Am I using SetNamedSecurityInfo incorrectly? The ACL on my file does not seem to be modified correctly

Posted 2024-07-26 13:13:16

I'm trying to enable and disable certain access privileges on a file. I figured out that to do this, you have to mess with DACLs. I'm using the following code to modify the file's DACL:

    #include <windows.h>
    #include <aclapi.h>
    #include <tchar.h>
    #include <stdio.h>

    /* Apply one explicit ACE for the local Administrators group to the object's DACL. */
    void set_DACL_for_object(const char *object, SE_OBJECT_TYPE object_type,
                             DWORD access_perms, ACCESS_MODE access_mode) {
        PACL pDACL = NULL, pOldDACL = NULL;
        PSECURITY_DESCRIPTOR pSD = NULL;
        EXPLICIT_ACCESS ea;
        DWORD rc;

        /* Fetch the existing DACL; pOldDACL points into pSD, which must be LocalFree'd.
         * The LPTSTR cast only works in a non-UNICODE build, since object is a char*. */
        rc = GetNamedSecurityInfo((LPTSTR)object, object_type,
                                  DACL_SECURITY_INFORMATION, NULL, NULL,
                                  &pOldDACL, NULL, &pSD);
        if (rc != ERROR_SUCCESS) {
            printf("GetNamedSecurityInfo failed: %lu\n", rc);
            return;
        }

        ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
        ea.grfAccessPermissions = access_perms;
        ea.grfAccessMode = access_mode;
        ea.grfInheritance = NO_INHERITANCE;
        ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
        ea.Trustee.TrusteeType = TRUSTEE_IS_GROUP;
        ea.Trustee.ptstrName = _T("ADMINISTRATORS");

        /* Merge the new entry into a copy of the old DACL (allocated with LocalAlloc). */
        rc = SetEntriesInAcl(1, &ea, pOldDACL, &pDACL);
        if (rc != ERROR_SUCCESS) {
            printf("SetEntriesInAcl failed: %lu\n", rc);
        } else {
            rc = SetNamedSecurityInfo((LPTSTR)object, object_type,
                                      DACL_SECURITY_INFORMATION, NULL, NULL, pDACL, NULL);
            if (rc != ERROR_SUCCESS)
                printf("SetNamedSecurityInfo failed: %lu\n", rc);
        }

        if (pDACL) LocalFree(pDACL);
        if (pSD) LocalFree(pSD);
    }

So first I'm creating a file with fopen(), creating an ACL to give all access to the Administrators group, and then denying write access to the Administrators group:

 set_DACL_for_object("C:\\file.txt", SE_FILE_OBJECT, GENERIC_ALL, SET_ACCESS);
 set_DACL_for_object("C:\\file.txt", SE_FILE_OBJECT, GENERIC_WRITE, DENY_ACCESS);

However, after these calls I have no read access to the file. If I don't make the calls, I have read/write access (as would be expected).

I should note I'm running under an admin account and the functions are returning as successful. I also tried modifying the ACL for a specific limited user, but the same thing happens... the user is denied read access, not write access like I wanted.

I tried a bunch of different combos of calls to set_DACL_for_object(), like replacing DENY_ACCESS with REVOKE_ACCESS, SET_ACCESS with GRANT_ACCESS, not making any SET_ACCESS calls, etc, etc, but nothing seems to work.

I should note, most of the code was taken from this MSDN example, so I would think it should work. What exactly am I doing wrong?


Comments (2)

心舞飞扬 2024-08-02 13:13:21

I think the set_DACL_for_object calls should specify FILE_ALL_ACCESS and FILE_GENERIC_WRITE, not GENERIC_ALL and GENERIC_WRITE. I compiled your code snippet with these changes and it worked as you expect.

As a side note, the LPTSTR cast prevents the compiler from detecting that this code is ANSI if you should ever compile this as Unicode, so the code will fail at runtime in this case.

You should use _T("ADMINISTRATORS") instead.

神仙妹妹 2024-08-02 13:13:20

Open and read it in which program? The ACL was set to what I expected, but FILE_GENERIC_WRITE may be too generic for your purposes; it looks like that also sets a 'special' permission that affects reading attributes.

From winnt.h:

#define FILE_GENERIC_WRITE        (STANDARD_RIGHTS_WRITE    |\
                                   FILE_WRITE_DATA          |\
                                   FILE_WRITE_ATTRIBUTES    |\
                                   FILE_WRITE_EA            |\
                                   FILE_APPEND_DATA         |\
                                   SYNCHRONIZE)

If I call with a more limited set of flags, the test file can now be opened and read, at least in Notepad, but the administrator user cannot save the document:

DWORD dwCustomWrite = FILE_WRITE_DATA       | 
                      FILE_WRITE_ATTRIBUTES | 
                      FILE_WRITE_EA         | 
                      FILE_APPEND_DATA;
set_DACL_for_object(..., SE_FILE_OBJECT, dwCustomWrite, DENY_ACCESS);

On the advanced permissions list from the security tab on the file, with the above call only the following are marked as 'deny' for the 'administrators' group:

'Create files / write data', 'create folders / append data', 'Write attributes', 'Write extended attributes'

With this knowledge you should be able to pick the exact set of flags you need.
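The overlap the second answer is pointing at, as an added example (my code, not the post's and not Windows code): FILE_GENERIC_READ and FILE_GENERIC_WRITE both contain READ_CONTROL and SYNCHRONIZE, so a deny ACE for the whole write mask also denies rights every read open requests. The mask values are the winnt.h definitions; the assumptions are that generic bits in an ACE are expanded through the file generic mapping (as MapGenericMask does) and that dacl_grants() is a simplified single-trustee model of the DACL walk, with SetEntriesInAcl placing the explicit deny before the explicit allow as in the question's two calls.

```c
/* Added example, not from the post. Values are from winnt.h; the DACL walk is a simplified model. */
#include <stddef.h>
#include <stdint.h>
#define READ_CONTROL             0x00020000u  /* STANDARD_RIGHTS_READ == STANDARD_RIGHTS_WRITE == this */
#define SYNCHRONIZE              0x00100000u
#define STANDARD_RIGHTS_REQUIRED 0x000F0000u
#define FILE_READ_DATA           0x0001u
#define FILE_WRITE_DATA          0x0002u
#define FILE_APPEND_DATA         0x0004u
#define FILE_READ_EA             0x0008u
#define FILE_WRITE_EA            0x0010u
#define FILE_READ_ATTRIBUTES     0x0080u
#define FILE_WRITE_ATTRIBUTES    0x0100u
#define GENERIC_READ             0x80000000u
#define GENERIC_WRITE            0x40000000u
#define GENERIC_ALL              0x10000000u
#define FILE_ALL_ACCESS    (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FFu)
#define FILE_GENERIC_READ  (READ_CONTROL | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE)
#define FILE_GENERIC_WRITE (READ_CONTROL | FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA | FILE_APPEND_DATA | SYNCHRONIZE)
/* The narrower deny mask from the second answer: no READ_CONTROL, no SYNCHRONIZE. */
#define CUSTOM_WRITE (FILE_WRITE_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA | FILE_APPEND_DATA)

/* Expand GENERIC_* bits into file-specific rights, as the file generic mapping does. */
uint32_t map_file_generic(uint32_t mask) {
    uint32_t out = mask & 0x0FFFFFFFu;          /* drop the generic bits themselves */
    if (mask & GENERIC_READ)  out |= FILE_GENERIC_READ;
    if (mask & GENERIC_WRITE) out |= FILE_GENERIC_WRITE;
    if (mask & GENERIC_ALL)   out |= FILE_ALL_ACCESS;
    return out;
}

typedef struct { int deny; uint32_t mask; } ace_t;  /* all ACEs here name the same trustee */
/* Walk ACEs in order: a deny ACE overlapping a still-needed right fails the check,
 * an allow ACE satisfies the bits it carries. Returns 1 only when nothing is left unmet. */
int dacl_grants(const ace_t *dacl, size_t n, uint32_t requested) {
    uint32_t remaining = map_file_generic(requested);
    for (size_t i = 0; i < n && remaining != 0; i++) {
        uint32_t m = map_file_generic(dacl[i].mask);
        if (dacl[i].deny) { if (m & remaining) return 0; }
        else remaining &= ~m;
    }
    return remaining == 0;
}

/* DACL as SetEntriesInAcl orders it after the question's two calls: explicit deny first,
 * then the FILE_ALL_ACCESS allow. Returns 1 if an open asking for `requested` succeeds. */
int open_granted(uint32_t deny_mask, uint32_t requested) {
    ace_t dacl[2] = { {1, deny_mask}, {0, FILE_ALL_ACCESS} };
    return dacl_grants(dacl, 2, requested);
}
```

With a deny of GENERIC_WRITE or FILE_GENERIC_WRITE, open_granted(..., FILE_GENERIC_READ) returns 0 because READ_CONTROL and SYNCHRONIZE are both denied and both requested; with CUSTOM_WRITE the read open is granted and only the write open is refused.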
