chaehorim
Hello, everyone.
I wrote a program that grants or denies a user access rights on a folder and its files.
It works on Windows Server 2003, but not on Windows XP.
I really have no idea what the problem is.
I would expect Windows XP and Windows Server 2003 to handle ACLs in the same way.
The main function, AddAceToObjectsSecurityDescriptor, is taken from MSDN.
/*
 * Merge one ACE for pszTrustee into the DACL of the named object.
 * Returns ERROR_SUCCESS, or the Win32 error code of the failing
 * GetNamedSecurityInfo / SetEntriesInAcl / SetNamedSecurityInfo call
 * (ERROR_INVALID_PARAMETER when pszObjName is NULL).
 */
DWORD AddAceToObjectsSecurityDescriptor(LPTSTR pszObjName,         /* name of object */
                                        SE_OBJECT_TYPE ObjectType, /* type of object */
                                        LPTSTR pszTrustee,         /* trustee for new ACE */
                                        TRUSTEE_FORM TrusteeForm,  /* format of trustee structure */
                                        DWORD dwAccessRights,      /* access mask for new ACE */
                                        ACCESS_MODE AccessMode,    /* type of ACE */
                                        DWORD dwInheritance);      /* inheritance flags for new ACE */
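/* Access bits a read-only trustee must not hold. Listed explicitly rather than
 * as FILE_GENERIC_WRITE, because FILE_GENERIC_WRITE also carries SYNCHRONIZE
 * and READ_CONTROL, and denying those would break read opens as well. */
#define READ_ONLY_DENY_MASK (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | \
                             FILE_WRITE_ATTRIBUTES | FILE_DELETE_CHILD | DELETE | \
                             WRITE_DAC | WRITE_OWNER)

/*
 * Apply one ACE for sid to objName (a file-system object; the ACE is marked
 * to be inherited by sub-containers and objects) and report failure.
 * Returns 1 on success, 0 after printing the mode, mask and Win32 error code
 * of the failing call.
 */
static int apply_ace(LPTSTR objName, PSID sid, DWORD mask, ACCESS_MODE mode)
{
    DWORD rc = AddAceToObjectsSecurityDescriptor(objName, SE_FILE_OBJECT,
                                                 (LPTSTR)sid, TRUSTEE_IS_SID,
                                                 mask, mode,
                                                 SUB_CONTAINERS_AND_OBJECTS_INHERIT);
    if (rc != ERROR_SUCCESS) {
        printf("ACE (mode %d, mask 0x%08lx) not applied: error %lu\n",
               (int)mode, (unsigned long)mask, (unsigned long)rc);
        return 0;
    }
    return 1;
}

/*
 * Demo driver: apply one of three access levels (READ / FULL / NONE) for the
 * trustee "wonder" to the file-system object "abc".
 *
 * READ, FULL and NONE are not defined in this listing; access_right is compared
 * against them, so they are assumed to be integer constants declared elsewhere.
 * GetSid is also defined elsewhere and is assumed to return NULL on failure.
 *
 * Changes relative to the original:
 *  - main returns int and every AddAceToObjectsSecurityDescriptor result is
 *    checked; the original discarded them and kept issuing calls on the same
 *    object after a failure, so the exit status said nothing about success.
 *  - READ no longer allows GENERIC_ALL. Allowing GENERIC_ALL and then denying
 *    only FILE_WRITE_DATA / FILE_APPEND_DATA / FILE_WRITE_EA /
 *    FILE_WRITE_ATTRIBUTES still leaves DELETE, FILE_DELETE_CHILD, WRITE_DAC
 *    and WRITE_OWNER granted, so a "read-only" user could delete the object or
 *    rewrite its DACL and remove the deny entries. READ now allows
 *    GENERIC_READ | GENERIC_EXECUTE and denies the whole write/delete/DAC/owner
 *    set in a single ACE (one round trip instead of four).
 *
 * Returns 0 when every ACE was applied, 1 otherwise.
 */
int main(int argc, char *argv[])
{
    LPTSTR pszObjName = "abc";  /* relative path: resolved against the current directory */
    PSID PUser;
    int access_right = 1;       /* hard-coded selector, compared against READ / FULL / NONE */
    int ok;

    (void)argc;
    (void)argv;

    PUser = GetSid(_T("wonder"));
    if (PUser == NULL) {
        printf("GetSid failed for the trustee\n");
        return 1;
    }

    if (access_right == READ) {
        /* SET_ACCESS first: SetEntriesInAcl documents it as discarding the
         * trustee's existing entries, so the deny ACE must be added after it.
         * The explicit deny also blocks write rights the user might otherwise
         * receive through a group's allow ACE. */
        ok = apply_ace(pszObjName, PUser, GENERIC_READ | GENERIC_EXECUTE, SET_ACCESS)
          && apply_ace(pszObjName, PUser, READ_ONLY_DENY_MASK, DENY_ACCESS);
    }
    else if (access_right == FULL) {
        ok = apply_ace(pszObjName, PUser, GENERIC_ALL, SET_ACCESS);
    }
    else if (access_right == NONE) {
        /* Drop the trustee's existing allow entries, then deny everything. */
        ok = apply_ace(pszObjName, PUser, GENERIC_ALL, REVOKE_ACCESS)
          && apply_ace(pszObjName, PUser, GENERIC_ALL, DENY_ACCESS);
    }
    else {
        printf("WRONG INPUT right");
        ok = 0;
    }

    return ok ? 0 : 1;
}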
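/*
 * Merge one ACE for pszTrustee into the DACL of the named object
 * (adapted from the MSDN "Modifying the ACLs of an Object" sample).
 *
 * pszObjName      name of the object (for SE_FILE_OBJECT a path; a relative
 *                 path is resolved against the current directory)
 * ObjectType      SE_OBJECT_TYPE of the object
 * pszTrustee      trustee name, or a PSID cast to LPTSTR when TrusteeForm is
 *                 TRUSTEE_IS_SID
 * TrusteeForm     how pszTrustee is to be interpreted
 * dwAccessRights  access mask for the new ACE
 * AccessMode      SET_ACCESS, GRANT_ACCESS, DENY_ACCESS, REVOKE_ACCESS, ...
 * dwInheritance   inheritance flags for the new ACE
 *                 (e.g. SUB_CONTAINERS_AND_OBJECTS_INHERIT or NO_INHERITANCE)
 *
 * Returns ERROR_SUCCESS, ERROR_INVALID_PARAMETER for a NULL object name, or
 * the Win32 error code of the first failing security call; that error is also
 * printed to stdout together with the name of the failing call, so the caller
 * should still check the return value rather than assume success.
 *
 * Only DACL_SECURITY_INFORMATION is read and written: owner, group, SACL and
 * the DACL's protection (inheritance) flag are left untouched.
 *
 * Fixes relative to the original: the parameter list contained a bare
 * "(SUB_CONTAINERS_AND_OBJECTS_INHERIT, NO_INHERITANCE)" line outside any
 * comment, which does not compile; the DWORD error codes are now printed with
 * %lu instead of %u.
 */
DWORD AddAceToObjectsSecurityDescriptor(LPTSTR pszObjName,
                                        SE_OBJECT_TYPE ObjectType,
                                        LPTSTR pszTrustee,
                                        TRUSTEE_FORM TrusteeForm,
                                        DWORD dwAccessRights,
                                        ACCESS_MODE AccessMode,
                                        DWORD dwInheritance)
{
    DWORD dwRes = ERROR_SUCCESS;
    PACL pOldDACL = NULL;
    PACL pNewDACL = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    EXPLICIT_ACCESS ea;

    if (pszObjName == NULL)
        return ERROR_INVALID_PARAMETER;

    /* Fetch the current DACL. pOldDACL points into the descriptor returned in
     * pSD, so pSD must stay allocated until SetEntriesInAcl has consumed it. */
    dwRes = GetNamedSecurityInfo(pszObjName, ObjectType, DACL_SECURITY_INFORMATION,
                                 NULL, NULL, &pOldDACL, NULL, &pSD);
    if (dwRes != ERROR_SUCCESS) {
        printf("GetNamedSecurityInfo Error %lu\n", (unsigned long)dwRes);
        goto Cleanup;
    }

    /* Describe the new ACE. */
    ZeroMemory(&ea, sizeof(ea));
    ea.grfAccessPermissions = dwAccessRights;
    ea.grfAccessMode = AccessMode;
    ea.grfInheritance = dwInheritance;
    ea.Trustee.TrusteeForm = TrusteeForm;
    ea.Trustee.ptstrName = pszTrustee;

    /* Merge it with the existing DACL into a freshly allocated ACL. */
    dwRes = SetEntriesInAcl(1, &ea, pOldDACL, &pNewDACL);
    if (dwRes != ERROR_SUCCESS) {
        printf("SetEntriesInAcl Error %lu\n", (unsigned long)dwRes);
        goto Cleanup;
    }

    /* Write the merged DACL back; only the DACL field of the object changes. */
    dwRes = SetNamedSecurityInfo(pszObjName, ObjectType, DACL_SECURITY_INFORMATION,
                                 NULL, NULL, pNewDACL, NULL);
    if (dwRes != ERROR_SUCCESS)
        printf("SetNamedSecurityInfo Error %lu\n", (unsigned long)dwRes);

Cleanup:
    if (pSD != NULL)
        LocalFree((HLOCAL)pSD);
    if (pNewDACL != NULL)
        LocalFree((HLOCAL)pNewDACL);
    return dwRes;
}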
Can anyone tell me which part of the code has the problem?
I would appreciate any idea or opinion on solving it.
Thanks.
Chaehorim
Software Engineering Lab
ChungNam National University
I wrote a program that grants or denies a user access rights on a folder and its files.
It works on Windows Server 2003, but not on Windows XP.
I really have no idea what the problem is.
I would expect Windows XP and Windows Server 2003 to handle ACLs in the same way.
The main function, AddAceToObjectsSecurityDescriptor, is taken from MSDN.
/*
 * Merge one ACE for pszTrustee into the DACL of the named object.
 * Returns ERROR_SUCCESS, or the Win32 error code of the failing
 * GetNamedSecurityInfo / SetEntriesInAcl / SetNamedSecurityInfo call
 * (ERROR_INVALID_PARAMETER when pszObjName is NULL).
 */
DWORD AddAceToObjectsSecurityDescriptor(LPTSTR pszObjName,         /* name of object */
                                        SE_OBJECT_TYPE ObjectType, /* type of object */
                                        LPTSTR pszTrustee,         /* trustee for new ACE */
                                        TRUSTEE_FORM TrusteeForm,  /* format of trustee structure */
                                        DWORD dwAccessRights,      /* access mask for new ACE */
                                        ACCESS_MODE AccessMode,    /* type of ACE */
                                        DWORD dwInheritance);      /* inheritance flags for new ACE */
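/* Access bits a read-only trustee must not hold. Listed explicitly rather than
 * as FILE_GENERIC_WRITE, because FILE_GENERIC_WRITE also carries SYNCHRONIZE
 * and READ_CONTROL, and denying those would break read opens as well. */
#define READ_ONLY_DENY_MASK (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | \
                             FILE_WRITE_ATTRIBUTES | FILE_DELETE_CHILD | DELETE | \
                             WRITE_DAC | WRITE_OWNER)

/*
 * Apply one ACE for sid to objName (a file-system object; the ACE is marked
 * to be inherited by sub-containers and objects) and report failure.
 * Returns 1 on success, 0 after printing the mode, mask and Win32 error code
 * of the failing call.
 */
static int apply_ace(LPTSTR objName, PSID sid, DWORD mask, ACCESS_MODE mode)
{
    DWORD rc = AddAceToObjectsSecurityDescriptor(objName, SE_FILE_OBJECT,
                                                 (LPTSTR)sid, TRUSTEE_IS_SID,
                                                 mask, mode,
                                                 SUB_CONTAINERS_AND_OBJECTS_INHERIT);
    if (rc != ERROR_SUCCESS) {
        printf("ACE (mode %d, mask 0x%08lx) not applied: error %lu\n",
               (int)mode, (unsigned long)mask, (unsigned long)rc);
        return 0;
    }
    return 1;
}

/*
 * Demo driver: apply one of three access levels (READ / FULL / NONE) for the
 * trustee "wonder" to the file-system object "abc".
 *
 * READ, FULL and NONE are not defined in this listing; access_right is compared
 * against them, so they are assumed to be integer constants declared elsewhere.
 * GetSid is also defined elsewhere and is assumed to return NULL on failure.
 *
 * Changes relative to the original:
 *  - main returns int and every AddAceToObjectsSecurityDescriptor result is
 *    checked; the original discarded them and kept issuing calls on the same
 *    object after a failure, so the exit status said nothing about success.
 *  - READ no longer allows GENERIC_ALL. Allowing GENERIC_ALL and then denying
 *    only FILE_WRITE_DATA / FILE_APPEND_DATA / FILE_WRITE_EA /
 *    FILE_WRITE_ATTRIBUTES still leaves DELETE, FILE_DELETE_CHILD, WRITE_DAC
 *    and WRITE_OWNER granted, so a "read-only" user could delete the object or
 *    rewrite its DACL and remove the deny entries. READ now allows
 *    GENERIC_READ | GENERIC_EXECUTE and denies the whole write/delete/DAC/owner
 *    set in a single ACE (one round trip instead of four).
 *
 * Returns 0 when every ACE was applied, 1 otherwise.
 */
int main(int argc, char *argv[])
{
    LPTSTR pszObjName = "abc";  /* relative path: resolved against the current directory */
    PSID PUser;
    int access_right = 1;       /* hard-coded selector, compared against READ / FULL / NONE */
    int ok;

    (void)argc;
    (void)argv;

    PUser = GetSid(_T("wonder"));
    if (PUser == NULL) {
        printf("GetSid failed for the trustee\n");
        return 1;
    }

    if (access_right == READ) {
        /* SET_ACCESS first: SetEntriesInAcl documents it as discarding the
         * trustee's existing entries, so the deny ACE must be added after it.
         * The explicit deny also blocks write rights the user might otherwise
         * receive through a group's allow ACE. */
        ok = apply_ace(pszObjName, PUser, GENERIC_READ | GENERIC_EXECUTE, SET_ACCESS)
          && apply_ace(pszObjName, PUser, READ_ONLY_DENY_MASK, DENY_ACCESS);
    }
    else if (access_right == FULL) {
        ok = apply_ace(pszObjName, PUser, GENERIC_ALL, SET_ACCESS);
    }
    else if (access_right == NONE) {
        /* Drop the trustee's existing allow entries, then deny everything. */
        ok = apply_ace(pszObjName, PUser, GENERIC_ALL, REVOKE_ACCESS)
          && apply_ace(pszObjName, PUser, GENERIC_ALL, DENY_ACCESS);
    }
    else {
        printf("WRONG INPUT right");
        ok = 0;
    }

    return ok ? 0 : 1;
}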
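/*
 * Merge one ACE for pszTrustee into the DACL of the named object
 * (adapted from the MSDN "Modifying the ACLs of an Object" sample).
 *
 * pszObjName      name of the object (for SE_FILE_OBJECT a path; a relative
 *                 path is resolved against the current directory)
 * ObjectType      SE_OBJECT_TYPE of the object
 * pszTrustee      trustee name, or a PSID cast to LPTSTR when TrusteeForm is
 *                 TRUSTEE_IS_SID
 * TrusteeForm     how pszTrustee is to be interpreted
 * dwAccessRights  access mask for the new ACE
 * AccessMode      SET_ACCESS, GRANT_ACCESS, DENY_ACCESS, REVOKE_ACCESS, ...
 * dwInheritance   inheritance flags for the new ACE
 *                 (e.g. SUB_CONTAINERS_AND_OBJECTS_INHERIT or NO_INHERITANCE)
 *
 * Returns ERROR_SUCCESS, ERROR_INVALID_PARAMETER for a NULL object name, or
 * the Win32 error code of the first failing security call; that error is also
 * printed to stdout together with the name of the failing call, so the caller
 * should still check the return value rather than assume success.
 *
 * Only DACL_SECURITY_INFORMATION is read and written: owner, group, SACL and
 * the DACL's protection (inheritance) flag are left untouched.
 *
 * Fixes relative to the original: the parameter list contained a bare
 * "(SUB_CONTAINERS_AND_OBJECTS_INHERIT, NO_INHERITANCE)" line outside any
 * comment, which does not compile; the DWORD error codes are now printed with
 * %lu instead of %u.
 */
DWORD AddAceToObjectsSecurityDescriptor(LPTSTR pszObjName,
                                        SE_OBJECT_TYPE ObjectType,
                                        LPTSTR pszTrustee,
                                        TRUSTEE_FORM TrusteeForm,
                                        DWORD dwAccessRights,
                                        ACCESS_MODE AccessMode,
                                        DWORD dwInheritance)
{
    DWORD dwRes = ERROR_SUCCESS;
    PACL pOldDACL = NULL;
    PACL pNewDACL = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    EXPLICIT_ACCESS ea;

    if (pszObjName == NULL)
        return ERROR_INVALID_PARAMETER;

    /* Fetch the current DACL. pOldDACL points into the descriptor returned in
     * pSD, so pSD must stay allocated until SetEntriesInAcl has consumed it. */
    dwRes = GetNamedSecurityInfo(pszObjName, ObjectType, DACL_SECURITY_INFORMATION,
                                 NULL, NULL, &pOldDACL, NULL, &pSD);
    if (dwRes != ERROR_SUCCESS) {
        printf("GetNamedSecurityInfo Error %lu\n", (unsigned long)dwRes);
        goto Cleanup;
    }

    /* Describe the new ACE. */
    ZeroMemory(&ea, sizeof(ea));
    ea.grfAccessPermissions = dwAccessRights;
    ea.grfAccessMode = AccessMode;
    ea.grfInheritance = dwInheritance;
    ea.Trustee.TrusteeForm = TrusteeForm;
    ea.Trustee.ptstrName = pszTrustee;

    /* Merge it with the existing DACL into a freshly allocated ACL. */
    dwRes = SetEntriesInAcl(1, &ea, pOldDACL, &pNewDACL);
    if (dwRes != ERROR_SUCCESS) {
        printf("SetEntriesInAcl Error %lu\n", (unsigned long)dwRes);
        goto Cleanup;
    }

    /* Write the merged DACL back; only the DACL field of the object changes. */
    dwRes = SetNamedSecurityInfo(pszObjName, ObjectType, DACL_SECURITY_INFORMATION,
                                 NULL, NULL, pNewDACL, NULL);
    if (dwRes != ERROR_SUCCESS)
        printf("SetNamedSecurityInfo Error %lu\n", (unsigned long)dwRes);

Cleanup:
    if (pSD != NULL)
        LocalFree((HLOCAL)pSD);
    if (pNewDACL != NULL)
        LocalFree((HLOCAL)pNewDACL);
    return dwRes;
}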
Can anyone tell me which part of the code has the problem?
I would appreciate any idea or opinion on solving it.
Thanks.
Chaehorim
Software Engineering Lab
ChungNam National University