当前位置: 文江博客话题详情

windows下有效的文件权限工具的api

发布于 2024-09-04 20:30:41 字数 406 浏览 6 评论 0原文

从 Windows Server 2003 开始​​,Windows 包含了一个新工具,用于计算用户的有效权限(基本上它解析所有组访问并处理所有“拒绝”权限)。举个例子,用户A属于组B和C。B被拒绝对文件F的读取权限,而C被允许对该文件的读写权限,我想计算用户A拥有的有效权限在文件 F 上。
此工具可在 Windows Server 2003、Vista、7 和 Server 2008 上使用,方法是右键单击文件并转至“属性”->“属性”。安全->高级->有效的权限。

我需要的是 C# 中的 API 来完成相同的工作。最常见的 FILE API 返回访问规则(FileAccessRules 类),但似乎没有直接的方法可以从这些访问规则集计算有效权限。
注意:如果可能的话,我不想在代码中处理有效权限,但我准备这样做作为最后的手段。

原文

Starting from Windows Server 2003, Windows included a new tool which calculates the effective permissions for a user (basically it resolves all groups access and takes care of all "deny" permissions as well). An example in point is that a user A belongs to groups B and C. B has been denied read permissions on a file F, while C has been allowed read and write permissions on the file and I want to calculate the effective permissions user A has on file F.
This tool is available on Windows Server 2003,Vista,7 and Server 2008 by right clicking on a file and going to properties -> security -> advanced -> effective permissions.

What I need is an API in C# which does the same job. The most common FILE API returns access rules (class FileAccessRules), but there seems to be no direct way to calculate effective permissions from these set of access rules.
Note: I do not want to process effective permissions in the code if at all possible, but am ready to do so as a last resort.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

来日方长 2024-09-11 20:30:41

一些快速代码:

using System;
using System.IO;
using System.Collections.Generic;
using System.Text;
using System.Runtime.InteropServices;
using System.Security.AccessControl;


namespace ConsoleApplication1
{
    class Program
    {
        [DllImport("advapi32.dll", SetLastError = true)]
        static extern uint GetEffectiveRightsFromAcl(IntPtr pDacl, ref TRUSTEE pTrustee, ref ACCESS_MASK pAccessRights);

        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto, Pack = 4)]
        struct TRUSTEE
        {
            IntPtr pMultipleTrustee; // must be null
            public int MultipleTrusteeOperation;
            public TRUSTEE_FORM TrusteeForm;
            public TRUSTEE_TYPE TrusteeType;
            [MarshalAs(UnmanagedType.LPStr)]
            public string ptstrName;
        }

        enum TRUSTEE_FORM
        {
            TRUSTEE_IS_SID,
            TRUSTEE_IS_NAME,
            TRUSTEE_BAD_FORM,
            TRUSTEE_IS_OBJECTS_AND_SID,
            TRUSTEE_IS_OBJECTS_AND_NAME
        }

        enum TRUSTEE_TYPE {
          TRUSTEE_IS_UNKNOWN,
          TRUSTEE_IS_USER,
          TRUSTEE_IS_GROUP,
          TRUSTEE_IS_DOMAIN,
          TRUSTEE_IS_ALIAS,
          TRUSTEE_IS_WELL_KNOWN_GROUP,
          TRUSTEE_IS_DELETED,
          TRUSTEE_IS_INVALID,
          TRUSTEE_IS_COMPUTER 
        } 

        [DllImport("advapi32.dll", CharSet = CharSet.Auto)]
        static extern uint GetNamedSecurityInfo(
            string pObjectName,
            SE_OBJECT_TYPE ObjectType,
            SECURITY_INFORMATION SecurityInfo,
            out IntPtr pSidOwner,
            out IntPtr pSidGroup,
            out IntPtr pDacl,
            out IntPtr pSacl,
            out IntPtr pSecurityDescriptor);

        enum ACCESS_MASK : uint
        {
            DELETE = 0x00010000,
            READ_CONTROL = 0x00020000,
            WRITE_DAC = 0x00040000,
            WRITE_OWNER = 0x00080000,
            SYNCHRONIZE = 0x00100000,

            STANDARD_RIGHTS_REQUIRED = 0x000f0000,

            STANDARD_RIGHTS_READ = 0x00020000,
            STANDARD_RIGHTS_WRITE = 0x00020000,
            STANDARD_RIGHTS_EXECUTE = 0x00020000,

