Good morning Zandr, welcome to Microsoft Newsgroup Support service! My name
is Jialiang Ge [MSFT]. It's my pleasure to work with you on this issue.
In order to programmatically change a file's permission settings, the native
APIs GetNamedSecurityInfo, SetEntriesInAcl and SetNamedSecurityInfo will
be helpful. If you are writing .NET code, the FileSecurity class
provided by the .NET class library exposes an easier interface for programming
against file permissions.
1) Remove user X permissions;
================
Native C++ solution:
http://msdn.microsoft.com/en-us/library/aa379283(VS.85).aspx
I found this example for your reference. The function
"AddAceToObjectsSecurityDescriptor" can be used to add a user to or remove a
user from the file's ACL (Access Control List). For example,
#include <windows.h>
#include <aclapi.h>

PSID pSIDEveryone = NULL;
SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;

// Build the well-known SID S-1-1-0 ("Everyone").
AllocateAndInitializeSid(&SIDAuthWorld, 1,
    SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0,
    &pSIDEveryone);

// Helper from the MSDN sample linked above; REVOKE_ACCESS removes every
// ACE for this trustee, so the GENERIC_READ argument is not consulted.
AddAceToObjectsSecurityDescriptor(L"D:\\Permission\\test.txt",
    SE_FILE_OBJECT, (LPTSTR) pSIDEveryone, TRUSTEE_IS_SID,
    GENERIC_READ, REVOKE_ACCESS, NO_INHERITANCE);

FreeSid(pSIDEveryone);
This piece of code removes the user "Everyone" from the permission list of
file "D:\Permission\test.txt".
Inside AddAceToObjectsSecurityDescriptor, it basically does three things:
a. get the security info of the target file (GetNamedSecurityInfo)
b. update the security info according to our parameters (SetEntriesInAcl)
c. set the updated security info to the target file (SetNamedSecurityInfo)
================
.NET solution:
How to: Add or Remove Access Control List Entries
http://msdn.microsoft.com/en-us/library/ms229078.aspx
using System.IO;
using System.Security.AccessControl;

public static void RemoveFileSecurity(string fileName, string account,
    FileSystemRights rights, AccessControlType controlType)
{
    // Get a FileSecurity object that represents the
    // current security settings.
    FileSecurity fSecurity = File.GetAccessControl(fileName);

    // Remove the FileSystemAccessRule from the security settings.
    fSecurity.RemoveAccessRule(new FileSystemAccessRule(account,
        rights, controlType));

    // Set the new access settings.
    File.SetAccessControl(fileName, fSecurity);
}
Inside RemoveFileSecurity, it does almost the same thing as
AddAceToObjectsSecurityDescriptor:
a. get the security info of the target file (File.GetAccessControl)
b. update the security info according to our parameters
(fSecurity.RemoveAccessRule)
c. set the updated security info to the target file (File.SetAccessControl)
2) Add CREATOR_OWNER's permissions (inherited from parent directory) to
user Y.
The basic idea of implementing this is similar to the first request. I
think that we would need to modify AddAceToObjectsSecurityDescriptor based
on this logic:
a. get the security info of the target file (GetNamedSecurityInfo)
- no change
b. get the CREATOR_OWNER's EXPLICIT_ACCESS from the security info
The API GetExplicitEntriesFromAcl will be helpful
http://msdn.microsoft.com/en-us/library/aa446638(VS.85).aspx
c. duplicate the EXPLICIT_ACCESS value of CREATOR_OWNER to the user Y.
Create a new EXPLICIT_ACCESS for the user Y, and copy CREATOR_OWNER's
EXPLICIT_ACCESS to it.
d. update the security info for user Y (SetEntriesInAcl)
- no change
e. set the updated security info to the target file (SetNamedSecurityInfo)
- no change
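The same step-2 logic in .NET, as an added example that is not from the MSDN sample or the post above. It assumes .NET Framework (or the System.IO.FileSystem.AccessControl package on .NET Core and later); CreatorOwnerCopy and CopyCreatorOwnerRules are hypothetical names. One caveat a practitioner should know: CREATOR OWNER (S-1-3-0) is a placeholder SID, and when one of its ACEs is inherited onto a file it is rewritten for the file's actual owner, so the placeholder entries are only visible on the parent directory, which is where this example reads them from.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class CreatorOwnerCopy
{
    // Hypothetical helper: reads the CREATOR OWNER rules on the file's
    // parent directory and grants the same rights to 'account' as explicit
    // ACEs on the file itself. Returns the number of rules copied.
    public static int CopyCreatorOwnerRules(string fileName, string account)
    {
        var creatorOwner = new SecurityIdentifier(WellKnownSidType.CreatorOwnerSid, null);
        var userY = new NTAccount(account);

        // Step b: the CREATOR OWNER placeholder entries live on the directory.
        string parent = Path.GetDirectoryName(Path.GetFullPath(fileName));
        DirectorySecurity dirSecurity = new DirectoryInfo(parent).GetAccessControl();

        // Step a: current security info of the target file.
        var fileInfo = new FileInfo(fileName);
        FileSecurity fileSecurity = fileInfo.GetAccessControl();

        int copied = 0;
        // includeExplicit = true, includeInherited = true; compare by SID.
        foreach (FileSystemAccessRule rule in
                 dirSecurity.GetAccessRules(true, true, typeof(SecurityIdentifier)))
        {
            if (!creatorOwner.Equals(rule.IdentityReference)) continue;

            // Steps c and d: same rights and allow/deny type for user Y.
            // A file has no children, so inheritance flags are cleared.
            fileSecurity.AddAccessRule(new FileSystemAccessRule(
                userY, rule.FileSystemRights,
                InheritanceFlags.None, PropagationFlags.None,
                rule.AccessControlType));
            copied++;
        }

        // Step e: write the updated DACL back to the file.
        if (copied > 0)
            fileInfo.SetAccessControl(fileSecurity);
        return copied;
    }
}
```

Call it as CopyCreatorOwnerRules(@"D:\Permission\test.txt", @"DOMAIN\userY") from an account that holds WRITE_DAC on the file; a return value of 0 means the parent directory carries no CREATOR OWNER entries.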
Additional Materials that may be helpful to you:
Understanding Windows File And Registry Permissions
http://msdn.microsoft.com/en-us/magazine/cc982153.aspx
The Windows Access Control Model
http://www.codeproject.com/KB/winsdk/accessctrl1.asp
http://www.codeproject.com/KB/winsdk/accessctrl2.asp
http://www.codeproject.com/KB/winsdk/accessctrl3.asp
http://www.codeproject.com/KB/winsdk/accessctrl4.asp
Please let me know whether the above info is helpful to you or not. I will
be more than happy to be of more assistance.
Have a very nice day!
Regards,
Jialiang Ge (***@online.microsoft.com, remove 'online.')
Microsoft Online Community Support