// // Step 14: Add the access-allowed ACE for the requested user to the new DACL. // The preceding loop copied every non-inherited ACE whose SID belongs to some other user; the first thing to do after leaving that loop is to append the ACE we were asked to add. // AddAccessAllowedAceEx is exported only from Windows 2000 onward (NT does not have it), so it is resolved at run time with GetProcAddress, and plain AddAccessAllowedAce is used as the fallback when the lookup fails. Resolving it dynamically rather than importing it statically means the program still starts on a system that lacks the export instead of failing in the loader. // The Ex version takes an extra AceFlags argument (the third parameter) that fills in the ACE_HEADER, so the ACE we add can be inherited by sub-objects (CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE below). AddAccessAllowedAce offers no such control and always writes a non-inheritable ACE_HEADER, so on a system without the Ex export the grant applies to this object only and is not propagated. // Security note: the inheritance flags widen the grant to everything created beneath a directory; confirm that propagation is intended before applying this to a directory tree, since the two code paths (Ex vs. fallback) produce different effective permissions.
// _AddAccessAllowedAceEx = (AddAccessAllowedAceExFnPtr) GetProcAddress (GetModuleHandle (TEXT ( "advapi32.dll")), "AddAccessAllowedAceEx"); if (_AddAccessAllowedAceEx) {if (! _AddAccessAllowedAceEx (pNewACL, ACL_REVISION2, CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE, dwAccessMask, pUserSID)) { _tprintf (TEXT ( "AddAccessAllowedAceEx () failed Error% d / n."), GetLastError ()); __leave; (! AddAccessAllowedAce (pNewACL, ACL_REVISION2, dwAccessMask, pUserSID))}} else {if {_tprintf (TEXT ( "AddAccessAllowedAce () failed. Error% D / N "), getLastError ()); __leave;}} // // Step 15: ACE // if (fdaclpresent &&" inherited from the parent catalog according to the order of the existing ACE Aclinfo.acecount) {for (; currentAcEndex
}}} // // STEP 18: Set the new ACL to the new SD // if (! SetsecurityDescriptordacl (& newsd, true, pnewacl, false) {_tprintf (text ("setsecurityDescriptordApal () failed. Error% d / N "), getLastError ()); __leave;} // // Step 19: Copy the control tag in the old SD to the new SD, we use a API function called // setsecurityDescriptorControl () This function is only existing in the version of // Windows 2000, so we still have to dynamically load it from Advapi32.dll //. If the system does not support this function, then the old SD control is not copied. Labeled.
// _SetSecurityDescriptorControl = (SetSecurityDescriptorControlFnPtr) GetProcAddress (GetModuleHandle (TEXT ( "advapi32.dll")), "SetSecurityDescriptorControl"); if (_SetSecurityDescriptorControl) {SECURITY_DESCRIPTOR_CONTROL controlBitsOfInterest = 0; SECURITY_DESCRIPTOR_CONTROL controlBitsToSet = 0; SECURITY_DESCRIPTOR_CONTROL oldControlBits = 0; DWORD dwRevision = 0 ; (! GetSecurityDescriptorControl (pFileSD, & oldControlBits, & dwRevision)) if {_tprintf (TEXT ( ". GetSecurityDescriptorControl () failed") TEXT ( "Error% d / n"), GetLastError ()); __leave;} if (oldControlBits & SE_DACL_AUTO_INHERITED ) {ControlBitsOfinterest = SE_DACL_AUTO_INHERIT_REQ | SE_DACL_AUTO_INHERITED; ControlBitStoset = ControlBitsofinterest;} else} {ControlBits & SE_DACL_PROTECTED {ControlBitsofinter est = SE_DACL_PROTECTED; controlBitsToSet = controlBitsOfInterest; (! _SetSecurityDescriptorControl (& newSD, controlBitsOfInterest, controlBitsToSet))} if (controlBitsOfInterest) {if {_tprintf (TEXT ( "SetSecurityDescriptorControl () failed.") TEXT ( "Error% d / n"), GetLastError ()); __leave;}}} // // Step 20: Set the new SD settings to the security properties of the file (Qian Mountain Water, finally arrived) // if (!! SetfileSecurity (lpszfilename, secinfo, & newsd) {_tprintf (Text ("
SetFileSecurity () Failed. Error% D / N "), getLastError ()); __leave;} Fresult = true;} __finally {/// step 21: Release the allocated memory, so as to avoid Memory Leak // IF (PUSERSID) myheapfree (pUserSID); if (szDomain) myheapfree (szDomain); if (pFileSD) myheapfree (pFileSD); if (pNewACL) myheapfree (pNewACL);} return fResult;} int _tmain (int argc, TCHAR * argv []) { IF (Argc <3) {_tprintf (Text ("Usage: /"% S / "
The example above should show how NTFS file security attributes are manipulated; a few related API functions are worth introducing as well.
1. To add an access-denied ACE, use AddAccessDeniedAce (AddAccessDeniedAceEx when you need inheritance flags). Note that in a canonical DACL, explicit access-denied ACEs must precede explicit access-allowed ACEs, so insert the deny entry ahead of the allow entries rather than appending it at the end; otherwise the deny may never be evaluated.
2. To delete an ACE, use DeleteAce with the index of the ACE to remove.
3. To check that an ACL you built is valid, use IsValidAcl; likewise IsValidSecurityDescriptor checks a security descriptor. Both only verify structure (revision, sizes, ACE headers) — they do not verify that the ACEs are in canonical order or that the descriptor grants what you intended, so they are not a substitute for reviewing the resulting permissions.
4. MakeAbsoluteSD and MakeSelfRelativeSD convert a security descriptor between its two formats (absolute and self-relative). Functions that attach an ACL pointer, such as SetSecurityDescriptorDacl used in Step 18, require an absolute SD.
5. SetSecurityDescriptorDacl and SetSecurityDescriptorSacl attach an ACL to a security descriptor as its DACL or SACL.
6. GetSecurityDescriptorDacl and GetSecurityDescriptorSacl retrieve the DACL or SACL from a security descriptor.
Win32 groups these SD/ACL/ACE-related functions under the heading "Low-Level Security Descriptor Functions"; the details are documented in MSDN.
My MSN address is haoel@hotmail.com and my column is at http://www.cbs.net/develop/author/netauthor/haoel/ — everyone is welcome to get in touch.
(All rights reserved. When reproducing this article, please credit the source and author.)