            STANDARD_RIGHTS_ALL = 0x001f0000,

            SPECIFIC_RIGHTS_ALL = 0x0000ffff,

            ACCESS_SYSTEM_SECURITY = 0x01000000,

            MAXIMUM_ALLOWED = 0x02000000,

            GENERIC_READ = 0x80000000,
            GENERIC_WRITE = 0x40000000,
            GENERIC_EXECUTE = 0x20000000,
            GENERIC_ALL = 0x10000000,

            DESKTOP_READOBJECTS = 0x00000001,
            DESKTOP_CREATEWINDOW = 0x00000002,
            DESKTOP_CREATEMENU = 0x00000004,
            DESKTOP_HOOKCONTROL = 0x00000008,
            DESKTOP_JOURNALRECORD = 0x00000010,
            DESKTOP_JOURNALPLAYBACK = 0x00000020,
            DESKTOP_ENUMERATE = 0x00000040,
            DESKTOP_WRITEOBJECTS = 0x00000080,
            DESKTOP_SWITCHDESKTOP = 0x00000100,

            WINSTA_ENUMDESKTOPS = 0x00000001,
            WINSTA_READATTRIBUTES = 0x00000002,
            WINSTA_ACCESSCLIPBOARD = 0x00000004,
            WINSTA_CREATEDESKTOP = 0x00000008,
            WINSTA_WRITEATTRIBUTES = 0x00000010,
            WINSTA_ACCESSGLOBALATOMS = 0x00000020,
            WINSTA_EXITWINDOWS = 0x00000040,
            WINSTA_ENUMERATE = 0x00000100,
            WINSTA_READSCREEN = 0x00000200,

            WINSTA_ALL_ACCESS = 0x0000037f
        }

        [Flags]
        enum SECURITY_INFORMATION : uint
        {
            OWNER_SECURITY_INFORMATION = 0x00000001,
            GROUP_SECURITY_INFORMATION = 0x00000002,
            DACL_SECURITY_INFORMATION = 0x00000004,
            SACL_SECURITY_INFORMATION = 0x00000008,
            UNPROTECTED_SACL_SECURITY_INFORMATION = 0x10000000,
            UNPROTECTED_DACL_SECURITY_INFORMATION = 0x20000000,
            PROTECTED_SACL_SECURITY_INFORMATION = 0x40000000,
            PROTECTED_DACL_SECURITY_INFORMATION = 0x80000000
        }

        enum SE_OBJECT_TYPE
        {
            SE_UNKNOWN_OBJECT_TYPE = 0,
            SE_FILE_OBJECT,
            SE_SERVICE,
            SE_PRINTER,
            SE_REGISTRY_KEY,
            SE_LMSHARE,
            SE_KERNEL_OBJECT,
            SE_WINDOW_OBJECT,
            SE_DS_OBJECT,
            SE_DS_OBJECT_ALL,
            SE_PROVIDER_DEFINED_OBJECT,
            SE_WMIGUID_OBJECT,
            SE_REGISTRY_WOW64_32KEY
        }


        static void Main(string[] args)
        {            

        String user = "DOMAIN\\USER";
        String Path = "C:\\";

            IntPtr pSidOwner, pSidGroup, pDacl, pSacl, pSecurityDescriptor;
            ACCESS_MASK mask = new ACCESS_MASK();
            uint ret = GetNamedSecurityInfo(Path, 
                SE_OBJECT_TYPE.SE_FILE_OBJECT, 
                SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
                out pSidOwner, out pSidGroup, out pDacl, out pSacl, out pSecurityDescriptor);

            TRUSTEE t = new TRUSTEE();
            t.TrusteeForm = TRUSTEE_FORM.TRUSTEE_IS_NAME;
            t.TrusteeType= TRUSTEE_TYPE.TRUSTEE_IS_USER;
            t.ptstrName = user;
            ret = GetEffectiveRightsFromAcl(pDacl, ref t , ref mask);

            if ((mask & ACCESS_MASK.READ_CONTROL) == ACCESS_MASK.READ_CONTROL)
            {
                System.Diagnostics.Debug.WriteLine("Read");
            }
            else
            {
                System.Diagnostics.Debug.WriteLine("No Read");
            }

