Windows: how to create a directory that grants all permissions to everyone
Notice: this page is a Chinese-English side-by-side translation of a popular Stack Overflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): Stack Overflow
Original URL: http://stackoverflow.com/questions/690780/
How to create directory with all rights granted to everyone
Asked by Jeff Stong
I need to programmatically create a directory that grants "Full Control" to the group "Everyone". If I use
    CreateDirectory(path, NULL);
This will, according to the Win32 SDK documentation, create a directory that inherits from its parent directory. I do not want to inherit the access rights of the parent directory; I need to ensure that "Everyone" has full control over the directory.
Obviously, this will require setting up the SECURITY_ATTRIBUTES structure with the appropriate security descriptor. How do I do that?
Answered by Jeff Stong
Here's one technique that seems to work:
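    #include <windows.h>
    #include <aclapi.h>   // EXPLICIT_ACCESS, SetEntriesInAcl

    // Fragment: place inside a function; path names the directory to create.

    // Build the well-known "Everyone" (World) SID, S-1-1-0.
    SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;
    PSID everyone_sid = NULL;
    AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID,
        0, 0, 0, 0, 0, 0, 0, &everyone_sid);

    // One access entry: all specific and standard rights for Everyone,
    // not inherited by child objects.
    EXPLICIT_ACCESS ea;
    ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    ea.grfAccessPermissions = SPECIFIC_RIGHTS_ALL | STANDARD_RIGHTS_ALL;
    ea.grfAccessMode = SET_ACCESS;
    ea.grfInheritance = NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
    ea.Trustee.ptstrName = (LPTSTR)everyone_sid;   // LPTSTR matches both ANSI and Unicode builds

    // Build a new ACL that contains only that entry.
    PACL acl = NULL;
    SetEntriesInAcl(1, &ea, NULL, &acl);

    // Wrap the ACL in an absolute security descriptor as its DACL.
    PSECURITY_DESCRIPTOR sd = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR,
        SECURITY_DESCRIPTOR_MIN_LENGTH);
    InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
    SetSecurityDescriptorDacl(sd, TRUE, acl, FALSE);

    // Pass the descriptor to CreateDirectory through SECURITY_ATTRIBUTES.
    SECURITY_ATTRIBUTES sa;
    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa.lpSecurityDescriptor = sd;
    sa.bInheritHandle = FALSE;

    CreateDirectory(path, &sa);

    // Release everything allocated above.
    FreeSid(everyone_sid);
    LocalFree(sd);
    LocalFree(acl);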
Note that this sample code has absolutely no error checking -- you'll have to supply that yourself.
Answered by Chris Becke
I prefer the following code snippet as it creates a folder inheriting default rights - which seems the right thing to do - other software / the user might have set up specific inheritable rights on a directory for a legitimate reason - then adds a Full Control explicit access entry for the built-in "Users" group.
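    #include <windows.h>
    #include <aclapi.h>   // GetSecurityInfo, SetSecurityInfo, SetEntriesInAcl

    BOOL CreateDirectoryWithUserFullControlACL(LPCTSTR lpPath)
    {
        // Create the directory with the default (inherited) security descriptor.
        if (!CreateDirectory(lpPath, NULL))
            return FALSE;

        // FILE_FLAG_BACKUP_SEMANTICS is required to open a handle to a directory.
        HANDLE hDir = CreateFile(lpPath, READ_CONTROL | WRITE_DAC, 0, NULL,
                                 OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
        if (hDir == INVALID_HANDLE_VALUE)
            return FALSE;

        BOOL ok = FALSE;
        PACL pOldDACL = NULL;   // points into pSD; must not be freed on its own
        PACL pNewDACL = NULL;
        PSECURITY_DESCRIPTOR pSD = NULL;
        PSID pSid = NULL;
        SID_IDENTIFIER_AUTHORITY authNt = SECURITY_NT_AUTHORITY;

        // Read the current DACL, then build the SID for the built-in "Users" group.
        if (GetSecurityInfo(hDir, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
                            NULL, NULL, &pOldDACL, NULL, &pSD) == ERROR_SUCCESS &&
            AllocateAndInitializeSid(&authNt, 2, SECURITY_BUILTIN_DOMAIN_RID,
                                     DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0, &pSid))
        {
            EXPLICIT_ACCESS ea = {0};
            ea.grfAccessMode = GRANT_ACCESS;
            ea.grfAccessPermissions = GENERIC_ALL;
            ea.grfInheritance = CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE;
            ea.Trustee.TrusteeType = TRUSTEE_IS_GROUP;
            ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
            ea.Trustee.ptstrName = (LPTSTR)pSid;

            // Merge the new entry with the existing DACL and apply the result.
            if (SetEntriesInAcl(1, &ea, pOldDACL, &pNewDACL) == ERROR_SUCCESS)
                ok = (SetSecurityInfo(hDir, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
                                      NULL, NULL, pNewDACL, NULL) == ERROR_SUCCESS);
        }

        if (pSid)
            FreeSid(pSid);
        if (pNewDACL)
            LocalFree(pNewDACL);
        if (pSD)
            LocalFree(pSD);   // also releases the memory pOldDACL points to
        CloseHandle(hDir);
        return ok;
    }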
Answered by JeffH
See if you can use SetSecurityInfo()
In the description of the optional pDacl argument:
... If the value of the SecurityInfo parameter includes the DACL-SECURITY-INFORMATION flag and the value of this parameter is set to NULL, full access to the object is granted to everyone.
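An added example, not part of the original answers: a portable C check that classifies a self-relative security descriptor as having a NULL DACL (the case quoted above) or an allow entry that gives Everyone full control (the result of the first answer). The function name `audit_dacl`, the enum values and both sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { DACL_MALFORMED = -1, DACL_OK, DACL_NULL, DACL_EVERYONE_FULL };

static uint32_t rd16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (rd16(p + 2) << 16); }

/* Classify the DACL of a self-relative security descriptor (little-endian).
   Only allow ACEs are inspected; deny ACEs are not evaluated. */
int audit_dacl(const uint8_t *sd, size_t len)
{
    static const uint8_t everyone[12] = {1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0}; /* S-1-1-0 */
    if (len < 20 || sd[0] != 1) return DACL_MALFORMED;
    uint32_t control = rd16(sd + 2), off = rd32(sd + 16);
    /* SE_DACL_PRESENT (0x0004) clear, or set with no ACL: everyone has full access. */
    if (!(control & 0x0004) || off == 0) return DACL_NULL;
    if (off > len || len - off < 8) return DACL_MALFORMED;
    const uint8_t *acl = sd + off;
    size_t acl_size = rd16(acl + 2), pos = 8;           /* 8-byte ACL header */
    if (acl_size < 8 || acl_size > len - off) return DACL_MALFORMED;
    for (uint32_t n = rd16(acl + 4); n > 0; n--) {      /* AceCount */
        if (acl_size - pos < 4) return DACL_MALFORMED;
        const uint8_t *ace = acl + pos;
        size_t ace_size = rd16(ace + 2);
        if (ace_size < 4 || ace_size > acl_size - pos) return DACL_MALFORMED;
        /* ACCESS_ALLOWED_ACE (type 0) that is not INHERIT_ONLY (0x08), trustee Everyone */
        if (ace[0] == 0 && !(ace[1] & 0x08) && ace_size >= 20 &&
            memcmp(ace + 8, everyone, sizeof everyone) == 0) {
            uint32_t mask = rd32(ace + 4);
            /* GENERIC_ALL, or every bit of FILE_ALL_ACCESS (0x001F01FF) */
            if ((mask & 0x10000000u) || (mask & 0x001F01FFu) == 0x001F01FFu)
                return DACL_EVERYONE_FULL;
        }
        pos += ace_size;
    }
    return DACL_OK;
}

/* Constructed sample: descriptor with one ACE, Everyone, mask 0x001FFFFF
   (SPECIFIC_RIGHTS_ALL | STANDARD_RIGHTS_ALL, as in the first answer). */
const uint8_t sample_everyone[48] = {
    1, 0, 0x04, 0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 20,0,0,0,   /* header, DACL at 20 */
    2, 0, 28, 0, 1, 0, 0, 0,                                 /* ACL: size 28, 1 ACE */
    0, 0, 20, 0, 0xFF, 0xFF, 0x1F, 0, 1,1,0,0,0,0,0,1,0,0,0,0 };
/* Constructed sample: DACL present flag set but no ACL (a NULL DACL). */
const uint8_t sample_null[20] = { 1, 0, 0x04, 0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };
```

On Windows, the input bytes can be obtained with GetFileSecurity and DACL_SECURITY_INFORMATION, which returns the descriptor in self-relative form.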