无法使用 AddAccessAllowedAce 将 ACE 附加到现有 ACL

发布于 2024-11-01 08:09:26 字数 1312 浏览 0 评论 0原文

我使用以下代码从 SD 获取 ACL：

...
PACL pDacl = NULL;
BOOL bDaclPresent = TRUE;
BOOL bDaclDefaulted = FALSE;
if(!GetSecurityDescriptorDacl((PSECURITY_DESCRIPTOR)spSecurityDescriptor.get(),
                                &bDaclPresent,
                                &pDacl,
                                &bDaclDefaulted))
{
    ReportError(TEXT("Failed to call GetSecurityDescriptorDacl."));
    ...
}

然后我使用 AddAccessAllowedAce 附加新的 ACE：

if(!AddAccessAllowedAce(pDacl,
                        ACL_REVISION,
                        MQSEC_QUEUE_GENERIC_ALL,
                        pAnnySid))
{
    dwErrCode = GetLastError();
    ReportError(dwErrCode);
    ReportError(TEXT("Failed to call AddAccessAllowedAce."));
    ...
}

我收到错误 1344，“没有更多内存可用于安全信息更新”。

然后我尝试增加 PACL 缓冲区的大小并更改 PACL 标头信息。但我仍然收到错误 1336“访问控制列表 (ACL) 结构无效。”

谁能给我一个有效的示例代码来执行此操作？

MSDN 在这里提供了 AddAccessAllowedAce 的示例： http://msdn.microsoft.com/en -us/library/ms707085%28v=vs.85%29.aspx 但它即将创建一个全新的 ACL，而不是同样的情况。

我什至想从旧的 ACL 中“GetAce”，然后将“AddAce”添加到新的 ACL，最后我附加自己的新 ACE。但看起来“AddAce”需要一个参数“nAceListLength”；我不知道如何从 ACE 获取这个值。

有什么想法吗？

原文

I use following code to get an ACL from SD:

...
PACL pDacl = NULL;
BOOL bDaclPresent = TRUE;
BOOL bDaclDefaulted = FALSE;
if(!GetSecurityDescriptorDacl((PSECURITY_DESCRIPTOR)spSecurityDescriptor.get(),
                                &bDaclPresent,
                                &pDacl,
                                &bDaclDefaulted))
{
    ReportError(TEXT("Failed to call GetSecurityDescriptorDacl."));
    ...
}

Then I use AddAccessAllowedAce to append a new ACE:

if(!AddAccessAllowedAce(pDacl,
                        ACL_REVISION,
                        MQSEC_QUEUE_GENERIC_ALL,
                        pAnnySid))
{
    dwErrCode = GetLastError();
    ReportError(dwErrCode);
    ReportError(TEXT("Failed to call AddAccessAllowedAce."));
    ...
}

I got an error 1344 that "No more memory is available for security information updates."

Then I tried to increase the size of PACL buffer and changed the PACL header information.
But I still got an error 1336 "The access control list (ACL) structure is invalid."

Could anyone give me a working sample code to do this?

MSDN privided an sample of AddAccessAllowedAce here:
http://msdn.microsoft.com/en-us/library/ms707085%28v=vs.85%29.aspx
But it's about to create a brand new ACL, not the same case.

I even think to 'GetAce' from old ACL then 'AddAce' to a new ACL, in the end I append my own new ACE.
But looks like 'AddAce' need a parameter 'nAceListLength'; and I don't know how to get this value from ACE.

Any ideas?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

行至春深 2024-11-08 08:09:26

GetSecurityDescriptorDacl() 只是为您提供一个指向 SECURITY_DESCRIPTOR 缓冲区中已存在的 DACL 的指针。如果您想向其中添加一些内容，您需要分配一个更大的缓冲区，复制现有的 DACL，然后添加新的 ACE。您需要执行类似以下操作（伪代码来自我的脑海；可能有错误）：

PACL pOldDacl = GetSecurityDescriptorDacl(pSecurityDescriptor);
DWORD cbOldSize = GetAclInformation(pOldDacl, ACL_SIZE_INFORMATION);
DWORD cbNewSize = cbOldSize + sizeof(ACE that you want to add);
PACL pNewDacl = alloc(cbNewSize);
InitializeAcl(pNewDacl, cbNewSize);
for each pAce in pOldDacl // GetAce(pOldDacl)
    AddAce(pNewDacl, pAce);
AddAce(pNewDacl, the ACE that you want to add); // or use specialized functions like AddAccessAllowedAce, etc
SetSecurityDescriptorDacl(pSecurityDescriptor, pNewDacl);

Microsoft KB 有一个文章。

GetSecurityDescriptorDacl() just gives you a pointer to the DACL that is already present in the SECURITY_DESCRIPTOR buffer. If you want to add something to it you need to allocate a larger buffer, copy the existing DACL, then add the new ACE. You need to do something like the following (pseudo-code off the top of my head; may have errors):

PACL pOldDacl = GetSecurityDescriptorDacl(pSecurityDescriptor);
DWORD cbOldSize = GetAclInformation(pOldDacl, ACL_SIZE_INFORMATION);
DWORD cbNewSize = cbOldSize + sizeof(ACE that you want to add);
PACL pNewDacl = alloc(cbNewSize);
InitializeAcl(pNewDacl, cbNewSize);
for each pAce in pOldDacl // GetAce(pOldDacl)
    AddAce(pNewDacl, pAce);
AddAce(pNewDacl, the ACE that you want to add); // or use specialized functions like AddAccessAllowedAce, etc
SetSecurityDescriptorDacl(pSecurityDescriptor, pNewDacl);

Microsoft KB has an article.

回复收藏 0 原文

~没有更多了~