WindowsFileSystemProvider checkAccess

Salter, Thomas A Thomas.Salter at unisys.com
Tue Aug 9 13:51:53 PDT 2011


From: Alan Bateman [mailto:Alan.Bateman at oracle.com]
Sent: Tuesday, August 09, 2011 4:38 PM
To: Salter, Thomas A
Cc: nio-dev at openjdk.java.net
Subject: Re: WindowsFileSystemProvider checkAccess

Salter, Thomas A wrote:
I've encountered a problem with WindowsFileSystemProvider checkAccess function.  When I'm running as an administrator, everything is fine, but when I run as an ordinary user (member of the default Users group),  the GetEffectiveRightsFromAcl function fails with an Access Denied (5) error result.  I've tried giving the individual user as well as the Users group "full control", but the only thing that seems to work is running under an administrator account.

I've proven that the user does have access to the file by reading from the file from the same program after isReadable() returns false.  My test program is included below.

I'm running on Windows 7 with the FCS version of Java 7 downloaded from the public Java technology site: http://www.oracle.com/technetwork/java/index.html

Along the way, I noticed that WindowsNativeDispatcher.c does not test correctly for an error code.  The actual error is returned as the result, not with GetLastError.  My suggested change follows:

#if OLD CODE
    if (GetEffectiveRightsFromAcl(pAcl, pTrustee, &access) != ERROR_SUCCESS) {
        throwWindowsException(env, GetLastError());
    }
#else //NEW CODE
    DWORD result = GetEffectiveRightsFromAcl(pAcl, pTrustee, &access);
    if( result != ERROR_SUCCESS) {
        throwWindowsException(env, result );
    }
#endif

It might be a few days before I can look into this in detail. One thing that would be useful is if you could say whether you are in a domain and whether you are logged in with a local account (when using the user account). If I can't duplicate this then I might ask you to dump the ACL so that we can see whether it is accessible by the domain group (cacls.exe can be used to print it out, as can the AclEdit sample in the JDK sample directory).

On the above code then you are right as we should be using the return value as the error code. Looking at this API then I also wonder if we should be using the Unicode version (need to check that too).

-Alan

[Salter, Thomas A] I am normally logged in as a domain user who is a member of the BUILTIN\Administrators account.  The ordinary user is a local user that's a member of BUILTIN\Users.  I ran as the local user while signed in as an administrator by using RunAs from the command prompt.  I thought maybe I didn't have permission to read the ACLs but I was able to run cacls while signed in as the ordinary user.

The ACLs don't seem very interesting:
C:\>cacls C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\drivers\etc\hosts BUILTIN\Administrators:(ID)F
                                      NT AUTHORITY\SYSTEM:(ID)F
                                      BUILTIN\Users:(ID)R


C:\>cacls C:\Java\jdk7_fcs\jre\readme.txt
C:\Java\jdk7_fcs\jre\README.txt BUILTIN\Administrators:(ID)F
                                NT AUTHORITY\SYSTEM:(ID)F
                                BUILTIN\Users:(ID)R
                                NT AUTHORITY\Authenticated Users:(ID)C
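
Added example, not part of the original message or of the JDK sources: a portable C model of the error-reporting bug discussed above, showing what each pattern would hand to throwWindowsException when the call fails. The mock_* functions, check_old/check_new and the stale last-error values are constructed stand-ins, and the model assumes the failing call leaves the thread's last-error value untouched.

```c
#include <stdio.h>

/* Constructed stand-ins so the example builds on any platform. They model
   the Win32 convention at issue; they are not the real API. */
typedef unsigned long DWORD;
#define ERROR_SUCCESS        0UL
#define ERROR_FILE_NOT_FOUND 2UL
#define ERROR_ACCESS_DENIED  5UL

static DWORD last_error;                 /* models the thread's last-error slot */
static DWORD mock_GetLastError(void) { return last_error; }

/* Assumption: like GetEffectiveRightsFromAcl, failure is reported only
   through the return value; the last-error slot is not updated. */
static DWORD mock_effective_rights(int may_query, DWORD *access) {
    if (!may_query) return ERROR_ACCESS_DENIED;
    *access = 0x1;                       /* constructed access mask */
    return ERROR_SUCCESS;
}

/* Old pattern: on failure, report whatever GetLastError() holds.
   Returns 1 if an exception would be thrown, 0 otherwise. */
int check_old(int may_query, DWORD stale, DWORD *reported) {
    DWORD access = 0;
    last_error = stale;                  /* left over from an earlier call */
    if (mock_effective_rights(may_query, &access) != ERROR_SUCCESS) {
        *reported = mock_GetLastError(); /* unrelated to this failure */
        return 1;
    }
    return 0;
}

/* Suggested pattern: report the function's own return value. */
int check_new(int may_query, DWORD stale, DWORD *reported) {
    DWORD access = 0, result;
    last_error = stale;
    result = mock_effective_rights(may_query, &access);
    if (result != ERROR_SUCCESS) {
        *reported = result;              /* the real cause: access denied */
        return 1;
    }
    return 0;
}

int main(void) {
    DWORD e_old = 0, e_new = 0;
    check_old(0, ERROR_FILE_NOT_FOUND, &e_old);
    check_new(0, ERROR_FILE_NOT_FOUND, &e_new);
    printf("old pattern reports %lu, suggested pattern reports %lu\n", e_old, e_new);
    return 0;
}
```

With a stale last-error of 0 the old pattern raises an exception carrying ERROR_SUCCESS, which hides the access-denied cause from whoever reads the log.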


