Duplicate GetAccessRules, FileSystemAccessRule entries

Question

Hi, I'm getting a duplicate FileSystemAccessRule from this code below:

C:\inetpub\wwwroot\AspInfo\Account
BUILTIN\IIS_IUSRS : Allow : ReadAndExecute, Synchronize
BUILTIN\IIS_IUSRS : Allow : -1610612736
NT SERVICE\TrustedInstaller : Allow : FullControl
NT SERVICE\TrustedInstaller : Allow : 268435456

and I can't work out what or why it is.

And the permissions being shown don't match what I can see file FileManager properties. For example, how do I find the "List Folder Contents" permission from this or similar iteration. If anyone knows of an example within the .NET docs it would be helpful.

protected void directoryInfo()
{
  var di = new DirectoryInfo(Server.MapPath("/"));
  foreach (DirectoryInfo dir in di.GetDirectories())
  {
    Response.Write(dir.FullName + "<br/>");
    DirectorySecurity ds = dir.GetAccessControl();
    foreach (FileSystemAccessRule fsar in ds.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)))
    {
      string userName = fsar.IdentityReference.Value;
      string userRights = fsar.FileSystemRights.ToString();
      string userAccessType = fsar.AccessControlType.ToString();
      Response.Write(userName + " : " + userAccessType + " : " + userRights + "<br/>");
    }
  }
}

Answer 1

You will get separate rules entries for inherited rules and for rules that are explicitly set on that folder. There is also a difference depending on the the propagation settings on each rule. For example, you can have one set of permissions that are set to propagate to subfolders, and a different set to files within the folder. Your code is also getting the audit rules (SACL) on the folder where you seem to just be wanting the access permissions (DACL).

Try this:

protected void directoryInfo()
{
  var di = new DirectoryInfo(Server.MapPath("/"));
  foreach (DirectoryInfo dir in di.GetDirectories())
  {
    Response.Write(dir.FullName + "<br/>");
    DirectorySecurity ds = dir.GetAccessControl(AccessControlSections.Access);
    foreach (FileSystemAccessRule fsar in ds.GetAccessRules(true, true, typeof(System.Security.Principal.NTAccount)))
    {
      string userName = fsar.IdentityReference.Value;
      string userRights = fsar.FileSystemRights.ToString();
      string userAccessType = fsar.AccessControlType.ToString();
      string ruleSource = fsar.IsInherited ? "Inherited" : "Explicit";
      string rulePropagation = fsar.PropagationFlags.ToString();
      string ruleInheritance = fsar.InheritanceFlags.ToString();
      Response.Write(userName + " : " + userAccessType + " : " + userRights + " : " + ruleSource + " : " + rulePropagation + " : " + ruleInheritance + "<br/>");
    }
  }
}

The ReadAndExecute permission you're seeing includes the "List Folder Contents" permission. You can check for individual permissions by using the appropriate flag in the FileSystemRights enum. For example:

if (fsar.FileSystemRights && FileSystemRights.ListDirectory)
  Console.WriteLine("Has List Directory permission");