2020-09-30 16:53:55 +02:00

255 lines
7.9 KiB
C

//-----------------------------------------------------------------------------
// fileperms.h
//-----------------------------------------------------------------------------
#include <aclapi.h>
////////////////////////////////////////////////////////////////
//
// AddPermissionToPath( PATH, ACCOUNT(RID or SAM), PERMISSION, INHERIT, OVERWRITE )
//
// pszPath - Should be the path to the File Object that you
// want to set permissions on. Note: This is not
// setting SHARE permissions, but NTFS file perms.
// (Directories will work as well.)
//
// dwRID - Well-known RID specifying the account you want
// to give access to the file.
// (DOMAIN_ALIAS_RID_ADMINS, for example.)
//
// pszSAM - SAM-Account name specifying the account you want
// to give access to the file.
// (Users.h includes all SBS groups and users.)
//
// nAccess - Specify the File access flags that you want the
// user to have.
// (FILE_ALL_ACCESS is the default.)
//
// bInheritFromParent - Specify whether you want the new ACL
// to inherit the parent settings.
// (TRUE is the default.)
//
// bOverwriteExisting - Specify whether you want the existing
// ACL on the object to remain.
// (FALSE is the default.)
//
// nInheritance = Specify the type of inheritance you
// want.
// ((OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE)
// is the default.)
//
// (NOTE: If you want it to apply to
// directory objects only, use only the
// CONTAINER_INHERIT_ACE.)
//
////////////////////////////////////////////////////////////////
#ifndef _FILEPERMS_H
#define _FILEPERMS_H
inline HRESULT _AddPermissionToPath( LPCTSTR pszPath,
SID* pSID,
UINT nAccess = FILE_ALL_ACCESS,
BOOL bInheritFromParent = TRUE,
BOOL bOverwriteExisting = FALSE,
UINT nInheritance = (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE) )
{
if( !pszPath ) return E_POINTER;
if( !pSID ) return E_POINTER;
PSECURITY_DESCRIPTOR pSD = NULL;
PACL pOldAcl = NULL;
PACL pNewAcl = NULL;
DWORD dwError = 0;
DWORD dwOldSize = 0;
DWORD dwNewSize = 0;
ACL_SIZE_INFORMATION pACLSize;
ZeroMemory(&pACLSize, sizeof(ACL_SIZE_INFORMATION));
// Get the current information for the path
dwError = GetNamedSecurityInfo( (LPTSTR)pszPath, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldAcl, NULL, &pSD );
if( dwError != ERROR_SUCCESS )
{
goto cleanup;
}
// If there was any current information, let's make sure we allocate enough
// size for it when we go to add our new ACE.
if( !bOverwriteExisting && pOldAcl )
{
if (!::GetAclInformation( pOldAcl, &pACLSize, sizeof(ACL_SIZE_INFORMATION), AclSizeInformation ))
{
dwError = GetLastError();
goto cleanup;
}
dwOldSize = pACLSize.AclBytesInUse;
}
dwNewSize = dwOldSize + sizeof(ACL) + sizeof (ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid( pSID );
pNewAcl = (ACL*)malloc(dwNewSize);
if (pNewAcl == NULL)
{
dwError = ERROR_NOT_ENOUGH_MEMORY;
goto cleanup;
}
ZeroMemory( pNewAcl, dwNewSize );
if ( !::InitializeAcl(pNewAcl, dwNewSize, ACL_REVISION) )
{
dwError = GetLastError();
goto cleanup;
}
// Copy existing entries into new DACL.
