Manipulate NTFS file permissions in a program
Chen Hao
Windows NT / 2K / XP version of the operating system supports file systems in NTFS format, which is a security-friendly file system that you can set users access to each directory and file via Windows Explorer. Here I will not tell the security of NTFS, I default, you have a certain understanding of the security settings of NTFS file directory. Here, I will introduce you to the use of Windows's API functions to manipulate NTFS file permissions.
First, theory and terminology
In Windows NT / 2K? XP, it is not necessarily a file system, and some other objects, such as processes, named pipes, printers, network sharing, or registry, etc., users can set user access. In a Windows system, it is the structure of a security descriptor (Security Descriptor) to save its permissions, referred to as SD, which is "security_descriptor" in the Windows SDK, which includes security settings information. Structure. A security descriptor contains the following information:
A security identifier (SECURITY IDENTIFIERS), which identifies which object of this information, that is, the ID used to record the security object. Not referred to as: SID.
A DACL (Discretionary Access Control List) indicates a list of access controls that allow and reject a user or user group. When a process needs to access the security object, the system will check the DACL to determine the access to the process. If an object doesn't have DACL, then this object is that anyone can have full access.
A SACL (System Access Control List) indicating a list of access control permissions for a set of access modes (eg, read, write, run, etc.) on this object.
There is also some of its own control.
DACL and SACL constitute an entire access control list Access Control List, an ACL, an ACL, and we are called ACE (Access Control Entry), each ACE in the ACL.
Our programs do not have to maintain the SD structure directly, this structure is maintained by system. We only use the related API functions provided by Windows to get the information in the SD. However, these API functions are only supported by Windows NT / 2K / XP.
Secure Object Securable Object is an object of Windows with SD. All named Windows objects are secure objects. Some unnamed objects are security objects, such as processes and threads, and security descriptor SD. In the operation of most creation security objects, you need to pass an SD parameter, such as: createfile and createprocess function. In addition, Windows also provides a range of access functions for secure information about secure objects to get the security settings on the object, or modify the security settings on the object. Such as: GetNamedSecurityInfo, SetNameDsecurityInfo, GetSecurityInfo, SetSecurityInfo.
The following figure illustrates that the contact between security objects and DACL and the visitor (originating from the MSDN). Note that the order of each ACE in the DACL table is meaningful. If the previous Allow (or Denied) ACE passes, then the system will not check the behind Ace.
The system will check all the ACE rules in order, if the following conditions are met, then exit: 1, if an access-denied ACE obviously rejects the requester.
2. If an Access-Allowed ACE apparently agrees with the requester.
3, all ACEs have been checked, but there is no ACE obviously allows or refuses the requester, and the system will use the default value to reject the requester's access.
For more theory and description, please see MSDN.
Second, practice and routine
1, routines 1: Create a directory with permission settings
#include
Void main (void)
{
Security_attributes sa; // and file-related security structure
Security_descriptor sd; // Declare an SD
BYTE ACLBUFFER [1024];
PACL PACL = (PACL) & aclbuffer; // Declare an ACL, length is 1024
BYTE SIDBUFFER [100];
PSID PSID = (PSID) & Sidbuffer; // Declare a SID, the length is 100
DWORD SIDBUFFERSIZE = 100;
Char DomainBuffer [80];
DWORD DOMAINBUFFERSIZE = 80;
SID_NAME_USE SNU;
Handle file;
// Initialize a SD
InitializesecurityDescriptor (& SD, Security_Descriptor_revision); // Initialize an ACL
InitializeaCl (PACL, 1024, ACL_REVISION); / / Find a user hcher, and take the user's SID
Lookupaccountname (0, "hcher", psid,
& Sidbuffersize, Domainbuffer,
& domainbuffersize, & snu); // Set the user's access-allowed ACE, whose authority is "all permissions"
Addaccessallowedace (PACL, ACL_REVISION, Generic_all, PSI);
// Set the ACL to SD
SetSecurityDescriptORDACL (& SD, True, PACL, FALSE);
// put the SD in the file security structure SA
Sa.nlength = sizeof (security_attributes);
Sa.binherithandle = false;
Sa.lpsecurityDescriptor = & sd;
//Create a file
FILE = CREATEFILE ("C: // Testfile",
0, 0, & sa, create_new, file_attribute_normal, 0);
CloseHandle (file);
}
I found it from the Internet and changed it. I use the key API function that I use it, I have added it. From the program we can see, let's initialize an SD and an ACL, then call the lookupaccountname to get the user's SID, then join a ACE that allows access to the ACE, then set the entire ACL to the ACE to SD. Finally, organize the SA structure described by the security file and call CREATEFILE to create a file. If your operating system is NTFS, then you can see the security properties of the file you created:
This procedure is intended to illustrate how to generate a new SD and ACL usage, which has four places and unclear: 1. Specify its length for the declaration of ACL and SID.
2. For the API function, there is no error handling.
3. Nothing explains how to modify the security settings for existing files or directories.
4. There is no inheritance of the security settings.
For these, I will tell them in the next routine.
2, routine two, add a security settings for the catalog
Before I use this example, please let me say more.
1. For files, directories, command pipelines, we do not have to use GetNameDSecurityInfo and SetNameDSecurityInfo functions, we can use its dedicated function GetFileSecurity and setFileSecurity functions to get the SD of the file object to set their access. It is not easy to use these two functions. As we mentioned earlier, we also need to handle SD parameters. To handle SD, you need to handle DACL and ACE, and the user's associated SID, so the function of a system is These two functions come out.
2. The method of processing the SID for the use of hardcodes in the previous example is. When calling the lookupaccountname function, let the SID, the Domain name of the parameters are empty null, so LookupAcPaccountName will return the length of the user's SID and the length of the Domain name, so you can assign memory according to this length, then call the lookupaccountname function again. Then you can reach the effect of the state allocation memory. The same is true for ACLs.
3. Increase an ACE entry for the ACL to the file, the general practice is to first take the ACL on the file, take out the ACE one by one, and the ACE comparison needs to be increased. If there is a conflict, remove the existing ACE, add new The ACE is added to the end. At the end of this, it should be the final of the ACE that is non-inherited. About ACL inheritance, NTFS, you can set the file and directory to inherit the settings of its parent directory. It can also be set in the program.
Next->
(All rights reserved, please indicate the source and author information when reproduced)
