Re: User access rights within process on Vista
- From: "Paul Baker [MVP, Windows - SDK]" <paulrichardbaker@xxxxxxxxxxxxxxxx>
- Date: Fri, 29 Feb 2008 12:17:39 -0500
Milan,
Oh. I think we understand each other now.
You want to do it based on an object name and type (there are 13 types, of
which you commonly use 2). Now everything you said makes sense to me.
Sorry, I just thought it would be a good idea for us to understand one
another.
Paul
"Milan Tomes" <MilanTomes@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:FE6F54CA-21C5-4682-A15A-F8D00A13E92A@xxxxxxxxxxxxxxxx
Hi Paul,
I understand what you want to tell me, but there is one fact I can't
overlook. I don't need a function that looks only into registry and
another
for files etc... I want a function that can look into registry/files/dirs
etc. with one piece of code. You offered me a good idea, but not usable in
this case. I still want to write a function that can look on more
different
types of secured objects.
Thanks Milan
"Paul Baker [MVP, Windows - SDK]" wrote:
Milan,
AccessCheck is usually used for custom implementation of ACLs like when
you
call OpenPrinter for a server and there is a hard-coded ACL, since a
server is not a kernel secured object.
A registry key is kernel secured so RegOpenKeyEx will work for you.
Paul
"Paul Baker [MVP, Windows - SDK]" <paulrichardbaker@xxxxxxxxxxxxxxxx>
wrote
in message news:%235TOgxteIHA.1184@xxxxxxxxxxxxxxxxxxxxxxx
Milan,
Nope, we're still misunderstanding each other.
The good and simple way = use RegOpenKeyEx with KEY_CREATE_SUB_KEY.
This
does NOT actually change anything, just looks.
The good and hard way = use AccessCheck.
The poor way = use RegCreateKey. This WOULD actually create a key.
Paul
"Milan Tomes" <MilanTomes@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:948ACE20-7672-4271-9689-3C42C81836E6@xxxxxxxxxxxxxxxx
You got it - I'll not use that poor programming style so I want to
know
how
to use AccessCheck function. :)
It's not about registry only, but I need it to check access rights to
dirs,
files etc... If it will be for registry only I'll use that "poor" way,
but
it's not.
"Paul Baker [MVP, Windows - SDK]" wrote:
One of us is certainly not understanding the other.
It seems to me that using RegOpenKeyEx on the parent key with
KEY_CREATE_SUB_KEY will tell you if you have access to create a
subkey
without creating anything and with far less complexity. You can do
this
during startup. Of course, there is always a chance that something
will
have
changed by the time you actually want to create the subkey, but
that's
fine
and that's what you want.
I do agree that *creating* a key, file, directory, etc. simply to
check
access is poor programming style.
Paul
"Milan Tomes" <MilanTomes@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E29F9B3F-36A5-47E1-8497-A414B705CD2F@xxxxxxxxxxxxxxxx
I've already solved it using some other API functions (not
AccessCheck)
and I
want to use this function. My code is accepting user rights
modification,
but
I guess AccessCheck function will provide up-to-date functionality
so
I
really want to use this function.
And in response to your question "Why not" I'll tell - I already
told
enough
informations why I don't want use this style of programming. I need
to
check
access rights to registry (file, dir etc.) without trying to write
some
value
& test result. I want to read access rights and enable/disable some
functions
in my program. Thats it. Can/want you still help me ?
But I guess you didn't understand me - my program will not let user
do
something and then get him a message like "You haven't enough
access
rightsto
do this", but I want to check access rights in startup phase of my
application & disable functions that user can't do.
Milan Tomes
"Chris Becke" wrote:
Why not? Testing abstract access rights doesnt really help you as
it
is
technically possible for the permissions on each of those entities
to
be
individually modified.
A simple single test will merely provide a hint that the operation
you
want
to do later, may or may not fail.
Now, waiting for the user to try and do an operation before you
tell
them
that the operation can't be done is - in some books - bad UI
design.
