SeBackupPrivilege, but cannot read all files


I am trying to read full directories independent of the current file-permissions. But even though I do have “SeBackupPrivilege”, the following code leads to an “UnauthorizedAccessException”. How can this be?

//Create the test-directory.
string testPath = Path.Combine(Environment.CurrentDirectory, "TestDenied");
string filePath = Path.Combine(testPath, "Foo.txt");
Directory.CreateDirectory(testPath);
using (var fs = File.CreateText(filePath)) {
    fs.WriteLine("Foo");
}
var ds = Directory.GetAccessControl(testPath, Utils.AccessControlSectionsToRead);
ds.SetOwner(WindowsIdentity.GetCurrent().User);
ds.AddAccessRule((FileSystemAccessRule)ds.AccessRuleFactory(
    WindowsIdentity.GetCurrent().User,
    (int)FileSystemRights.FullControl,
    false,
    InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
    PropagationFlags.None,
    AccessControlType.Deny)
);
Directory.SetAccessControl(testPath, ds);

//Get the backup-privilege
WinAPI.ModifyPrivilege(PrivilegeName.SeBackupPrivilege, true);
//Checked the privilege on the command line here: The process has it.

//Try to access the forbidden file.
using (var fs = File.OpenRead(filePath)) {
    //UnauthorizedAccessException from the line above.
}

How can this happen? I thought that SeBackupPrivilege gets me access to all files?

What Harry is referring to is what CreateFile refers to as FILE_FLAG_BACKUP_SEMANTICS. At last check, none of the .NET classes expose this flag (probably because using it is so uncommon).

However, for those with a need, there’s always PInvoke.
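
The approach the answer describes, as an added example that is not code from the original post: CreateFile is called through P/Invoke with FILE_FLAG_BACKUP_SEMANTICS and the resulting handle is wrapped in a FileStream. The class name BackupRead is hypothetical, and SeBackupPrivilege is assumed to be already enabled in the process token, as in the question.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

// Hypothetical helper class (not part of the original post).
static class BackupRead
{
    // Values from the Windows SDK headers.
    const uint GENERIC_READ = 0x80000000;
    const uint FILE_SHARE_READ = 0x00000001;
    const uint OPEN_EXISTING = 3;
    const uint FILE_FLAG_BACKUP_SEMANTICS = 0x02000000;

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern SafeFileHandle CreateFile(
        string lpFileName, uint dwDesiredAccess, uint dwShareMode,
        IntPtr lpSecurityAttributes, uint dwCreationDisposition,
        uint dwFlagsAndAttributes, IntPtr hTemplateFile);

    // Opens a file for reading with backup semantics. The privilege must be
    // enabled in the token, not merely assigned to the account; without the
    // flag below the normal ACL check still applies and a Deny ACE wins.
    public static FileStream OpenRead(string path)
    {
        SafeFileHandle handle = CreateFile(path, GENERIC_READ, FILE_SHARE_READ,
            IntPtr.Zero, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, IntPtr.Zero);
        if (handle.IsInvalid)
        {
            // Read the error code before any other call can overwrite it.
            int err = Marshal.GetLastWin32Error();
            handle.Dispose();
            throw new Win32Exception(err, "CreateFile failed for " + path);
        }
        return new FileStream(handle, FileAccess.Read);
    }
}

static class Program
{
    static void Main(string[] args)
    {
        // args[0]: path to the denied file, e.g. the question's Foo.txt.
        using (var fs = BackupRead.OpenRead(args[0]))
        using (var reader = new StreamReader(fs))
            Console.WriteLine(reader.ReadLine());
    }
}
```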