        }
    }
}

Some quick code:

using System;
using System.IO;
using System.Collections.Generic;
using System.Text;
using System.Runtime.InteropServices;
using System.Security.AccessControl;


namespace ConsoleApplication1
{
    class Program
    {
        [DllImport("advapi32.dll", SetLastError = true)]
        static extern uint GetEffectiveRightsFromAcl(IntPtr pDacl, ref TRUSTEE pTrustee, ref ACCESS_MASK pAccessRights);

        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto, Pack = 4)]
        struct TRUSTEE
        {
            IntPtr pMultipleTrustee; // must be null
            public int MultipleTrusteeOperation;
            public TRUSTEE_FORM TrusteeForm;
            public TRUSTEE_TYPE TrusteeType;
            [MarshalAs(UnmanagedType.LPStr)]
            public string ptstrName;
        }

        enum TRUSTEE_FORM
        {
            TRUSTEE_IS_SID,
            TRUSTEE_IS_NAME,
            TRUSTEE_BAD_FORM,
            TRUSTEE_IS_OBJECTS_AND_SID,
            TRUSTEE_IS_OBJECTS_AND_NAME
        }

        enum TRUSTEE_TYPE {
          TRUSTEE_IS_UNKNOWN,
          TRUSTEE_IS_USER,
          TRUSTEE_IS_GROUP,
          TRUSTEE_IS_DOMAIN,
          TRUSTEE_IS_ALIAS,
          TRUSTEE_IS_WELL_KNOWN_GROUP,
          TRUSTEE_IS_DELETED,
          TRUSTEE_IS_INVALID,
          TRUSTEE_IS_COMPUTER 
        } 

        [DllImport("advapi32.dll", CharSet = CharSet.Auto)]
        static extern uint GetNamedSecurityInfo(
            string pObjectName,
            SE_OBJECT_TYPE ObjectType,
            SECURITY_INFORMATION SecurityInfo,
            out IntPtr pSidOwner,
            out IntPtr pSidGroup,
            out IntPtr pDacl,
            out IntPtr pSacl,
            out IntPtr pSecurityDescriptor);

        enum ACCESS_MASK : uint
        {
            DELETE = 0x00010000,
            READ_CONTROL = 0x00020000,
            WRITE_DAC = 0x00040000,
            WRITE_OWNER = 0x00080000,
            SYNCHRONIZE = 0x00100000,

            STANDARD_RIGHTS_REQUIRED = 0x000f0000,

            STANDARD_RIGHTS_READ = 0x00020000,
            STANDARD_RIGHTS_WRITE = 0x00020000,
            STANDARD_RIGHTS_EXECUTE = 0x00020000,

            STANDARD_RIGHTS_ALL = 0x001f0000,

            SPECIFIC_RIGHTS_ALL = 0x0000ffff,

            ACCESS_SYSTEM_SECURITY = 0x01000000,

            MAXIMUM_ALLOWED = 0x02000000,

            GENERIC_READ = 0x80000000,
            GENERIC_WRITE = 0x40000000,
            GENERIC_EXECUTE = 0x20000000,
            GENERIC_ALL = 0x10000000,

            DESKTOP_READOBJECTS = 0x00000001,
            DESKTOP_CREATEWINDOW = 0x00000002,
            DESKTOP_CREATEMENU = 0x00000004,
            DESKTOP_HOOKCONTROL = 0x00000008,
            DESKTOP_JOURNALRECORD = 0x00000010,
            DESKTOP_JOURNALPLAYBACK = 0x00000020,
            DESKTOP_ENUMERATE = 0x00000040,
            DESKTOP_WRITEOBJECTS = 0x00000080,
            DESKTOP_SWITCHDESKTOP = 0x00000100,

            WINSTA_ENUMDESKTOPS = 0x00000001,
            WINSTA_READATTRIBUTES = 0x00000002,
            WINSTA_ACCESSCLIPBOARD = 0x00000004,
            WINSTA_CREATEDESKTOP = 0x00000008,
            WINSTA_WRITEATTRIBUTES = 0x00000010,
            WINSTA_ACCESSGLOBALATOMS = 0x00000020,
            WINSTA_EXITWINDOWS = 0x00000040,
            WINSTA_ENUMERATE = 0x00000100,
            WINSTA_READSCREEN = 0x00000200,

