tVersion.dwPlatformId=FP_VER_PLATFORM_WIN32_NT) to bNtPlatform
        Function_Return bNtPlatform
    End_Function
       
        Function CheckFileAccess String sFilename Integer eDesiredAccess Returns Integer
            Integer iPos iSDSize iFSFlags iReturn iOK iVolSerNo iMaxComponentLen iLastError iVoid iAccessMask iStatus iPrivSetSize
            Handle hToken
            tdPRIVILEGE_SET tPrivSet
            tdGENERIC_MAPPING tGenMap
            String sVolume sVolNameBuff sFSNameBuff sSecurityDescriptor
            Boolean bIsNT
           
            Get IsNT to bIsNT
           
            If (bIsNT) Begin
                If (Left(sFilename,2)="\\") Begin
                    Move (Pos("\",sFilename,3)) to iPos
                    If (iPos=0) Begin
                        If (Right(sFilename,1)<>"\") Begin
                            Move (sFilename+"\") to sVolume
                        End
                        Else Begin
                            Move (Left(sFilename,iPos)) to sVolume
                        End
                    End
                End
                Else Begin
                    If (Mid(sFilename,2,2)=":\") Begin
                        Move (Left(sFilename,3)) to sVolume
                    End
                End
               
            End
            Else Begin
                Move -1 to iReturn
            End
           
            Move (Repeat(character(0),256)) to sVolNameBuff
            Move (Repeat(character(0),256)) to sFSNameBuff
            Move 0 to iFSFlags
            Move 0 to iVolSerNo
            Move 0 to iMaxComponentLen
            Move (GetVolumeInformation(sVolume,Addressof(sVolNameBuff),Length(sVolNameBuff),Addressof(iVolSerNo),AddressOf(iMaxComponentLen),AddressOf(iFSFlags),AddressOf(sFSNameBuff),Length(sFSNameBuff))) to iOK
            If (iOK) Begin
                If ((iFSFlags and FP_FS_PERSISTENT_ACLS)=0) Begin
                    Move -1 to iReturn
                End
                Else Begin
                    Move 0 to iSDSize
                    Move (GetFileSecurity(sFilename,(FP_OWNER_SECURITY_INFORMATION or FP_GROUP_SECURITY_INFORMATION or FP_DACL_SECURITY_INFORMATION),0,0,AddressOf(iSDSize))) to iOK
                    Move (GetLastError()) to iLastError
                    If (iLastError<>122) Begin
                        Move -1 to iReturn
                    End
                    Else Begin
                        If (iSDSize>0) Begin
                            Increment iSDSize
                            Move (Repeat(character(0),iSDSize)) to sSecurityDescriptor
                            Move (GetFileSecurity(sFilename,(FP_OWNER_SECURITY_INFORMATION or FP_GROUP_SECURITY_INFORMATION or FP_DACL_SECURITY_INFORMATION),Addressof(sSecurityDescriptor),iSDSize,AddressOf(iSDSize))) to iOK
                            If (iOK) Begin
                                Move (ImpersonateSelf(FP_SecurityImpersonation)) to iOK  
                                If (iOK) Begin
                                    Move 0 to hToken
                                    Move (OpenThreadToken(GetCurrentThread(),(FP_TK_QUERY),0,AddressOf(hToken))) to iOK
                                    If (iOK) Begin
                                  Move FP_FILE_GENERIC_READ       to tGenMap.GenericRead
                                  Move FP_FILE_GENERIC_WRITE      to tGenMap.GenericWrite
                                  Move FP_FILE_GENERIC_EXECUTE    to tGenMap.GenericExecute
                                  Move FP_FILE_ALL_ACCESS         to tGenMap.GenericAll
                                        Move (MapGenericMask(AddressOf(eDesiredAccess),AddressOf(tGenMap))) to iVoid
                                        Move 0 to iAccessMask
                                        Move 0 to iStatus
                                        Move 0 to tPrivSet.Privilege[0].pLuid.HighPart
                                        Move 0 to tPrivSet.Privilege[0].pLuid.LowPart
                                        Move 20 to iPrivSetSize
                                        Move (AccessCheck(sSecurityDescriptor,hToken,eDesiredAccess,AddressOf(tGenMap),AddressOf(tPrivSet),AddressOf(iPrivSetSize),AddressOf(iAccessMask),AddressOf(iStatus))) to iOK
                                        Move (GetLastError()) to iLastError
                                        Move (CloseHandle(hToken)) to iOK
                                    End
                                    Move (RevertToSelf()) to iVoid
                                End
                            End
                        End
                    End
                End
            End
            Function_Return iReturn
        End_Function

    Thursday, September 05, 2013 11:43 AM