RE: Creating a directory with security attributes.
From: Steve Friedl [MVP] (Friedl_at_discussions.microsoft.com)
Date: 11/22/04
- Next message: Steve Friedl [MVP]: "RE: Creating a directory with security attributes."
- Previous message: Steve Friedl [MVP]: "RE: Where are NTFS perms stored?"
- In reply to: Kevin Burton: "Creating a directory with security attributes."
- Next in thread: Kevin Burton: "RE: Creating a directory with security attributes."
- Reply: Kevin Burton: "RE: Creating a directory with security attributes."
- Reply: Kevin Burton: "RE: Creating a directory with security attributes."
- Reply: Kevin Burton: "RE: Creating a directory with security attributes."
- Reply: Kevin Burton: "RE: Creating a directory with security attributes."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 21 Nov 2004 20:19:01 -0800
"Kevin Burton" wrote:
> TCHAR * szSD = TEXT("D:") // Discretionary ACL
> TEXT("(D;OICI;GA;;;BG)") // Deny access to built-in guests
> TEXT("(D;OICI;GA;;;AN)") // Deny access to anonymous logon
> TEXT("(A;OICI;GRGWGX;;;AU)") // Allow r/w/x to authenticated users
> TEXT("(A;OICI;GA;;;BA)") // Allow full control to administrators
> TEXT("(A;OICI;GA;;;DU)"); // Allow full control to domain users
It seems that the problem is with the "AN" and "DU" tokens that specify
"Anonymous users" and "Domain Users" - I'm not sure why this is the case. You
can see for yourself by making a small test program that comments these lines
out:
When these tokens are converted to the S-format, it seems to work:
#define _WIN32_WINNT 0x0500
#include <windows.h>
#include <sddl.h>
#include <stdio.h>
#include <tchar.h>

int __cdecl _tmain(void)
{
    SECURITY_ATTRIBUTES sa;
    ZeroMemory(&sa, sizeof sa);
    sa.nLength = sizeof sa;
    sa.bInheritHandle = FALSE;

    /* The two ACEs that use the "AN" and "DU" trustee tokens are commented out. */
    const TCHAR * szSD =
        _T("D:")                      // Discretionary ACL
        _T("(D;OICI;GA;;;BG)")        // Deny access to built-in guests
    //  _T("(D;OICI;GA;;;AN)")        // Deny access to anonymous logon
        _T("(A;OICI;GRGWGX;;;AU)")    // Allow r/w/x to authenticated users
        _T("(A;OICI;GA;;;BA)")        // Allow full control to administrators
    //  _T("(A;OICI;GA;;;DU)")        // Allow full control to domain users
        ;

    if ( ! ConvertStringSecurityDescriptorToSecurityDescriptor(
                szSD,
                SDDL_REVISION_1,
                &sa.lpSecurityDescriptor,
                NULL) )
    {
        /* GetLastError() returns a DWORD, so print it as unsigned long. */
        printf("failed: err#%lu\n", GetLastError() );
    }
    else
    {
        printf("converted OK\n");
        /* The descriptor is allocated by the system; release it with LocalFree. */
        LocalFree(sa.lpSecurityDescriptor);
    }
    return 0;
}
With this more limited string, it works (I figured it out by trial-and-error).
Replacing these tokens for the ACE trustee (ref:
http://msdn.microsoft.com/library/en-us/secauthz/security/sid_strings.asp )
with the S-format seems to help:
// deny access to anonymous logins
> TEXT("(D;OICI;GA;;;AN)") // doesn't seem to work
> TEXT("(D;OICI;GA;;;S-1-5-7)") // seems to work OK
Finding the SID for the domain users is left as an exercise to the reader.
Not sure if this is a bug or not...
Steve
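A small helper, added here and not part of Steve's or Kevin's posts, that applies Steve's workaround mechanically: it walks an SDDL DACL string, rewrites each trustee token that has a constant, machine-independent SID (AN, AU, BA, BG) into its S-form, and counts the tokens it cannot expand, such as DU, whose SID is domain-relative (S-1-5-21-<domain>-513) and can only be resolved with the domain's SID. The token-to-SID table is assumed from the SDDL SID-string documentation and covers only a few entries; the resulting string is what you would then hand to ConvertStringSecurityDescriptorToSecurityDescriptor.

```c
#include <string.h>

/* SDDL trustee tokens whose SIDs are fixed on every machine (assumed
   table, part of this added example rather than of the thread). */
struct alias { const char *tok; const char *sid; };
static const struct alias kConst[] = {
    { "AN", "S-1-5-7"      },  /* Anonymous logon        */
    { "AU", "S-1-5-11"     },  /* Authenticated users    */
    { "BA", "S-1-5-32-544" },  /* Builtin Administrators */
    { "BG", "S-1-5-32-546" },  /* Builtin Guests         */
};

static const char *lookup(const char *tok, size_t len)
{
    for (size_t i = 0; i < sizeof kConst / sizeof kConst[0]; i++)
        if (strlen(kConst[i].tok) == len && memcmp(kConst[i].tok, tok, len) == 0)
            return kConst[i].sid;
    return NULL;
}

/* Copies SDDL string `in` to `out` (capacity `cap`), rewriting the trustee
   (6th field) of each ACE to S-form where the SID is constant. Returns how
   many trustees were left as-is because no constant SID exists (e.g. DU,
   which is domain-relative), or -1 on a malformed ACE or small buffer. */
int sddl_expand_trustees(const char *in, char *out, size_t cap)
{
    size_t o = 0; int unresolved = 0; const char *p = in;
    if (cap == 0) return -1;
    while (*p) {
        /* Text outside an ACE ("D:", "S:", flags) is copied unchanged. */
        if (*p != '(') { if (o + 1 >= cap) return -1; out[o++] = *p++; continue; }
        const char *end = strchr(p, ')');
        if (!end) return -1;
        const char *t = p; int semis = 0;      /* trustee follows the 5th ';' */
        while (t < end && semis < 5) if (*t++ == ';') semis++;
        if (semis < 5) return -1;
        size_t tlen = (size_t)(end - t);
        const char *sid = lookup(t, tlen);
        if (!sid && strncmp(t, "S-1-", 4) != 0) unresolved++;
        size_t head = (size_t)(t - p), rlen = sid ? strlen(sid) : tlen;
        if (o + head + rlen + 1 >= cap) return -1;
        memcpy(out + o, p, head);             o += head;
        memcpy(out + o, sid ? sid : t, rlen); o += rlen;
        out[o++] = ')';
        p = end + 1;
    }
    out[o] = '\0';
    return unresolved;
}
```

Feeding Kevin's full string through it yields the same descriptor with every constant trustee in S-form and a count of 1 for the remaining DU token, which still has to be looked up against the actual domain.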