if( !bOverwriteExisting )
{
for ( DWORD dwCount = 0; dwCount < pACLSize.AceCount; dwCount++ )
{
PACCESS_ALLOWED_ACE pACE = NULL;
// Get the Old ACE
if ( !::GetAce(pOldAcl, dwCount, (void**)&pACE) )
{
ASSERT(FALSE);
continue;
}
if( bInheritFromParent || !(pACE->Header.AceFlags & INHERITED_ACE) )
{
// Add it to the new ACL
if ( !::AddAce(pNewAcl, ACL_REVISION, (DWORD)-1, pACE, pACE->Header.AceSize) )
{
ASSERT(FALSE);
continue;
}
}
}
}
if( !::AddAccessAllowedAceEx(pNewAcl, ACL_REVISION, nInheritance, nAccess, pSID) )
{
dwError = GetLastError();
goto cleanup;
}
SECURITY_INFORMATION siType = DACL_SECURITY_INFORMATION;
siType |= bInheritFromParent ? 0 : PROTECTED_DACL_SECURITY_INFORMATION;
dwError = SetNamedSecurityInfo( (LPTSTR)pszPath, SE_FILE_OBJECT, siType, NULL, NULL, pNewAcl, NULL );
if( dwError != ERROR_SUCCESS )
{
goto cleanup;
}
cleanup:
if ( pNewAcl != NULL )
{
free( pNewAcl );
pNewAcl = NULL;
}
if ( pSD != NULL )
{
LocalFree( pSD );
pSD = NULL;
pOldAcl = NULL;
}
return HRESULT_FROM_WIN32( dwError );
}
//
// Well-Known RID Version
//
inline HRESULT AddPermissionToPath( LPCTSTR pszPath,
DWORD dwRID,
UINT nAccess = FILE_ALL_ACCESS,
BOOL bInheritFromParent = TRUE,
BOOL bOverwriteExisting = FALSE,
UINT nInheritance = (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE) )
{
if( !pszPath ) return E_POINTER;
if( _tcslen(pszPath) == 0 ) return E_INVALIDARG;
PSID psid = NULL;
SID_IDENTIFIER_AUTHORITY sia = SECURITY_NT_AUTHORITY;
BOOL bRet = AllocateAndInitializeSid( &sia,
2,
SECURITY_BUILTIN_DOMAIN_RID,
dwRID,
0, 0, 0, 0, 0, 0,
&psid);
if( !bRet )
{
return HRESULT_FROM_WIN32( GetLastError() );
}
else if( !psid )
{
return E_FAIL;
}
HRESULT hr = _AddPermissionToPath( pszPath, (SID*)psid, nAccess, bInheritFromParent, bOverwriteExisting, nInheritance );
FreeSid( psid );
return hr;
}
//
// SAM Account version
//
inline HRESULT AddPermissionToPath( LPCTSTR pszPath,
LPCTSTR pszSAM,
UINT nAccess = FILE_ALL_ACCESS,
BOOL bInheritFromParent = TRUE,
BOOL bOverwriteExisting = FALSE,
UINT nInheritance = (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE) )
{
if( !pszPath || !pszSAM ) return E_POINTER;
if( (_tcslen(pszPath) == 0) || (_tcslen(pszSAM) == 0 ) ) return E_INVALIDARG;
HRESULT hr = S_OK;
DWORD dwSize = 0;
DWORD dwDomainSize = 0;
SID_NAME_USE snu;
if( !LookupAccountName(NULL, pszSAM, NULL, &dwSize, NULL, &dwDomainSize, &snu) &&
GetLastError() == ERROR_INSUFFICIENT_BUFFER )
{
SID* psid = (SID*)new BYTE[dwSize];
if( !psid )
{
return E_OUTOFMEMORY;
}
TCHAR* pszDomain = new TCHAR[dwDomainSize];
if( !pszDomain )
{
delete[] psid;
return E_OUTOFMEMORY;
}
if( LookupAccountName(NULL, pszSAM, psid, &dwSize, pszDomain, &dwDomainSize, &snu) )
{
hr = _AddPermissionToPath( pszPath, psid, nAccess, bInheritFromParent, bOverwriteExisting, nInheritance );
}
else
{
hr = HRESULT_FROM_WIN32( GetLastError() );
}
delete[] psid;
delete[] pszDomain;
}
else
{
return E_FAIL;
}
return hr;
}
#endif // _FILEPERMS_H