.NET Forum / .NET Framework / Security / January 2006


Get a WindowsPrincipal from a SecurityIdentifier (or system account)

Bart Vries - 03 Jan 2006 15:19 GMT
Hi,

I've written a function which checks if a user has rights to write a file.
This function uses WindowsPrincipal.IsInRole to check if the user is part of
a role defined on the file ACL. Now I want to change the function to also
check if the system account (NT AUTHORITY\SYSTEM) has rights to access the
file. I can construct a system account SID using:

SecurityIdentifier systemAccount = new
SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);

The problem is that I can't seem to find any code to create a WindowsPrincipal
based on the system account, and I cannot check if a SecurityIdentifier is
part of a role/group. I'm using C# 2.0.

Best regards,

Bart Vries
Joe Kaplan (MVP - ADSI) - 04 Jan 2006 18:01 GMT
Are you sure you can get valid results with an approach like this?  Local
System generally has all privileges which means that it can take ownership.
This means that file system ACLs are essentially useless as it can change
them at will.

Joe K.

Bart Vries - 05 Jan 2006 16:30 GMT
Hi Joe,

I would like to check if the system account currently has rights to write to
a file on a specific location. This is a diagnostic tool and I want to check
if the administrator has configured the rights correctly and I want to
display a message if they are not setup correctly. I don't want to modify the
rights on a system.

Thanks in advance,

Bart

Joe Kaplan (MVP - ADSI) - 05 Jan 2006 16:37 GMT
Have you looked at p/invoking the AuthzAccessCheck function?  That is
probably the way to go.  I don't have a sample though as I've never done it.

Joe K.

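The AuthzAccessCheck route Joe points at, written out as an added example in C# (this is not code from the thread or from any of its participants). It asks the Authz API what access the SYSTEM SID would be granted under the file's current security descriptor, so the group memberships that matter (Everyone, Authenticated Users, BUILTIN\Administrators) are resolved by Windows instead of by hand. The P/Invoke declarations, the resource-manager name "AclDiag" and probing with MAXIMUM_ALLOWED are this example's own choices; the file path comes from the command line.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example: ask authz.dll what a SID would be granted on a file, using
// only the file's security descriptor (no impersonation, no token needed).
static class AuthzFileCheck
{
    const uint AUTHZ_RM_FLAG_NO_AUDIT = 0x1;
    const uint MAXIMUM_ALLOWED = 0x02000000;
    const uint GENERIC_WRITE = 0x40000000, GENERIC_ALL = 0x10000000;

    [StructLayout(LayoutKind.Sequential)]
    struct LUID { public uint LowPart; public int HighPart; }

    [StructLayout(LayoutKind.Sequential)]
    struct AUTHZ_ACCESS_REQUEST
    {
        public uint DesiredAccess;
        public IntPtr PrincipalSelfSid;
        public IntPtr ObjectTypeList;
        public uint ObjectTypeListLength;
        public IntPtr OptionalArguments;
    }

    [StructLayout(LayoutKind.Sequential)]
    struct AUTHZ_ACCESS_REPLY
    {
        public uint ResultListLength;
        public IntPtr GrantedAccessMask;     // -> ResultListLength DWORDs
        public IntPtr SaclEvaluationResults; // -> ResultListLength DWORDs
        public IntPtr Error;                 // -> ResultListLength DWORDs
    }

    [DllImport("authz.dll", SetLastError = true)]
    static extern bool AuthzInitializeResourceManager(uint flags, IntPtr pfnDynamicAccessCheck,
        IntPtr pfnComputeDynamicGroups, IntPtr pfnFreeDynamicGroups,
        [MarshalAs(UnmanagedType.LPWStr)] string resourceManagerName, out IntPtr phResourceManager);

    [DllImport("authz.dll", SetLastError = true)]
    static extern bool AuthzInitializeContextFromSid(uint flags, byte[] userSid, IntPtr hResourceManager,
        IntPtr pExpirationTime, LUID identifier, IntPtr dynamicGroupArgs, out IntPtr phClientContext);

    [DllImport("authz.dll", SetLastError = true)]
    static extern bool AuthzAccessCheck(uint flags, IntPtr hClientContext, ref AUTHZ_ACCESS_REQUEST request,
        IntPtr hAuditEvent, byte[] securityDescriptor, IntPtr optionalSecurityDescriptorArray,
        uint optionalSecurityDescriptorCount, ref AUTHZ_ACCESS_REPLY reply, IntPtr phAccessCheckResults);

    [DllImport("authz.dll")] static extern bool AuthzFreeContext(IntPtr hClientContext);
    [DllImport("authz.dll")] static extern bool AuthzFreeResourceManager(IntPtr hResourceManager);

    // Rights the file's DACL grants `sid`, as computed by Authz from the groups it
    // derives for that SID. MAXIMUM_ALLOWED means "tell me everything you would grant".
    public static FileSystemRights GetGrantedRights(string path, SecurityIdentifier sid)
    {
        byte[] sd = File.GetAccessControl(path, AccessControlSections.Owner |
            AccessControlSections.Group | AccessControlSections.Access).GetSecurityDescriptorBinaryForm();
        byte[] sidBytes = new byte[sid.BinaryLength];
        sid.GetBinaryForm(sidBytes, 0);

        IntPtr hRm = IntPtr.Zero, hCtx = IntPtr.Zero;
        IntPtr results = Marshal.AllocHGlobal(3 * Marshal.SizeOf(typeof(uint)));
        try
        {
            if (!AuthzInitializeResourceManager(AUTHZ_RM_FLAG_NO_AUDIT, IntPtr.Zero, IntPtr.Zero,
                    IntPtr.Zero, "AclDiag", out hRm))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            if (!AuthzInitializeContextFromSid(0, sidBytes, hRm, IntPtr.Zero, new LUID(), IntPtr.Zero, out hCtx))
                throw new Win32Exception(Marshal.GetLastWin32Error());

            AUTHZ_ACCESS_REQUEST request = new AUTHZ_ACCESS_REQUEST();
            request.DesiredAccess = MAXIMUM_ALLOWED;

            AUTHZ_ACCESS_REPLY reply = new AUTHZ_ACCESS_REPLY();
            reply.ResultListLength = 1;                 // one object, no object-type list
            reply.GrantedAccessMask = results;
            reply.SaclEvaluationResults = new IntPtr(results.ToInt64() + 4);
            reply.Error = new IntPtr(results.ToInt64() + 8);

            // Returns TRUE even when access is denied; the verdict is in GrantedAccessMask/Error.
            if (!AuthzAccessCheck(0, hCtx, ref request, IntPtr.Zero, sd, IntPtr.Zero, 0, ref reply, IntPtr.Zero))
                throw new Win32Exception(Marshal.GetLastWin32Error());

            return (FileSystemRights)Marshal.ReadInt32(reply.GrantedAccessMask);
        }
        finally
        {
            if (hCtx != IntPtr.Zero) AuthzFreeContext(hCtx);
            if (hRm != IntPtr.Zero) AuthzFreeResourceManager(hRm);
            Marshal.FreeHGlobal(results);
        }
    }

    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: AuthzFileCheck <file>"); return 2; }
        SecurityIdentifier system = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
        FileSystemRights granted = GetGrantedRights(args[0], system);
        // Authz takes no GENERIC_MAPPING, so ACEs that still carry generic bits come back as such.
        bool canWrite = (granted & FileSystemRights.Write) == FileSystemRights.Write
                     || ((uint)granted & (GENERIC_WRITE | GENERIC_ALL)) != 0;
        Console.WriteLine("SYSTEM granted: {0}", granted);
        Console.WriteLine(canWrite ? "SYSTEM can write {0}" : "SYSTEM can NOT write {0}", args[0]);
        return canWrite ? 0 : 1;
    }
}
```

Two caveats for a diagnostic tool built on this. First, the client context is derived by Authz from the SID, not taken from a real logon; if the tool already runs as SYSTEM (or can open a SYSTEM process token), AuthzInitializeContextFromToken gives the exact group set. Second, this answers only what the DACL says, which is the question Bart is asking; it does not model the privileges Joe mentions (SeTakeOwnershipPrivilege and friends), so "denied" here means the ACL is misconfigured, not that SYSTEM could never get in.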
Bart Vries - 09 Jan 2006 09:33 GMT
Thanks Joe,

I'll try to implement it using this API. I was hoping to be able to
implement this check without using interop, but the security APIs in .NET
2.0 seem to be too limited to get this to work.

Best regards,

Bart Vries

Dominick Baier [DevelopMentor] - 09 Jan 2006 13:23 GMT
hi,

well - you can always iterate through the ACLs of a file/directory to see
if SYSTEM has the necessary access.

Use File.GetAccessControl.

does this help you?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Bart Vries - 09 Jan 2006 13:50 GMT
Hi Dominick,

That is what I'm trying to do. The problem is the rule returns an
IdentityReference, but I don't know how to check if the SYSTEM account is a
member of the group defined by the IdentityReference. The only way I know is
by using WindowsPrincipal.IsInRole. The problem is that I cannot seem to
construct a WindowsPrincipal for the SYSTEM account. I can construct a
SecurityIdentifier for the system account, but I cannot convert it to a
WindowsPrincipal.

Thanks for your response,

Bart Vries

Dominick Baier [DevelopMentor] - 09 Jan 2006 14:05 GMT
Hi,

use the Translate method to convert the IdentityReference to a SecurityIdentifier
or NTAccount object.

haven't tried it - but this should get you closer.

        using System;
        using System.IO;
        using System.Security.AccessControl;
        using System.Security.Principal;

        // Lists the DACL of 'path' in ACL order and translates each account name to its SID.
        static void ListDacl(string path)
        {
            FileSecurity security = File.GetAccessControl(path);

            // List DACLs in order
            Console.WriteLine("\nDACLs:");
            foreach (FileSystemAccessRule rule in security.GetAccessRules(true, true, typeof(NTAccount)))
            {
                Console.WriteLine("{0} {1} access to {2}",
                    rule.AccessControlType == AccessControlType.Allow ? "grant: " : "deny: ",
                    rule.FileSystemRights,
                    rule.IdentityReference.ToString());
                SecurityIdentifier sid = (SecurityIdentifier)rule.IdentityReference.Translate(typeof(SecurityIdentifier));
                Console.WriteLine(sid.Value);
            }
        }

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Bart Vries - 09 Jan 2006 14:29 GMT
Hi Dominick,

I also got this far, but now I got a sid and I still don't know if the
system account sid is part of the group returned by the
rule.IdentityReference. This is because the file can have, for example,
defined full control rights for the everyone group. Sorry if I wasn't clear
before. I need to find out if the system account is part of that group so I
know if the system account has rights to write the file.

Thanks in advance,

Bart Vries

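A managed-only way around the IdentityReference problem Bart describes, as an added example (not code from the thread or its participants): rather than asking whether one SID "is in a role", evaluate the DACL the way the kernel's AccessCheck does, against the whole set of SIDs a SYSTEM token carries, in ACE order, with a matching deny on any still-ungranted bit ending the walk. The group list assumed for SYSTEM and the sample DACL (Everyone allowed Full Control, BUILTIN\Users denied Write, SYSTEM named nowhere) are constructed for this example and marked as such in the code.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example: walk a file DACL for a principal described by its token SIDs,
// mirroring AccessCheck (deny on an ungranted bit wins; allows accumulate).
static class DaclWalk
{
    // Assumption (not from the thread): the groups a SYSTEM token carries on a
    // stand-alone machine. Replace with the real token groups if you can get them.
    public static List<SecurityIdentifier> SystemTokenSids()
    {
        List<SecurityIdentifier> sids = new List<SecurityIdentifier>();
        sids.Add(new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null));
        sids.Add(new SecurityIdentifier(WellKnownSidType.WorldSid, null));
        sids.Add(new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null));
        sids.Add(new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null));
        return sids;
    }

    // True if every bit of 'desired' is granted to a token holding 'tokenSids'.
    public static bool IsGranted(FileSecurity security, IList<SecurityIdentifier> tokenSids, FileSystemRights desired)
    {
        FileSystemRights remaining = desired;
        // Ask for SIDs directly: no name lookup, and no exception on an orphaned SID.
        // GetAccessRules yields explicit rules before inherited ones, in DACL order.
        foreach (FileSystemAccessRule rule in security.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (!tokenSids.Contains((SecurityIdentifier)rule.IdentityReference))
                continue;                                 // ACE is not about any of our SIDs
            if (rule.AccessControlType == AccessControlType.Deny)
            {
                if ((rule.FileSystemRights & remaining) != 0)
                    return false;                         // deny hits a bit not yet granted
            }
            else
            {
                remaining &= ~rule.FileSystemRights;      // allow: tick the bits off
                if (remaining == 0) return true;
            }
        }
        return remaining == 0;                            // nothing (or not enough) granted
    }

    // Constructed sample DACL: Bart's case. SYSTEM appears in no ACE, but it is
    // granted through Everyone, while a deny on BUILTIN\Users does not touch it.
    public static FileSecurity SampleDacl()
    {
        FileSecurity fs = new FileSecurity();
        fs.AddAccessRule(new FileSystemAccessRule(
            new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null),
            FileSystemRights.Write, AccessControlType.Deny));
        fs.AddAccessRule(new FileSystemAccessRule(
            new SecurityIdentifier(WellKnownSidType.WorldSid, null),
            FileSystemRights.FullControl, AccessControlType.Allow));
        return fs;   // canonical order keeps the deny ahead of the allow
    }

    static void Main(string[] args)
    {
        // With a path argument, check the real file; otherwise use the constructed DACL.
        FileSecurity acl = args.Length == 1 ? File.GetAccessControl(args[0]) : SampleDacl();

        List<SecurityIdentifier> ordinaryUser = new List<SecurityIdentifier>();
        ordinaryUser.Add(new SecurityIdentifier(WellKnownSidType.WorldSid, null));
        ordinaryUser.Add(new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null));

        Console.WriteLine("SYSTEM may write:       {0}", IsGranted(acl, SystemTokenSids(), FileSystemRights.Write));
        Console.WriteLine("Users member may write: {0}", IsGranted(acl, ordinaryUser, FileSystemRights.Write));
    }
}
```

On the sample DACL the first line prints True and the second False: the Users deny is reached first and overlaps the requested Write bits, while SYSTEM is never matched by it and is then granted through Everyone. What this does not model is the owner's implicit READ_CONTROL/WRITE_DAC and the privileges Joe raised, so treat it as a configuration check, not as the kernel's verdict.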
Dominick Baier [DevelopMentor] - 09 Jan 2006 14:44 GMT
hi,

to be honest - that's not how the SYSTEM account is supposed to be used.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Bart Vries - 10 Jan 2006 17:50 GMT
Hi Dominick,

The problem is that the MSI installer does certain actions on the server side.
These actions execute as the system account. We have over 10k customers. Some
customers seem to remove system account rights on some dirs and files, which
causes the MSI installer to roll back. They call our support department. I want
to build a tool to check if the system account has rights on the appropriate
files. So it is not an issue of how the system account should be used. MS
Installer forces me to use the system account. I think the problem is that
the .NET security APIs are not rich enough (yet) to do this check.

I'll try to use the AuthzAccessCheck function to do the check instead.

Best regards,

Bart Vries

