Hi
WINAPI schrieb:
Doch dann hauts mir den Haken "Berechtigung übergeordneter Objekte auf untergeordnete Objekte, sofern anwendbar, vererben" hinein! Wie kann ich verhindern, dass das passiert?
Das kannst Du, indem Du Deinen String-Security-Deskriptor so anpasst:
D:P(A;CIOI;GA;;;SY)(A;CIOI;GA;;;WD)
folglich :
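/* The SDDL text has to be passed as a string literal (the original line lacked the quotes).
 * On success the function allocates the descriptor with LocalAlloc, so
 * SA->lpSecurityDescriptor must later be released with LocalFree. */
if (!ConvertStringSecurityDescriptorToSecurityDescriptor(
        "D:P(A;CIOI;GA;;;SY)(A;CIOI;GA;;;WD)",
        SDDL_REVISION_1,
        &(SA->lpSecurityDescriptor),
        NULL)) {
    /* Conversion failed: GetLastError() holds the reason and lpSecurityDescriptor is not usable. */
}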
wobei das "P" für (SDDL_PROTECTED -> The SE_DACL_PROTECTED flag is set) steht.
http://msdn.microsoft.com/en-us/library/windows/desktop/aa379570%28v=vs.85%29.aspx
Das kannst Du Dir auch mal zu Gemüte führen:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa379582%28v=vs.85%29.aspx
Das bewirkt im Grunde das Gleiche, wenn Du es richtig anwendest.
SetSecurityDescriptorControl( &SecDesc, SE_DACL_PROTECTED, SE_DACL_PROTECTED );
Den Benutzer JEDER würde ich anschliessend mit so etwas entfernen:
int main(){
...
...
// Revoke (REVOKE_ACCESS) every right (GENERIC_ALL) that the SDDL alias "WD"
// (Everyone / "Jeder") holds on the file object "DATA"; the inheritance flag
// applies the change to sub-containers and objects as well.
// NOTE(review): the DWORD result is ignored here; a nonzero value means the
// ACE was NOT applied and Everyone still has its previous access.
AddAceToFileWithUseralias("DATA" ,"WD" ,GENERIC_ALL ,REVOKE_ACCESS ,SUB_CONTAINERS_AND_OBJECTS_INHERIT);
...
...
return 0;
}
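/*
 * Merge one ACE for `trustee` into the DACL of the named object.
 *
 * objectname      name of the object (file path, registry key, ... as per ObjectType)
 * ObjectType      SE_OBJECT_TYPE describing what objectname names
 * trustee         trustee name or SID, interpreted according to TrusteeForm
 * TrusteeForm     how `trustee` is read (e.g. TRUSTEE_IS_SID, TRUSTEE_IS_NAME)
 * dwAccessRights  access mask of the new ACE
 * AccessMode      GRANT_ACCESS / DENY_ACCESS / REVOKE_ACCESS / SET_ACCESS
 * dwInheritance   inheritance flags of the new ACE
 *
 * Returns ERROR_SUCCESS, ERROR_INVALID_PARAMETER for a NULL objectname, or the
 * error code of the first failing Win32 call.
 *
 * Only the DACL is read and written (DACL_SECURITY_INFORMATION); the
 * protected/unprotected inheritance state of the DACL is not touched here.
 * NOTE(review): to stop the object from inheriting ACEs from its parent (the
 * SE_DACL_PROTECTED question above), PROTECTED_DACL_SECURITY_INFORMATION would
 * have to be ORed into the SetNamedSecurityInfo flags -- confirm against the docs.
 */
DWORD AddAceToObjectsSecurityDescriptor(
    char *objectname,
    SE_OBJECT_TYPE ObjectType,
    char *trustee,
    TRUSTEE_FORM TrusteeForm,
    DWORD dwAccessRights,
    ACCESS_MODE AccessMode,
    DWORD dwInheritance
    )
{
    DWORD dwRes = ERROR_SUCCESS;
    PACL pOldDACL = NULL;
    PACL pNewDACL = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    EXPLICIT_ACCESS ea;

    if (NULL == objectname) {
        return ERROR_INVALID_PARAMETER;
    }

    /* Read the current DACL. pOldDACL points into pSD and is released together with it. */
    dwRes = GetNamedSecurityInfo(objectname, ObjectType, DACL_SECURITY_INFORMATION,
                                 NULL, NULL, &pOldDACL, NULL, &pSD);
    if (ERROR_SUCCESS != dwRes) {
        goto Cleanup;
    }

    /* Describe the new ACE. */
    ZeroMemory(&ea, sizeof ea);
    ea.grfAccessPermissions = dwAccessRights;
    ea.grfAccessMode = AccessMode;
    ea.grfInheritance = dwInheritance;
    ea.Trustee.TrusteeForm = TrusteeForm;
    ea.Trustee.ptstrName = trustee;

    /* Build a new ACL that merges the ACE into the existing DACL (a NULL old ACL is allowed). */
    dwRes = SetEntriesInAcl(1, &ea, pOldDACL, &pNewDACL);
    if (ERROR_SUCCESS != dwRes) {
        goto Cleanup;
    }

    /* Attach the merged ACL as the object's DACL; its result is the final return code,
     * so no extra check/goto is needed before the cleanup label. */
    dwRes = SetNamedSecurityInfo(objectname, ObjectType, DACL_SECURITY_INFORMATION,
                                 NULL, NULL, pNewDACL, NULL);

Cleanup:
    /* LocalFree(NULL) is a documented no-op, so the buffers are freed unconditionally. */
    LocalFree((HLOCAL) pSD);
    LocalFree((HLOCAL) pNewDACL);
    return dwRes;
}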
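/*
 * Add, deny or revoke an ACE on the file object `nameofobject` for a trustee given
 * as an SDDL SID string or well-known alias (e.g. "WD" = Everyone, "SY" = Local System).
 *
 * access_mask / access_mode / inheritance are passed straight through to
 * AddAceToObjectsSecurityDescriptor.
 *
 * Returns ERROR_SUCCESS on success, the error of the failing ACL call, or -- if
 * SDDLuseralias cannot be converted -- the GetLastError() code (ERROR_INVALID_SID
 * should it unexpectedly be 0). A failed conversion must never be reported as 0:
 * 0 is ERROR_SUCCESS, so a mistyped alias looked like a successful ACL change.
 */
DWORD AddAceToFileWithUseralias(char *nameofobject ,char *SDDLuseralias ,ACCESS_MASK access_mask ,ACCESS_MODE access_mode ,DWORD inheritance)
{
    DWORD rc = ERROR_SUCCESS;
    PSID sid = NULL;

    if (ConvertStringSidToSid(SDDLuseralias, &sid) == 0) {
        DWORD err = GetLastError();
        return err != ERROR_SUCCESS ? err : ERROR_INVALID_SID;
    }

    rc = AddAceToObjectsSecurityDescriptor(
        nameofobject,       /* name of object */
        SE_FILE_OBJECT,     /* type of object */
        (char *) sid,       /* trustee for new ACE; read as a SID because of TRUSTEE_IS_SID */
        TRUSTEE_IS_SID,     /* format of trustee structure */
        access_mask,        /* access mask for new ACE */
        access_mode,        /* type of ACE */
        inheritance         /* inheritance flags for new ACE */
        );

    /* ConvertStringSidToSid allocated the SID with LocalAlloc; this function owns it. */
    LocalFree((HLOCAL) sid);
    return rc;
}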