            WINSTA_ALL_ACCESS = 0x0000037f
        }

        [Flags]
        enum SECURITY_INFORMATION : uint
        {
            OWNER_SECURITY_INFORMATION = 0x00000001,
            GROUP_SECURITY_INFORMATION = 0x00000002,
            DACL_SECURITY_INFORMATION = 0x00000004,
            SACL_SECURITY_INFORMATION = 0x00000008,
            UNPROTECTED_SACL_SECURITY_INFORMATION = 0x10000000,
            UNPROTECTED_DACL_SECURITY_INFORMATION = 0x20000000,
            PROTECTED_SACL_SECURITY_INFORMATION = 0x40000000,
            PROTECTED_DACL_SECURITY_INFORMATION = 0x80000000
        }

        enum SE_OBJECT_TYPE
        {
            SE_UNKNOWN_OBJECT_TYPE = 0,
            SE_FILE_OBJECT,
            SE_SERVICE,
            SE_PRINTER,
            SE_REGISTRY_KEY,
            SE_LMSHARE,
            SE_KERNEL_OBJECT,
            SE_WINDOW_OBJECT,
            SE_DS_OBJECT,
            SE_DS_OBJECT_ALL,
            SE_PROVIDER_DEFINED_OBJECT,
            SE_WMIGUID_OBJECT,
            SE_REGISTRY_WOW64_32KEY
        }


        static void Main(string[] args)
        {            

        String user = "DOMAIN\\USER";
        String Path = "C:\\";

            IntPtr pSidOwner, pSidGroup, pDacl, pSacl, pSecurityDescriptor;
            ACCESS_MASK mask = new ACCESS_MASK();
            uint ret = GetNamedSecurityInfo(Path, 
                SE_OBJECT_TYPE.SE_FILE_OBJECT, 
                SECURITY_INFORMATION.DACL_SECURITY_INFORMATION,
                out pSidOwner, out pSidGroup, out pDacl, out pSacl, out pSecurityDescriptor);

            TRUSTEE t = new TRUSTEE();
            t.TrusteeForm = TRUSTEE_FORM.TRUSTEE_IS_NAME;
            t.TrusteeType= TRUSTEE_TYPE.TRUSTEE_IS_USER;
            t.ptstrName = user;
            ret = GetEffectiveRightsFromAcl(pDacl, ref t , ref mask);

            if ((mask & ACCESS_MASK.READ_CONTROL) == ACCESS_MASK.READ_CONTROL)
            {
                System.Diagnostics.Debug.WriteLine("Read");
            }
            else
            {
                System.Diagnostics.Debug.WriteLine("No Read");
            }

        }
    }
}
回复 原文
回忆那么伤 2024-09-11 20:30:41

我在advapi32.dll中发现了一个名为GetEffectiveRightsFromAcl的函数。这似乎正是我一直在寻找的东西。
实际上,有效的权限工具使用AuthzAccessCheck函数。我使用了它,并没有发现性能下降得像我想象的那么严重。 (但是,我被告知 Authz 不包括 Windows 7 及更高版本中可用的“完整性”概念,并且可能会报告错误的结果。)

I found a function called GetEffectiveRightsFromAcl in advapi32.dll. This seems to be exactly what I was looking for.
Actually, the effective permissions tool uses the AuthzAccessCheck function. I used it, and did not find performance degradation by as much as I thought. (However, I am told that Authz does not include the "integrity" concept available in windows 7 and above, and may report wrong results.)

回复 原文
吲‖鸣 2024-09-11 20:30:41

您可以使用Windows提供的Authz API来确定用户对文件/文件夹的有效权限。
请点击以下链接。
https://msdn.microsoft .com/en-us/library/windows/desktop/ff394768(v=vs.85).aspx 还有这个。 https://msdn.microsoft .com/en-us/library/windows/desktop/aa446637(v=vs.85).aspx。我已经在从 Windows Server 2003 开始​​的所有 Windows 版本中尝试过此方法,并获得了相当不错的性能。

You can determine the effective permission of an user over a file/folder by using the Authz API provided by Windows.
Follow the below link.
https://msdn.microsoft.com/en-us/library/windows/desktop/ff394768(v=vs.85).aspx and also this. https://msdn.microsoft.com/en-us/library/windows/desktop/aa446637(v=vs.85).aspx. I have tried this out in all versions of Windows starting from Windows server 2003 and got fairly good performance.

回复 原文
~没有更多了~

关于作者

幽蝶幻影

暂无简介

0 文章
0 评论
24 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

留蓝

文章 0 评论 0

18790681156

文章 0 评论 0

zach7772

文章 0 评论 0

Wini

文章 0 评论 0

ayeshaaroy

文章 0 评论 0

初雪

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文