Tuesday, 2 August 2011

How to programmatically set access rights on a file (Windows)

Object access control is part of Windows security. Each securable object has its name, type (file, directory, process, event, semaphore, mutex, timer, registry key,...) and security descriptor which contains information about its:
  • owner
  • group
  • ACLs (Access Control Lists) - one instance of each type of ACLs:
    • DACL (Discretionary Access Control List) - specifies the access particular users or groups can have to the object
    • SACL (System Access Control List) - controls the logging of attempts to access the object
ACL is a set of Access Control Entries (ACEs). ACE contains set of structures that specify access rights for  trustee where trustee (user or group) is identified by its Security IDentifier (SID).

If we want to change access right for particular user on some object we need to:
  1. identify object for which we want to set permission (by its name and type)
  2. get object's current DACL (use GetNamedSecurityInfo)
  3. identify user (by its name or SID); identify rights
  4. create new ACE, stating user and its rights (instantiate EXPLICIT_ACCESS structure)
  5. merge new ACE to existing DACL in order to get a new DACL (use SetEntriesInAcl)
  6. attach new DACL to the object (use SetNamedSecurityInfo)
MSDN article "Modifying the ACLs of an Object in C++" shows implementation of these steps within function  AddAceToObjectsSecurityDescriptor. For example, if we want to set read and execute rights for IUSR user on some file which path is in pszPath, we can call this function with following paramethers:

DWORD dwRes = AddAceToObjectsSecurityDescriptor(
pszPath,
SE_FILE_OBJECT,
"IUSR",
TRUSTEE_IS_NAME,
STANDARD_RIGHTS_READ | STANDARD_RIGHTS_EXECUTE,
GRANT_ACCESS,
NO_INHERITANCE);

1 comment:

micheal pan said...

BE SMART AND BECOME RICH IN LESS THAN 3DAYS....It all depends on how fast 
you can be to get the new PROGRAMMED blank ATM card that is capable of
hacking into any ATM machine,anywhere in the world. I got to know about 
this BLANK ATM CARD when I was searching for job online about a month 
ago..It has really changed my life for good and now I can say I'm rich and 
I can never be poor again. The least money I get in a day with it is about 
$50,000.(fifty thousand USD) Every now and then I keeping pumping money 
into my account. Though is illegal,there is no risk of being caught 
,because it has been programmed in such a way that it is not traceable,it 
also has a technique that makes it impossible for the CCTVs to detect 
you..For details on how to get yours today, email the hackers on : (
atmmachinehackers1@gmail.com ). Tell your 
loved once too, and start to live large. That's the simple testimony of how 
my life changed for good...Love you all ...the email address again is ;
atmmachinehackers1@gmail.com