Discussion:
Change permissions of a file
zandr5
2008-10-28 14:41:24 UTC
Hi,

I need to programmatically change permissions of a file in the following
way:
1) Remove user X permissions;
2) Add CREATOR_OWNER's permissions (inherited from parent directory) to user
Y.

What's the best way to do that?
Thank you.
--
zandr.
Jialiang Ge [MSFT]
2008-10-29 08:57:15 UTC
Good morning Zandr, welcome to Microsoft Newsgroup Support service! My name
is Jialiang Ge [MSFT]. It's my pleasure to work with you on this issue.

In order to programmatically change a file's permission settings, the native
APIs GetNamedSecurityInfo, SetEntriesInAcl and SetNamedSecurityInfo will
be helpful. If you are writing .NET code, the FileSecurity class provided by
the .NET class library exposes an easier interface for programming against
file permissions.

1) Remove user X permissions;

================
Native C++ solution:
http://msdn.microsoft.com/en-us/library/aa379283(VS.85).aspx
I found this example for your reference. The function
"AddAceToObjectsSecurityDescriptor" can be used to add a user to, or remove a
user from, the file's ACL (Access Control List). For example,

PSID pSIDEveryone = NULL;
SID_IDENTIFIER_AUTHORITY SIDAuthWorld =
SECURITY_WORLD_SID_AUTHORITY;
// Build the well-known SID S-1-1-0 ("Everyone"); check the result,
// the call fails (returns FALSE) when it cannot allocate the SID.
if (AllocateAndInitializeSid(&SIDAuthWorld, 1,
SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0,
&pSIDEveryone))
{
// REVOKE_ACCESS removes every explicit ACE for the trustee; the
// access mask (GENERIC_READ here) is ignored for that access mode.
AddAceToObjectsSecurityDescriptor(L"D:\\Permission\\test.txt",
SE_FILE_OBJECT, (LPTSTR) pSIDEveryone, TRUSTEE_IS_SID,
GENERIC_READ, REVOKE_ACCESS, NO_INHERITANCE);
// SIDs from AllocateAndInitializeSid must be released with FreeSid.
FreeSid(pSIDEveryone);
}

This piece of code removes the user "Everyone" from the permission list of
file "D:\Permission\test.txt".

Inside AddAceToObjectsSecurityDescriptor, it basically does three things:

a. get the security info of the target file (GetNamedSecurityInfo)
b. update the security info according to our parameters (SetEntriesInAcl)
c. set the updated security info to the target file (SetNamedSecurityInfo)

================
.NET solution:

How to: Add or Remove Access Control List Entries
http://msdn.microsoft.com/en-us/library/ms229078.aspx

public static void RemoveFileSecurity(string fileName, string account,
FileSystemRights rights, AccessControlType controlType)
{
// Get a FileSecurity object that represents the
// current security settings.
FileSecurity fSecurity = File.GetAccessControl(fileName);

// Remove the FileSystemAccessRule from the security settings.
fSecurity.RemoveAccessRule(new FileSystemAccessRule(account,
rights, controlType));

// Set the new access settings.
File.SetAccessControl(fileName, fSecurity);
}

Inside RemoveFileSecurity, it does almost the same thing as
AddAceToObjectsSecurityDescriptor:

a. get the security info of the target file (File.GetAccessControl)
b. update the security info according to our parameters
(fSecurity.RemoveAccessRule)
c. set the updated security info to the target file (File.SetAccessControl)

2) Add CREATOR_OWNER's permissions (inherited from parent directory) to
user Y.

The basic idea of implementing this is similar to the first request. I
think that we would need to modify AddAceToObjectsSecurityDescriptor based
on this logic:

a. get the security info of the target file (GetNamedSecurityInfo)
- no change

b. get the CREATOR_OWNER's EXPLICIT_ACCESS from the security info
The API GetExplicitEntriesFromAcl will be helpful
http://msdn.microsoft.com/en-us/library/aa446638(VS.85).aspx

c. duplicate the EXPLICIT_ACCESS value of CREATOR_OWNER for user Y.
Create a new EXPLICIT_ACCESS for user Y and copy CREATOR_OWNER's
EXPLICIT_ACCESS into it.

d. update the security info for user Y (SetEntriesInAcl)
- no change

e. set the updated security info to the target file (SetNamedSecurityInfo)
- no change

Additional Materials that may be helpful to you:

Understanding Windows File And Registry Permissions
http://msdn.microsoft.com/en-us/magazine/cc982153.aspx

The Windows Access Control Model
http://www.codeproject.com/KB/winsdk/accessctrl1.asp
http://www.codeproject.com/KB/winsdk/accessctrl2.asp
http://www.codeproject.com/KB/winsdk/accessctrl3.asp
http://www.codeproject.com/KB/winsdk/accessctrl4.asp

Please let me know whether the above info is helpful to you or not. I will
be more than happy to be of further assistance.

Have a very nice day!

Regards,
Jialiang Ge (***@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
***@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

MSDN Managed Newsgroup support offering is for non-urgent issues where an
initial response from the community or a Microsoft Support Engineer within
2 business days is acceptable. Please note that each follow up response may
take approximately 2 business days as the support professional working with
you may need further investigation to reach the most efficient resolution.
The offering is not appropriate for situations that require urgent,
real-time or phone-based interactions. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
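A worked example of both requests, added here and not code from the thread or from Microsoft: it uses the FileSecurity/DirectorySecurity classes the reply points to, removes every explicit ACE for user X, and grants user Y the rights that the parent directory's CREATOR OWNER ACE would give to a file created there. The file path is the one from the reply; the account names CONTOSO\userX and CONTOSO\userY are made up. One caveat the reply's steps b and c gloss over: CREATOR OWNER (S-1-3-0) is a placeholder SID. Its ACE on the directory is inherit-only, and when a file is created the ACE lands on the file under the creator's real SID, so the file itself normally carries no CREATOR OWNER entry at all. The example therefore reads the CREATOR OWNER rights from the parent directory, not from the file.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Added example, not code from the thread. Implements both of zandr's
// requests with the FileSecurity / DirectorySecurity classes:
//   1) drop every explicit ACE on the file that names user X;
//   2) grant user Y, as an explicit ACE on the file, the rights the parent
//      directory's CREATOR OWNER ACE hands to whoever creates a file there.
public static class FilePermissionFixer
{
    // Step 1. PurgeAccessRules removes every explicit ACE for the identity,
    // whatever its access mask; RemoveAccessRule would need an exact match.
    // Inherited ACEs are not touched: those are fixed on the parent, or cut
    // off with SetAccessRuleProtection(true, ...) on the file.
    public static void RemoveUserRules(FileSecurity fileSecurity, string userX)
    {
        fileSecurity.PurgeAccessRules(new NTAccount(userX));
    }

    // Step 2. Union of the Allow rights CREATOR OWNER would inherit on a file
    // created in this directory. Returns null when the parent grants it nothing.
    public static FileSystemRights? CreatorOwnerRightsFor(DirectorySecurity parentSecurity)
    {
        var creatorOwner = new SecurityIdentifier(WellKnownSidType.CreatorOwnerSid, null);
        FileSystemRights rights = 0;
        bool found = false;
        foreach (FileSystemAccessRule rule in parentSecurity.GetAccessRules(
                     true, true, typeof(SecurityIdentifier)))
        {
            if (rule.AccessControlType != AccessControlType.Allow) continue;
            if (!rule.IdentityReference.Equals(creatorOwner)) continue;
            // An ACE on a directory only reaches files if it carries ObjectInherit.
            if ((rule.InheritanceFlags & InheritanceFlags.ObjectInherit) == 0) continue;
            rights |= rule.FileSystemRights;
            found = true;
        }
        return found ? rights : (FileSystemRights?)null;
    }

    // Applies both steps to one file. userX / userY are "DOMAIN\name" or
    // "MACHINE\name" strings; the values in Main below are hypothetical.
    public static void Apply(string filePath, string userX, string userY)
    {
        var file = new FileInfo(filePath);
        FileSecurity fileSecurity = file.GetAccessControl(AccessControlSections.Access);

        RemoveUserRules(fileSecurity, userX);

        DirectorySecurity parentSecurity = file.Directory.GetAccessControl(AccessControlSections.Access);
        FileSystemRights? rights = CreatorOwnerRightsFor(parentSecurity);
        if (rights.HasValue)
        {
            // A file cannot hold inheritable ACEs, so the copy is a plain
            // explicit Allow ACE with no inheritance flags.
            fileSecurity.AddAccessRule(new FileSystemAccessRule(
                new NTAccount(userY), rights.Value,
                InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow));
        }

        // Writing the DACL requires WRITE_DAC on the file (owner or administrator).
        file.SetAccessControl(fileSecurity);
    }

    public static void Main()
    {
        // Path from the thread; the account names are made up for the example.
        Apply(@"D:\Permission\test.txt", @"CONTOSO\userX", @"CONTOSO\userY");
    }
}
```

After running it, `icacls D:\Permission\test.txt` should list userY with the copied rights as an explicit entry and no explicit entry for userX; any entry userX still has through inheritance from the parent stays until the parent's DACL is changed or inheritance on the file is disabled.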
zandr5
2008-10-29 10:48:32 UTC
Hi Jialiang,

Thank you for the thorough explanation.
Good luck.
--
zandr.
Jialiang Ge [MSFT]
2008-10-30 09:18:07 UTC
You are welcome, zandr. -- Jialiang Ge
a***@gmail.com
2013-01-24 10:43:51 UTC
Hello Jialiang,

Your post is very helpful; however, I am trying with the code below to set permissions for shared-directory access control over the network, but it's not working:

#ifndef UNICODE
#define UNICODE
#endif
#include <windows.h>
#include <winerror.h>
#include <aclapi.h>
#include <stdio.h>
#include <lm.h>
#include <string>
#pragma comment(lib, "Netapi32.lib")
#pragma comment(lib, "Advapi32.lib")


// Merges one ACE for pszTrustee into the DACL of the named object:
// GetNamedSecurityInfo -> SetEntriesInAcl -> SetNamedSecurityInfo.
DWORD AddAceToObjectsSecurityDescriptor (
LPTSTR pszObjName, // name of object
SE_OBJECT_TYPE ObjectType, // type of object
LPTSTR pszTrustee, // trustee for new ACE
TRUSTEE_FORM TrusteeForm, // format of trustee structure
DWORD dwAccessRights, // access mask for new ACE
ACCESS_MODE AccessMode, // type of ACE
DWORD dwInheritance // inheritance flags for new ACE
)
{
DWORD dwRes = 0;
PACL pOldDACL = NULL, pNewDACL = NULL;
PSECURITY_DESCRIPTOR pSD = NULL;
EXPLICIT_ACCESS ea;

if (NULL == pszObjName)
return ERROR_INVALID_PARAMETER;

// Get a pointer to the existing DACL. pOldDACL points inside pSD,
// so only pSD is freed later.

dwRes = GetNamedSecurityInfo(pszObjName, ObjectType,
DACL_SECURITY_INFORMATION,
NULL, NULL, &pOldDACL, NULL, &pSD);
if (ERROR_SUCCESS != dwRes) {
printf( "GetNamedSecurityInfo Error %u\n", dwRes );
goto Cleanup;
}

// Initialize an EXPLICIT_ACCESS structure for the new ACE.

ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = dwAccessRights;
ea.grfAccessMode = AccessMode;
ea.grfInheritance= dwInheritance;
ea.Trustee.TrusteeForm = TrusteeForm;
ea.Trustee.ptstrName = pszTrustee;

// Create a new ACL that merges the new ACE
// into the existing DACL.

dwRes = SetEntriesInAcl(1, &ea, pOldDACL, &pNewDACL);
if (ERROR_SUCCESS != dwRes) {
printf( "SetEntriesInAcl Error %u\n", dwRes );
goto Cleanup;
}

// Attach the new ACL as the object's DACL.

dwRes = SetNamedSecurityInfo(pszObjName, ObjectType,
DACL_SECURITY_INFORMATION,
NULL, NULL, pNewDACL, NULL);
if (ERROR_SUCCESS != dwRes) {
printf( "SetNamedSecurityInfo Error %u\n", dwRes );
goto Cleanup;
}

Cleanup:

if(pSD != NULL)
LocalFree((HLOCAL) pSD);
if(pNewDACL != NULL)
LocalFree((HLOCAL) pNewDACL);

return dwRes;
}


int main(void)
{
DWORD dwRes;
PSID pSIDEveryone = NULL;

SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;

// Build the well-known SID S-1-1-0 ("Everyone").
if (!AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &pSIDEveryone)) {
printf( "AllocateAndInitializeSid Error %u\n", GetLastError() );
return 1;
}

// Grants Everyone read access in the NTFS DACL of the directory object
// (SE_FILE_OBJECT). NO_INHERITANCE: the ACE applies to C:\abcd itself
// and is not propagated to its children.
dwRes = AddAceToObjectsSecurityDescriptor(L"C:\\abcd",
SE_FILE_OBJECT,
(LPTSTR) pSIDEveryone,
TRUSTEE_IS_SID,
GENERIC_READ,
GRANT_ACCESS,
NO_INHERITANCE);

FreeSid(pSIDEveryone);
return (ERROR_SUCCESS == dwRes) ? 0 : 1;
}


This does create "Everyone" in the Security tab of the directory, but I need to control access to the network share.

Please help.

Thanks
Anku Gupta