Determining Directory Rights w/o Exception Handling

  • Thread starter Thread starter jehugaleahsa
  • Start date Start date
J

jehugaleahsa

Hello:

My executable can't call Directory.GetAccessControl on a directory it
doesn't have rights to (System Volume Information). That blows my
mind! Is there a way to find out whether I have rights without
handling an exception?

Thanks,
Travis

P.S. - This is just me playing around and being curious.
 
I don't know the specific answer, but I believe there's a general security
rule that you shouldn't be able to infer too much from the result of an API
call. If you ask about the existence of a file that you can't access you're
supposed to get an answer "there is no file" rather than the answer "the
file exists but you don't have access". In other words you shouldn't be
able to write a program that keeps looking for files like "payroll" until
you get a "no access" result because that tells you that such a file exists.
Now you can attack it..! So this might be an application of that general
principle.
 
My executable can't call Directory.GetAccessControl on a directory it
doesn't have rights to (System Volume Information). That blows my
mind! Is there a way to find out whether I have rights without
handling an exception?
Click to expand...

Exceptions are just information. Use that information to your advantage
instead of trying to avoid it.
 
Jeff said:
Exceptions are just information. Use that information to your advantage
instead of trying to avoid it.
Click to expand...

Well, to be fair: the cost of an exception could be significant if the
code is trying to examine a large number of directories in a short
period of time. If there were an alternative, it might be worth looking
into.

However, as Phil points out, not being able to get information about a
directory the code doesn't have access rights for is a security feature,
and a potentially important one at that.

Pete
 
Well, to be fair: the cost of an exception could be significant if the
code is trying to examine a large number of directories in a short
period of time.  If there were an alternative, it might be worth looking
into.

However, as Phil points out, not being able to get information about a
directory the code doesn't have access rights for is a security feature,
and a potentially important one at that.

Pete
Click to expand...

Well, here is a dumb question: When I say Directory.GetDirectories, it
will return System Volume Information. If I can see that it is in my
directory, why shouldn't I be able to get access information for it?
 
Well, here is a dumb question: When I say Directory.GetDirectories, it
will return System Volume Information. If I can see that it is in my
directory, why shouldn't I be able to get access information for it?
Click to expand...

It just depends on the access settings. If someone has set the access
settings to prohibit the retrieval of access settings for a specific
process, that process can't get the access settings.

Sometimes the information of who _is_ allowed to access a given file is
in and of itself sensitive information. Even the information of who
else is not allowed could be, in fact.

If you feel that there's no good reason for users without actual access
to the file to be restricted from looking at the access settings, you
could ask the admin to change the settings for that file, to allow
unrestricted access to the access settings.

Pete
 
It just depends on the access settings.  If someone has set the access
settings to prohibit the retrieval of access settings for a specific
process, that process can't get the access settings.

Sometimes the information of who _is_ allowed to access a given file is
in and of itself sensitive information.  Even the information of who
else is not allowed could be, in fact.

If you feel that there's no good reason for users without actual access
to the file to be restricted from looking at the access settings, you
could ask the admin to change the settings for that file, to allow
unrestricted access to the access settings.

Pete
Click to expand...

Hmm. Like I said, it is purely academic. I was playing around with F#
today, trying to make a simple recursive file navigator. I was hoping
for an elegant way of navigating directories, without using the built
in GetFiles methods, obviously. Thanks all!
 
Exceptions are just information. Use that information to your advantage
instead of trying to avoid it.
Click to expand...

Exceptions are great, but should only be used for exceptional
situations not for an expected situation.

Not so much for performance but for clarity in code.

Whether the specific case is an exceptional or expected
situation I will leave to the original poster.

Arne
 
Back
Top