Unable to append an ACE to an existing ACL using AddAccessAllowedAce

Posted on 2024-11-01 08:09:26

I use the following code to get an ACL from the SD:

...
PACL pDacl = NULL;
BOOL bDaclPresent = TRUE;
BOOL bDaclDefaulted = FALSE;
if(!GetSecurityDescriptorDacl((PSECURITY_DESCRIPTOR)spSecurityDescriptor.get(),
                                &bDaclPresent,
                                &pDacl,
                                &bDaclDefaulted))
{
    ReportError(TEXT("Failed to call GetSecurityDescriptorDacl."));
    ...
}

Then I use AddAccessAllowedAce to append a new ACE:

if(!AddAccessAllowedAce(pDacl,
                        ACL_REVISION,
                        MQSEC_QUEUE_GENERIC_ALL,
                        pAnnySid))
{
    dwErrCode = GetLastError();
    ReportError(dwErrCode);
    ReportError(TEXT("Failed to call AddAccessAllowedAce."));
    ...
}

I got error 1344, "No more memory is available for security information updates."

Then I tried to increase the size of the PACL buffer and changed the PACL header information.
But I still got error 1336, "The access control list (ACL) structure is invalid."

Could anyone give me a working sample code to do this?

MSDN provided a sample of AddAccessAllowedAce here:
http://msdn.microsoft.com/en-us/library/ms707085%28v=vs.85%29.aspx
But it's about creating a brand new ACL, which is not the same case.

I even thought of using 'GetAce' on the old ACL and then 'AddAce' to a new ACL, and in the end appending my own new ACE.
But it looks like 'AddAce' needs a parameter 'nAceListLength', and I don't know how to get this value from an ACE.

Any ideas?

Comments (1)

行至春深 2024-11-08 08:09:26

GetSecurityDescriptorDacl() just gives you a pointer to the DACL that is already present in the SECURITY_DESCRIPTOR buffer. If you want to add something to it you need to allocate a larger buffer, copy the existing DACL, then add the new ACE. You need to do something like the following (pseudo-code off the top of my head; may have errors):

PACL pOldDacl = GetSecurityDescriptorDacl(pSecurityDescriptor);
DWORD cbOldSize = GetAclInformation(pOldDacl, ACL_SIZE_INFORMATION);
DWORD cbNewSize = cbOldSize + sizeof(ACE that you want to add);
PACL pNewDacl = alloc(cbNewSize);
InitializeAcl(pNewDacl, cbNewSize);
for each pAce in pOldDacl // GetAce(pOldDacl)
    AddAce(pNewDacl, pAce);
AddAce(pNewDacl, the ACE that you want to add); // or use specialized functions like AddAccessAllowedAce, etc
SetSecurityDescriptorDacl(pSecurityDescriptor, pNewDacl);

Microsoft KB has an article.
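
An added example, not part of the original answer: a portable C model of the ACL byte layout that follows the answer's recipe and shows that an in-place append fails when AclSize has no slack (the error 1344 case) and that a single ACE's nAceListLength is its header's AceSize. The structures are redeclared here so it compiles without windows.h, and the function names are assumptions of this example; on Windows the corresponding calls are GetAclInformation, InitializeAcl, GetAce, AddAce and AddAccessAllowedAce.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed mirrors of the Win32 ACL, ACE_HEADER and ACCESS_ALLOWED_ACE layouts. */
typedef struct { uint8_t AclRevision, Sbz1; uint16_t AclSize, AceCount, Sbz2; } ACL_HDR;
typedef struct { uint8_t AceType, AceFlags; uint16_t AceSize; } ACE_HDR;
typedef struct { ACE_HDR Header; uint32_t Mask; /* SID bytes follow */ } ALLOWED_ACE;

/* A binary SID is 8 fixed bytes plus 4 per sub-authority; byte 1 holds the count. */
static size_t sid_len(const uint8_t *sid) { return 8 + 4u * sid[1]; }

/* Model of InitializeAcl: an empty ACL whose AclSize covers the whole buffer. */
ACL_HDR *acl_new(uint16_t size) {
    ACL_HDR *acl = size >= sizeof(ACL_HDR) ? calloc(1, size) : NULL;
    if (acl) { acl->AclRevision = 2; acl->AclSize = size; }
    return acl;
}

/* Header plus each ACE's AceSize (AclBytesInUse). Assumes a well-formed ACL. */
size_t acl_bytes_in_use(const ACL_HDR *acl) {
    size_t used = sizeof *acl;
    for (uint16_t i = 0; i < acl->AceCount; i++)  /* AceSize = one ACE's nAceListLength */
        used += ((const ACE_HDR *)((const uint8_t *)acl + used))->AceSize;
    return used;
}

/* Model of AddAccessAllowedAce: returns 0 when AclSize leaves no room (error 1344). */
int acl_add_allowed(ACL_HDR *acl, uint32_t mask, const uint8_t *sid) {
    size_t used = acl_bytes_in_use(acl), need = sizeof(ALLOWED_ACE) + sid_len(sid);
    if (used + need > acl->AclSize) return 0;
    ALLOWED_ACE *ace = (ALLOWED_ACE *)((uint8_t *)acl + used);
    ace->Header = (ACE_HDR){0 /* access-allowed type */, 0, (uint16_t)need};
    ace->Mask = mask;
    memcpy(ace + 1, sid, sid_len(sid));
    acl->AceCount++;
    return 1;
}

/* The answer's recipe: size = bytes in use + new ACE, copy the old ACEs, append. */
ACL_HDR *acl_copy_and_add(const ACL_HDR *old, uint32_t mask, const uint8_t *sid) {
    size_t used = acl_bytes_in_use(old), total = used + sizeof(ALLOWED_ACE) + sid_len(sid);
    ACL_HDR *grown = total <= UINT16_MAX ? acl_new((uint16_t)total) : NULL;
    if (!grown) return NULL;
    memcpy(grown + 1, old + 1, used - sizeof *old);
    grown->AceCount = old->AceCount;
    if (!acl_add_allowed(grown, mask, sid)) { free(grown); return NULL; }
    return grown;
}
```

On an ACL whose AclSize equals its bytes in use, acl_add_allowed returns 0, while acl_copy_and_add returns a new ACL with AceCount one higher and leaves the original untouched. The real-API size for the new ACE is sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(pSid), which is the same 8 bytes plus the SID length computed here.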
