Reading effective folder permissions

  • Hi,

    I'm currently building a small tool that is supposed to read folder permissions (recursively, later on). At the moment I'm stuck on the AccessMask. The program shouldn't spit out the AccessMask itself but the actual permissions (here is something from MS about the AccessMask). My problem is that I just can't work out how to convert it... Maybe my approach with the AccessMask is wrong altogether... Does anyone of you happen to have an idea? :/ I wanted to use the tool to document my work at the end. Unfortunately I haven't found a program that does it in a way the customer can follow as well.

    EDIT: http://itknowledgeexchange.techtarget.com/powershell/sha…he-access-mask/ could also be something. But I'm not really familiar with PowerShell; with BitAND it didn't work for me.

    [autoit]

    ; Bit values of the Win32 ACCESS_MASK (file/directory specific and standard rights),
    ; the ACE inheritance flags, and the WMI helper variables.
    Local _
        $FILE_READ_DATA__FILE_LIST_DIRECTORY = 1, _ ; Grants the right to read data from the file. For a directory, this value grants the right to list the contents of the directory.
        $FILE_WRITE_DATA__FILE_ADD_FILE = 2, _ ; Grants the right to write data to the file. For a directory, this value grants the right to create a file in the directory.
        $FILE_APPEND_DATA__FILE_ADD_SUBDIRECTORY = 4, _ ; Grants the right to append data to the file. For a directory, this value grants the right to create a subdirectory.
        $FILE_READ_EA = 8, _ ; Grants the right to read extended attributes.
        $FILE_WRITE_EA = 16, _ ; Grants the right to write extended attributes.
        $FILE_EXECUTE__FILE_TRAVERSE = 32, _ ; Grants the right to execute a file. For a directory, the directory can be traversed.
        $FILE_DELETE_CHILD = 64, _ ; Grants the right to delete a directory and all the files it contains (its children), even if the files are read-only.
        $FILE_READ_ATTRIBUTES = 128, _ ; Grants the right to read file attributes.
        $FILE_WRITE_ATTRIBUTES = 256, _ ; Grants the right to change file attributes.
        $DELETE = 65536, _ ; Grants delete access.
        $READ_CONTROL = 131072, _ ; Grants read access to the security descriptor and owner.
        $WRITE_DAC = 262144, _ ; Grants write access to the discretionary access control list (ACL).
        $WRITE_OWNER = 524288, _ ; Assigns the write owner.
        $SYNCHRONIZE = 1048576, _ ; Synchronizes access and allows a process to wait for an object to enter the signaled state.
        $OBJECT_INHERIT_ACE = 1, _ ; Noncontainer child objects inherit the ACE as an effective ACE. For child objects that are containers, the ACE is inherited as an inherit-only ACE unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set.
        $CONTAINER_INHERIT_ACE = 2, _ ; Child objects that are containers, such as directories, inherit the ACE as an effective ACE. The inherited ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set.
        $NO_PROPAGATE_INHERIT_ACE = 4, _ ; If the ACE is inherited by a child object, the system clears the OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE flags in the inherited ACE. This prevents the ACE from being inherited by subsequent generations of objects.
        $INHERIT_ONLY_ACE = 8, _ ; Indicates an inherit-only ACE which does not control access to the object to which it is attached. If this flag is not set, the ACE is an effective ACE which controls access to the object to which it is attached. Both effective and inherit-only ACEs can be inherited depending on the state of the other inheritance flags.
        $INHERITED_ACE = 16, _ ; The system sets this bit when it propagates an inherited ACE to a child object.
        $wbemFlagReturnImmediately = 0x10, _ ; WMI: return the enumerator at once (semisynchronous call)
        $wbemFlagForwardOnly = 0x20, _ ; WMI: forward-only enumerator, cheaper for a single pass
        $colItems = "", _
        $strComputer = "localhost", _
        $objSD, _ ; receives the Win32_SecurityDescriptor (out parameter of GetSecurityDescriptor)
        $Output = "", _
        $sFolderRights = "" ; readable rights, still to be derived from the AccessMask

    Local $sRootFolder = FileSelectFolder("Verzeichnis zum auslesen der Berechtigungen auswählen", "C:\Xampp")
    Local $objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\CIMV2")
    If Not IsObj($objWMIService) Then Exit MsgBox(16, "Error", "WMI-Verbindung fehlgeschlagen")
    ; Win32_LogicalFileSecuritySetting holds the security settings of one file or folder;
    ; backslashes in the path have to be doubled inside the WQL string.
    $colItems = $objWMIService.ExecQuery('SELECT * FROM Win32_LogicalFileSecuritySetting WHERE Path="' & StringReplace($sRootFolder, "\", "\\") & '"', "WQL", $wbemFlagReturnImmediately + $wbemFlagForwardOnly)
    If IsObj($colItems) Then
        For $objItem In $colItems
            $objItem.GetSecurityDescriptor($objSD) ; fills $objSD with a Win32_SecurityDescriptor
            $Output = $Output & "Pfad: " & @TAB & @TAB & @TAB & $objItem.Path & @CRLF
            $colDacl = $objSD.DACL ; discretionary access control list (array of Win32_ACE)
            For $objDacl In $colDacl
                $Output = $Output & "Benutzer/Gruppe: " & @TAB & $objDacl.Trustee.Name & @CRLF
                $Output = $Output & "Flags: " & @TAB & @TAB & @TAB & $objDacl.AceFlags & @CRLF
                $Output = $Output & "Rechte: " & $objDacl.AccessMask & @CRLF ; still the raw bit mask
                $Output = $Output & $sFolderRights
            Next
        Next
        ConsoleWrite($Output)
    Else
        MsgBox(1, "Error", "Pfad nicht gefunden")
    EndIf

    [/autoit]

    Thanks in advance :)

    21 is only half the truth.

  • I'm unfortunately still quite an AutoIt noob, but maybe I can give you a few pointers anyway. Apparently you want the full details of the permissions... I think you'll need more than WMI for that :huh:

    With the command line tools subinacl and setacl you can have the permissions printed, on screen and, DOS-style of course, e.g. into a file, so you can process them further.

    • Official post

    I don't know which call you get the folder permissions from and as which data type (it should actually be a DWORD). If it comes from a DLL call, you could create a pointer to it and load it with the following structure (I took the structure from the MS WinAPI declaration). Then read the values with DllStructGetData and compare them with the rights constants.

    [autoit]

    ; ACCESS_MASK layout as declared in the MS WinAPI documentation.
    ; Note: in the WinAPI declaration the members after StandardRights are 1-bit fields packed into
    ; a single 32-bit DWORD. AutoIt structs have no bit fields, so these Byte members make the
    ; struct longer than the DWORD; the single flag bits have to be read with BitAND/BitShift instead.
    Local $tag_ACCESS_MASK = _
        'WORD SpecificRights;' & _
        'Byte StandardRights;' & _
        'Byte AccessSystemAcl[1];' & _
        'Byte Reserved[3];' & _
        'Byte GenericAll[1];' & _
        'Byte GenericExecute[1];' & _
        'Byte GenericWrite[1];' & _
        'Byte GenericRead[1];'

    ;== You probably need a pointer ($_PACCESS_MASK) to the rights, then use it like this:
    $t_ACCESS_MASK = DllStructCreate($tag_ACCESS_MASK, $_PACCESS_MASK)

    [/autoit]
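    Turning the raw AccessMask into readable rights (the question in the opening post) and the ACCESS_MASK field layout quoted in the reply above, as one added example in Python; it is not code from any post in this thread. The bit values are the documented winnt.h constants, the composite rights are the FileSystemRights values the Explorer security tab uses, and the sample ACEs at the end are constructed. It goes a little beyond the thread by also mapping the generic bits (typical for inherit-only entries such as CREATOR OWNER) to the concrete file rights.

```python
"""Decode a Win32 ACCESS_MASK and the ACE flags into readable NTFS rights.

Added example for this thread, not code from any of the posts. Bit values are
the documented winnt.h constants; the sample ACEs at the end are constructed.
"""
from typing import Dict, List

SYNCHRONIZE = 0x00100000
ACCESS_SYSTEM_SECURITY = 0x01000000   # bit 24: access to the SACL
# Specific rights, bits 0-15; each bit has a file and a directory meaning.
FILE_SPECIFIC_RIGHTS: Dict[int, str] = {
    0x0001: "FILE_READ_DATA / FILE_LIST_DIRECTORY",
    0x0002: "FILE_WRITE_DATA / FILE_ADD_FILE",
    0x0004: "FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY",
    0x0008: "FILE_READ_EA",
    0x0010: "FILE_WRITE_EA",
    0x0020: "FILE_EXECUTE / FILE_TRAVERSE",
    0x0040: "FILE_DELETE_CHILD",
    0x0080: "FILE_READ_ATTRIBUTES",
    0x0100: "FILE_WRITE_ATTRIBUTES",
}
# Standard rights, bits 16-23, common to all securable objects.
STANDARD_RIGHTS: Dict[int, str] = {
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", SYNCHRONIZE: "SYNCHRONIZE",
}
# Generic rights, bits 28-31: name and the concrete file rights NTFS maps them to.
GENERIC_RIGHTS = {
    0x10000000: ("GENERIC_ALL", 0x001F01FF),       # FILE_ALL_ACCESS
    0x20000000: ("GENERIC_EXECUTE", 0x001200A0),   # FILE_GENERIC_EXECUTE
    0x40000000: ("GENERIC_WRITE", 0x00120116),     # FILE_GENERIC_WRITE
    0x80000000: ("GENERIC_READ", 0x00120089),      # FILE_GENERIC_READ
}
# Composite rights as ticked in the Explorer security tab (FileSystemRights values).
COMPOSITE_RIGHTS = [("Full control", 0x001F01FF), ("Modify", 0x000301BF),
                    ("Read & execute", 0x000200A9), ("Read", 0x00020089),
                    ("Write", 0x00000116)]
ACE_FLAGS: Dict[int, str] = {
    0x01: "OBJECT_INHERIT_ACE", 0x02: "CONTAINER_INHERIT_ACE",
    0x04: "NO_PROPAGATE_INHERIT_ACE", 0x08: "INHERIT_ONLY_ACE", 0x10: "INHERITED_ACE",
}


def split_access_mask(mask: int) -> Dict[str, int]:
    """Fields of the ACCESS_MASK as declared in the WinAPI docs: SpecificRights:16,
    StandardRights:8, AccessSystemAcl:1, Reserved:3, then one bit per generic right.
    They are bit fields inside one DWORD, so they are extracted by shifting."""
    return {
        "SpecificRights": mask & 0xFFFF,
        "StandardRights": (mask >> 16) & 0xFF,
        "AccessSystemAcl": (mask >> 24) & 1,
        "GenericAll": (mask >> 28) & 1,
        "GenericExecute": (mask >> 29) & 1,
        "GenericWrite": (mask >> 30) & 1,
        "GenericRead": (mask >> 31) & 1,
    }


def expand_generic(mask: int) -> int:
    """Replace generic bits (seen in inherit-only ACEs) by the file rights they map to."""
    concrete = mask & 0x0FFFFFFF
    for bit, (_, file_rights) in GENERIC_RIGHTS.items():
        if mask & bit:
            concrete |= file_rights
    return concrete


def decode_access_mask(mask: int) -> List[str]:
    """Name every set bit, lowest first (one name per BitAND hit, like the script)."""
    names = [n for t in (FILE_SPECIFIC_RIGHTS, STANDARD_RIGHTS) for b, n in t.items() if mask & b]
    if mask & ACCESS_SYSTEM_SECURITY:
        names.append("ACCESS_SYSTEM_SECURITY")
    return names + [n for b, (n, _) in GENERIC_RIGHTS.items() if mask & b]


def summarize_rights(mask: int) -> List[str]:
    """Composite names whose bits are all present, ignoring SYNCHRONIZE as the dialog
    does; a mask that equals no composite exactly also gets 'Special permissions'."""
    core = expand_generic(mask) & ~SYNCHRONIZE
    exact = {bits & ~SYNCHRONIZE for _, bits in COMPOSITE_RIGHTS}
    ticked = [name for name, bits in COMPOSITE_RIGHTS
              if core & (bits & ~SYNCHRONIZE) == bits & ~SYNCHRONIZE]
    if core and core not in exact:
        ticked.append("Special permissions")
    return ticked


def decode_ace_flags(flags: int) -> List[str]:
    return [name for bit, name in ACE_FLAGS.items() if flags & bit]


if __name__ == "__main__":
    # Constructed sample ACEs (trustee, AccessMask, AceFlags), not output of a real system.
    for trustee, mask, flags in [("BUILTIN\\Administrators", 0x001F01FF, 0x13),
                                 ("BUILTIN\\Users", 0x001200A9, 0x13),
                                 ("CREATOR OWNER", 0x10000000, 0x0B)]:
        print(f"{trustee}: {hex(mask)} -> {summarize_rights(mask)}; "
              f"{decode_access_mask(mask)}; {decode_ace_flags(flags)}")
```

    The per-bit names are what the BitAND loop in the thread produces; the composite summary is what a customer recognises from the security dialog, and "Special permissions" flags every mask that is not exactly one of the standard combinations, which is usually where the entries worth a second look are.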
  • Thanks for the replies (I already thought the thread had died :D)

    But I've also got a considerable step further :)

    [autoit]

    #include <File.au3>
    ; Bit values of the ACCESS_MASK rights and the ACE inheritance flags, plus WMI helpers.
    ; Script-level Local variables are global in AutoIt and are used by the functions below.
    Local _
        $FILE_READ_DATA__FILE_LIST_DIRECTORY = 1, _ ; Grants the right to read data from the file. For a directory, this value grants the right to list the contents of the directory.
        $FILE_WRITE_DATA__FILE_ADD_FILE = 2, _ ; Grants the right to write data to the file. For a directory, this value grants the right to create a file in the directory.
        $FILE_APPEND_DATA__FILE_ADD_SUBDIRECTORY = 4, _ ; Grants the right to append data to the file. For a directory, this value grants the right to create a subdirectory.
        $FILE_READ_EA = 8, _ ; Grants the right to read extended attributes.
        $FILE_WRITE_EA = 16, _ ; Grants the right to write extended attributes.
        $FILE_EXECUTE__FILE_TRAVERSE = 32, _ ; Grants the right to execute a file. For a directory, the directory can be traversed.
        $FILE_DELETE_CHILD = 64, _ ; Grants the right to delete a directory and all the files it contains (its children), even if the files are read-only.
        $FILE_READ_ATTRIBUTES = 128, _ ; Grants the right to read file attributes.
        $FILE_WRITE_ATTRIBUTES = 256, _ ; Grants the right to change file attributes.
        $DELETE = 65536, _ ; Grants delete access.
        $READ_CONTROL = 131072, _ ; Grants read access to the security descriptor and owner.
        $WRITE_DAC = 262144, _ ; Grants write access to the discretionary access control list (ACL).
        $WRITE_OWNER = 524288, _ ; Assigns the write owner.
        $SYNCHRONIZE = 1048576, _ ; Synchronizes access and allows a process to wait for an object to enter the signaled state.
        $OBJECT_INHERIT_ACE = 1, _ ; Noncontainer child objects inherit the ACE as an effective ACE. For child objects that are containers, the ACE is inherited as an inherit-only ACE unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set.
        $CONTAINER_INHERIT_ACE = 2, _ ; Child objects that are containers, such as directories, inherit the ACE as an effective ACE. The inherited ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set.
        $NO_PROPAGATE_INHERIT_ACE = 4, _ ; If the ACE is inherited by a child object, the system clears the OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE flags in the inherited ACE. This prevents the ACE from being inherited by subsequent generations of objects.
        $INHERIT_ONLY_ACE = 8, _ ; Indicates an inherit-only ACE which does not control access to the object to which it is attached. If this flag is not set, the ACE is an effective ACE which controls access to the object to which it is attached. Both effective and inherit-only ACEs can be inherited depending on the state of the other inheritance flags.
        $INHERITED_ACE = 16, _ ; The system sets this bit when it propagates an inherited ACE to a child object.
        $wbemFlagReturnImmediately = 0x10, _
        $wbemFlagForwardOnly = 0x20, _
        $colItems = "", _
        $strComputer = "localhost", _
        $objSD, _ ; receives the Win32_SecurityDescriptor (out parameter of GetSecurityDescriptor)
        $Output = "", _
        $objDaclAccessmask
    ; Result table, one row per ACE: column 0 = trustee, 1 = path, 2-15 = readable rights, 16-20 = ACE flags
    Local $aRights2dArray[1][21]
    Local $aRightFlags[14] = [$FILE_READ_DATA__FILE_LIST_DIRECTORY, $FILE_WRITE_DATA__FILE_ADD_FILE, $FILE_APPEND_DATA__FILE_ADD_SUBDIRECTORY, $FILE_READ_EA, $FILE_WRITE_EA, $FILE_EXECUTE__FILE_TRAVERSE, $FILE_DELETE_CHILD, $FILE_READ_ATTRIBUTES, $FILE_WRITE_ATTRIBUTES, $DELETE, $READ_CONTROL, $WRITE_DAC, $WRITE_OWNER, $SYNCHRONIZE]
    Local $aAceflags[5] = [$OBJECT_INHERIT_ACE, $CONTAINER_INHERIT_ACE, $NO_PROPAGATE_INHERIT_ACE, $INHERIT_ONLY_ACE, $INHERITED_ACE]
    Local $sRootFolder = FileSelectFolder("Verzeichnis zum auslesen der Berechtigungen auswählen", "C:\Vol1")
    Local $pathall ; "|"-separated list of all folders, filled by _ReFileListToString()
    ConsoleWrite($sRootFolder & " wird durchsucht ..." & @CRLF)
    $aReturnfolderlist = _ReFileListToString($sRootFolder & "\")
    ConsoleWrite(UBound($aReturnfolderlist) & " Ordner gefunden" & @CRLF & @CRLF)
    For $i3 = 0 To UBound($aReturnfolderlist) - 1
        If StringRight($aReturnfolderlist[$i3], 1) = "\" Then $aReturnfolderlist[$i3] = StringTrimRight($aReturnfolderlist[$i3], 1)
        $aReturnRights = _geteffberechtigungen($aReturnfolderlist[$i3])
        ; Print only the ACEs set directly on this folder: column 19 holds "INHERIT_ONLY_ACE" for entries
        ; that do not apply to the folder itself, column 20 holds "INHERITED_ACE" for entries from a parent.
        ; (Compared with <> rather than "Not ... =": Not binds tighter than = in AutoIt.)
        For $i2 = 1 To UBound($aReturnRights) - 1
            If $aReturnRights[$i2][19] = "INHERIT_ONLY_ACE" Or $aReturnRights[$i2][20] = "INHERITED_ACE" Then ContinueLoop
            If $aReturnRights[$i2][1] <> $aReturnfolderlist[$i3] Then ContinueLoop
            For $i = 0 To UBound($aReturnRights, 2) - 6 ; columns 0-15: trustee, path and the 14 rights
                If $aReturnRights[$i2][$i] <> "" Then ConsoleWrite($aReturnRights[$i2][$i] & @CRLF)
            Next
            ConsoleWrite(@CRLF)
        Next
    Next

    ConsoleWrite(@CRLF & "...Done" & @CRLF)

    ; Reads the DACL of $sFolder via WMI and appends one row per ACE to the global $aRights2dArray.
    Func _geteffberechtigungen($sFolder)
        Local $objWMIService = ObjGet("winmgmts:\\" & $strComputer & "\root\CIMV2")
        If Not IsObj($objWMIService) Then Return SetError(2, 0, 0) ; WMI connection failed
        Local $colItems = $objWMIService.ExecQuery('SELECT * FROM Win32_LogicalFileSecuritySetting WHERE Path="' & StringReplace($sFolder, "\", "\\") & '"', "WQL", $wbemFlagReturnImmediately + $wbemFlagForwardOnly)
        If Not IsObj($colItems) Then Return SetError(1, 0, 0) ; path not found
        Local $objItem, $colDacl, $objDacl, $iRights2dArray
        For $objItem In $colItems
            $objItem.GetSecurityDescriptor($objSD) ; fills $objSD with a Win32_SecurityDescriptor
            $colDacl = $objSD.DACL
            For $objDacl In $colDacl
                ; Note: $objDacl.AceType (0 = allow, 1 = deny) is not evaluated, so a deny entry
                ; would be listed with the same wording as an allow entry.
                ReDim $aRights2dArray[UBound($aRights2dArray) + 1][21]
                $iRights2dArray = 0
                $aRights2dArray[UBound($aRights2dArray) - 1][$iRights2dArray] = $objDacl.Trustee.Name
                $iRights2dArray += 1
                $aRights2dArray[UBound($aRights2dArray) - 1][$iRights2dArray] = $objItem.Path
                $iRights2dArray += 1
                ; one column per right, filled with the readable name if the bit is set in the AccessMask
                For $RightFlag In $aRightFlags
                    If BitAND($objDacl.AccessMask, $RightFlag) Then $aRights2dArray[UBound($aRights2dArray) - 1][$iRights2dArray] = _makerightflagsreadable($RightFlag)
                    $iRights2dArray += 1
                Next
                ; one column per inheritance flag
                For $Aceflag In $aAceflags
                    If BitAND($objDacl.AceFlags, $Aceflag) Then $aRights2dArray[UBound($aRights2dArray) - 1][$iRights2dArray] = _makeaceflagsreadable($Aceflag)
                    $iRights2dArray += 1
                Next
            Next
        Next
        Return $aRights2dArray
    EndFunc   ;==>_geteffberechtigungen

    ; Maps one right bit to the wording used in the Explorer security dialog (German).
    Func _makerightflagsreadable($sFlag)
        Switch $sFlag
            Case $FILE_READ_DATA__FILE_LIST_DIRECTORY
                Return "Ordner auflisten / Daten lesen"
            Case $FILE_WRITE_DATA__FILE_ADD_FILE
                Return "Dateien erstellen / Daten schreiben"
            Case $FILE_APPEND_DATA__FILE_ADD_SUBDIRECTORY
                Return "Ordner erstellen / Daten anhängen"
            Case $FILE_READ_EA
                Return "Erweiterte Attribute lesen"
            Case $FILE_WRITE_EA
                Return "Erweiterte Attribute schreiben"
            Case $FILE_EXECUTE__FILE_TRAVERSE
                Return "Ordner durchsuchen / Dateien ausführen"
            Case $FILE_DELETE_CHILD
                Return "Unterordner und Dateien löschen"
            Case $FILE_READ_ATTRIBUTES
                Return "Attribute lesen"
            Case $FILE_WRITE_ATTRIBUTES
                Return "Attribute schreiben"
            Case $DELETE
                Return "Löschen"
            Case $READ_CONTROL
                Return "Berechtigungen lesen"
            Case $WRITE_DAC
                Return "Berechtigungen ändern"
            Case $WRITE_OWNER
                Return "Besitz übernehmen"
            Case $SYNCHRONIZE
                Return "Synchronisiert den Zugriff und erlaubt einem Prozess auf einem bestimmten Status eines Objektes zu warten"
        EndSwitch
    EndFunc   ;==>_makerightflagsreadable

    ; Maps one ACE flag bit to its WinAPI name.
    Func _makeaceflagsreadable($sFlag)
        Switch $sFlag
            Case $OBJECT_INHERIT_ACE
                Return "OBJECT_INHERIT_ACE"
            Case $CONTAINER_INHERIT_ACE
                Return "CONTAINER_INHERIT_ACE"
            Case $NO_PROPAGATE_INHERIT_ACE
                Return "NO_PROPAGATE_INHERIT_ACE"
            Case $INHERIT_ONLY_ACE
                Return "INHERIT_ONLY_ACE"
            Case $INHERITED_ACE
                Return "INHERITED_ACE"
        EndSwitch
    EndFunc   ;==>_makeaceflagsreadable

    ; Collects $path and every folder below it (recursively) into the global $pathall
    ; and returns the list as a 0-based array.
    Func _ReFileListToString($path) ;by Oscar (Autoit.de)
        Local $count, $Files
        Local $dFileList = _FileListToArray($path, '*', 2) ; 2 = folders only
        $pathall &= $path & "|"
        If IsArray($dFileList) Then
            For $i = 1 To $dFileList[0]
                Local $hSearch, $sFile
                $hSearch = FileFindFirstFile($path & $dFileList[$i] & "\" & '*.*')
                If $hSearch <> -1 Then
                    While 1
                        $sFile = FileFindNextFile($hSearch)
                        If @error Then
                            SetError(0)
                            ExitLoop
                        EndIf
                        If StringInStr(FileGetAttrib($path & $dFileList[$i] & "\" & $sFile), "D") <> 0 Then ContinueLoop
                        $count += 1 ; files are counted here but not used further by this script
                        $Files &= $path & $dFileList[$i] & "\" & $sFile & '|'
                    WEnd
                    FileClose($hSearch)
                EndIf
                _ReFileListToString($path & $dFileList[$i] & '\')
            Next
        EndIf
        Return StringSplit(StringTrimRight($pathall, 1), "|", 2)
    EndFunc   ;==>_ReFileListToString

    [/autoit]

    21 is only half the truth.

    Edited once, last by Mahagon (16 February 2011, 12:02)
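    The script above lists the ACEs set directly on each folder. Working out what a given account can actually do with the folder additionally needs the ACE type (allow or deny), the order of the DACL and the account's group memberships. The following added example (not part of the posted script, and written in Python rather than AutoIt) walks a constructed DACL the way an access check does. Trustees are matched by name instead of SID, which is a simplification, and owner-implied rights and privileges are not modelled.

```python
"""Effective (maximum allowed) access of a principal on one folder, derived from
its DACL the way an access check walks the ACE list.

Added example for this thread, not part of the posted script. The DACL, the
trustees and the group memberships are constructed; trustees are matched by
name rather than SID to keep the sample readable (an assumption, real tokens
carry SIDs). Owner-implied rights and privileges are not modelled.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set

ACE_ACCESS_ALLOWED = 0          # Win32_ACE.AceType values
ACE_ACCESS_DENIED = 1
INHERIT_ONLY_ACE = 0x08
INHERITED_ACE = 0x10

FILE_WRITE_DATA = 0x0002
FILE_DELETE_CHILD = 0x0040
DELETE = 0x00010000
READ_AND_EXECUTE = 0x001200A9   # Explorer "Read & execute" as stored, incl. SYNCHRONIZE
MODIFY = 0x001301BF             # Explorer "Modify" as stored, incl. SYNCHRONIZE
FULL_CONTROL = 0x001F01FF


@dataclass(frozen=True)
class Ace:
    trustee: str
    ace_type: int
    access_mask: int
    ace_flags: int = 0


def effective_access(dacl: Iterable[Ace], principal: Set[str]) -> int:
    """Walk the DACL in order: an allow ACE grants bits not already denied, a deny
    ACE denies bits not already granted, so earlier ACEs win. Inherit-only ACEs
    never apply to the object itself and are skipped."""
    allowed = denied = 0
    for ace in dacl:
        if ace.ace_flags & INHERIT_ONLY_ACE or ace.trustee not in principal:
            continue
        if ace.ace_type == ACE_ACCESS_ALLOWED:
            allowed |= ace.access_mask & ~denied
        elif ace.ace_type == ACE_ACCESS_DENIED:
            denied |= ace.access_mask & ~allowed
    return allowed


def has_access(dacl: Iterable[Ace], principal: Set[str], wanted: int) -> bool:
    """True if every bit of `wanted` is in the effective mask."""
    return effective_access(dacl, principal) & wanted == wanted


def explicit_aces(dacl: Iterable[Ace]) -> List[Ace]:
    """The ACEs set directly on this object, i.e. what the thread's script prints:
    neither inherited from a parent nor inherit-only."""
    return [a for a in dacl if not a.ace_flags & (INHERITED_ACE | INHERIT_ONLY_ACE)]


# Constructed DACL in canonical order: explicit deny, explicit allow, then inherited entries.
SAMPLE_DACL = [
    Ace("EXAMPLE\\Temps", ACE_ACCESS_DENIED, DELETE | FILE_DELETE_CHILD),
    Ace("EXAMPLE\\Project", ACE_ACCESS_ALLOWED, MODIFY, 0x03),
    Ace("BUILTIN\\Users", ACE_ACCESS_ALLOWED, READ_AND_EXECUTE, 0x13),
    Ace("NT AUTHORITY\\Authenticated Users", ACE_ACCESS_ALLOWED, MODIFY, 0x13),
    Ace("CREATOR OWNER", ACE_ACCESS_ALLOWED, FULL_CONTROL, 0x0B),
]
# Constructed principals: the account name plus the groups in its token.
ALICE = {"EXAMPLE\\alice", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users", "EXAMPLE\\Temps"}
BOB = {"EXAMPLE\\bob", "BUILTIN\\Users", "EXAMPLE\\Project"}

if __name__ == "__main__":
    for name, principal in (("alice", ALICE), ("bob", BOB)):
        mask = effective_access(SAMPLE_DACL, principal)
        print(f"{name}: effective mask {mask:#010x}, "
              f"delete={has_access(SAMPLE_DACL, principal, DELETE)}, "
              f"write={has_access(SAMPLE_DACL, principal, FILE_WRITE_DATA)}")
    print("explicit:", [a.trustee for a in explicit_aces(SAMPLE_DACL)])
```

    The ordering rule is the reason the canonical DACL order matters for a report: with the same five entries reversed, alice's deny no longer removes DELETE because an allow for it was already granted earlier in the list. A listing that drops inherited entries, as the script does, also hides the two inherited allow entries that give alice most of her access, so a customer-facing report should say which view it shows.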

  • Exactly what I'm looking for ... unfortunately it doesn't work any more ... or I don't know why.
    Here is the error. I took the code from the last post, the "improved" one. The upper script doesn't work either.
    Tried it on Win8 and 2003 ... and get the same error.

    Thanks in advance

    Code
    C:\temp wird durchsucht ...
    12 Ordner gefunden
    eff.au3 (54) : ==> Variable must be of type "Object".:
    Local $colItems = $objWMIService.ExecQuery('SELECT * FROM Win32_LogicalFileSecuritySetting WHERE Path="' & StringReplace($sFolder, "", "") & '"', "WQL", $wbemFlagReturnImmediately + $wbemFlagForwardOnly)
    Local $colItems = $objWMIService^ ERROR
    ->16:51:27 AutoIt3.exe ended.rc:1