Object access control is part of Windows security. Each securable object has a name, a type (file, directory, process, event, semaphore, mutex, timer, registry key, ...) and a security descriptor, which holds information about its:
- owner
- group
- ACLs (Access Control Lists), one instance of each type:
  - DACL (Discretionary Access Control List) - specifies the access that particular users or groups have to the object
  - SACL (System Access Control List) - controls the logging (auditing) of attempts to access the object
To change the access rights a particular user has on an object, we need to:
- identify the object whose permissions we want to set (by its name and type)
- get the object's current DACL (GetNamedSecurityInfo)
- identify the user (by name or SID) and the rights to grant or deny
- create a new ACE naming the user and those rights (fill an EXPLICIT_ACCESS structure)
- merge the new ACE into the existing DACL to produce a new DACL (SetEntriesInAcl)
- attach the new DACL to the object (SetNamedSecurityInfo)
```cpp
#include <windows.h>
#include <aclapi.h>
// AddAceToObjectsSecurityDescriptor is the helper from Microsoft's "Modifying the ACLs
// of an Object in C++" sample; it wraps the GetNamedSecurityInfo / SetEntriesInAcl /
// SetNamedSecurityInfo sequence above. Note that STANDARD_RIGHTS_READ and
// STANDARD_RIGHTS_EXECUTE both expand to READ_CONTROL, so this mask only lets IUSR read
// the file's security descriptor, not its contents (FILE_GENERIC_READ would do that).
DWORD dwRes = AddAceToObjectsSecurityDescriptor(
    pszPath,             // object name: path of the file (declared earlier)
    SE_FILE_OBJECT,      // object type
    "IUSR",              // trustee
    TRUSTEE_IS_NAME,     // trustee identified by name rather than by SID
    STANDARD_RIGHTS_READ | STANDARD_RIGHTS_EXECUTE,
    GRANT_ACCESS,        // add an access-allowed ACE
    NO_INHERITANCE);
if (dwRes != ERROR_SUCCESS) { /* dwRes is a Win32 error code */ }
```
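The same six steps carried out with PowerShell's .NET ACL wrappers, as an added example that is not from the original post or from the Microsoft sample. The temporary file path is constructed for the demo; the account name IUSR is the one used above.

```powershell
# Added example: the six-step procedure above, done through PowerShell's .NET
# wrappers rather than the Win32 calls. The file path below is constructed for the demo.

function Grant-FileAce {
    param(
        [Parameter(Mandatory)] [string] $Path,      # step 1: object name; the type is a file
        [Parameter(Mandatory)] [string] $Trustee,   # step 3: user by name (a SID string also works)
        [System.Security.AccessControl.FileSystemRights] $Rights = 'ReadAndExecute',
        [System.Security.AccessControl.AccessControlType] $Mode = 'Allow'  # GRANT_ACCESS
    )
    # Step 2: read the object's current DACL (Get-Acl wraps GetNamedSecurityInfo).
    $acl = Get-Acl -LiteralPath $Path

    # Step 4: build the new ACE (the EXPLICIT_ACCESS equivalent). InheritanceFlags and
    # PropagationFlags of None match NO_INHERITANCE in the C call above.
    $ace = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Trustee, $Rights,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        $Mode)

    # Step 5: merge the ACE into the existing DACL (what SetEntriesInAcl does).
    $acl.AddAccessRule($ace)

    # Step 6: write the updated DACL back to the object (SetNamedSecurityInfo).
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Read the DACL back and list only the ACEs for the trustee, so the change can be verified.
function Get-FileAce {
    param([string] $Path, [string] $Trustee)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Trustee -or $_.IdentityReference.Value -like "*\$Trustee" } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Demo on a throwaway file (constructed path); IUSR is the account from the post.
$target = Join-Path $env:TEMP 'acl-demo.txt'
Set-Content -LiteralPath $target -Value 'demo'
Grant-FileAce -Path $target -Trustee 'IUSR' -Rights ReadAndExecute
Get-FileAce -Path $target -Trustee 'IUSR'

# The mask used in the C call, STANDARD_RIGHTS_READ | STANDARD_RIGHTS_EXECUTE, is 0x20000
# (READ_CONTROL). As a FileSystemRights value that is only ReadPermissions, i.e. the right
# to read the security descriptor, not the file's contents:
[System.Security.AccessControl.FileSystemRights] 0x20000   # ReadPermissions
```

Run it in an elevated or owner context; setting a DACL needs WRITE_DAC on the file, which its owner has by default.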