Coming from a .Net development background with not that much experience in (NTFS) file system security most of the rights in System.Security.AccessControl.FileSystemRights are pretty clear to me.
However, FileSystemRights.Synchronize is an exception. From the documentation:
Specifies whether the application can wait for a file handle to
synchronize with the completion of an I/O operation.
Or as someone else explains it:
The Synchronize permission allows or denies different threads to wait
on the handle for the file or folder and synchronize with another
thread that may signal it. This permission applies only to
multiple-threaded, multiple-process programs.
So my questions are:
- Is the above clarification correct?
- And if it is, why not set the Synchronize right (if read access is granted)?
To answer my own questions after doing some research:
- Yes, it is correct. To quote Microsoft's "Permissions Entry Dialog Box" help screen from the advanced edit permissions dialog:
[Synchronize] Allows or denies different threads to wait on the handle
for the file or folder and synchronize with another thread that may
signal it. This permission applies only to multithreaded, multiprocess
programs.
- You can't not set the Synchronize right through the user interface. It is always set with other rights. Only with the .Net API (and most likely others as well) you can choose not to set the Synchronize right.
These are the coarse permissions you can set in the permissions dialog and the FileSystemRights they include:
- Full control (select all coarse permissions):
- FullControl (all FileSystemRights, including Synchronize)
- Modify (also selects Read & execute, List folder contents, Read, Write):
- Read & execute (also selects List folder contents, Read):
- ReadAndExecute
- Synchronize
- List folder contents:
- ReadAndExecute
- Synchronize
- Read:
- Write:
These are the granular permissions you can set in the advanced permissions dialog and the FileSystemRights they include:
- Full control:
- FullControl (all FileSystemRights, including Synchronize)
- Traverse folder / execute file:
- List folder / read data:
- Read attributes:
- ReadAttributes
- Synchronize
- Read extended attributes:
- ReadExtendedAttributes
- Synchronize
- Create files / write data:
- Create folders / append data:
- Write attributes:
- WriteAttributes
- Synchronize
- Write extended attributes:
- WriteExtendedAttributes
- Synchronize
- Delete subfolders and files:
- DeleteSubdirectoriesAndFiles
- Synchronize
- Delete:
- Read permissions:
- ReadPermissions
- Synchronize
- Change permissions:
- ChangePermissions
- Synchronize
- Take ownership:
- TakeOwnership
- Synchronize
Note that there are a few FileSystemRights that include other rights because of their bit mask. Those correspond to the rights you can set in the coarse permissions dialog. The FileSystemRights value and the other values they include:
- Read:
- ReadPermissions
- ReadAttributes
- ReadExtendedAttributes
- ListDirectory/ReadData
- ReadAndExecute (Read + ExecuteFile):
- ReadPermissions
- ReadAttributes
- ReadExtendedAttributes
- ListDirectory/ReadData
- ExecuteFile/Traverse
- Write:
- WriteAttributes
- WriteExtendedAttributes
- CreateDirectories/AppendData
- CreateFiles/WriteData
- Modify (ReadAndExecute + Write + Delete):
- ReadPermissions
- ReadAttributes
- ReadExtendedAttributes
- ListDirectory/ReadData
- ExecuteFile/Traverse
- WriteAttributes
- WriteExtendedAttributes
- CreateDirectories/AppendData
- CreateFiles/WriteData
- Delete
- FullControl: includes all.
There are also a few FileSystemRights that share the same value and are used interchangeably. They are:
- ListDirectory, ReadData: 1
- CreateFiles, WriteData: 2
- CreateDirectories, AppendData: 4
- ExecuteFile, Traverse: 32