So the option is to - up front - open the various parent resources
that
you
may wish to create sub resources within - specifying the access
flags
requesting child creation rights. If those fail - any one of
them -
disable
the admin ui and run in viewer mode.
Chris.
"Milan Tomes" <MilanTomes@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:FB8EE439-08F6-41EC-A70A-2596F522AA72@xxxxxxxxxxxxxxxx
Hi Paul,
it's not only about registry. I need to know access rights to
registry,
files, directories etc...
Trying to make that action & test result for something like
ERROR_ACCESS_DENIED isn't acceptable for me.
"Paul Baker [MVP, Windows - SDK]" wrote:
Oh, you want to know if you can create a key.
In that case, you use RegOpenKeyEx to try to open the parent
key
with
KEY_CREATE_SUB_KEY access.
Paul
"Paul Baker [MVP, Windows - SDK]"
<paulrichardbaker@xxxxxxxxxxxxxxxx>
wrote
in message news:OIEzKQKeIHA.1204@xxxxxxxxxxxxxxxxxxxxxxx
If you try to open it and it fails with ERROR_ACCESS_DENIED,
you
do
not
have access and you can go ahead and disable stuff.
Paul
"Milan Tomes" <MilanTomes@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:61DD7D81-C9F9-49CE-9C56-93D65CDF136B@xxxxxxxxxxxxxxxx
Paul,
I really need to know if my application have rights for
creating
specific
key in the registry (eg. HKU\.DEFAULT\Software) because if
not
I'll
disable
some functions in my application. Is a bit more complex
problem,
but I
still
need to know if I have that rights.
"Paul Baker [MVP, Windows - SDK]" wrote:
Milan,
I haven't used AccessCheck myself in a long time. I am
still
not
understanding why you don't call RegOpenKey. If it returns
True,
the
access
you requested was granted and it opened the key. If it
returns
False,
it
did
not open the key. If GetLastError returns
ERROR_ACCESS_DENIED,
the
reason it
did not open the key was that that the access you requested
was
not
granted.
Is that different from what you need to know?
Or, do you simply want to know if the process is running
elevated?
I
think
you can call GetTokenInformation with TokenElevation for
that.
The
MSDN
documentation say it requires Windows Server 2008 but I
would
be
suprised if
that's true.
Paul
"Milan Tomes" <MilanTomes@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in
message
news:9153C533-3227-4305-9FAB-BED6F7A3761A@xxxxxxxxxxxxxxxx
For now I've solved my problem with following function.
That
only
problem
was
in a processing group SIDs where I've not tested
SE_GROUP_USE_FOR_DENY_ONLY
attribute. If you still have any opinion / advice how to
use
AccessCheck
I'll
appreciate it.
function GetNTAccessRights(AObject: PChar; AObjectType:
SE_OBJECT_TYPE):
ACCESS_MASK;
procedure ApplyAllowMask(Mask: ACCESS_MASK; var Result:
ACCESS_MASK);
begin
Result := Result or Mask;
end;
procedure ApplyDenyMask(Ace: TAce; var Result:
ACCESS_MASK);
var
Mask: ACCESS_MASK;
i: byte;
BoolArray: TBooleanArray;
begin
case Ace.AceType of
ACCESS_ALLOWED_ACE_TYPE: Mask :=
Ace.AccessAllowedAce.Mask;
ACCESS_DENIED_ACE_TYPE: Mask :=
Ace.AccessDeniedAce.Mask;
else
exit;
end;
BitsToBooleans(Mask, BoolArray, true);
for i := 0 to 31 do
if BoolArray[i] then
ClearBit(Integer(Result), i);
end;
procedure ProcessAce(Ace: TAce; var Result:
ACCESS_MASK);
begin
case Ace.AceType of
ACCESS_ALLOWED_ACE_TYPE:
ApplyAllowMask(Ace.AccessAllowedAce.Mask,
Result);
ACCESS_DENIED_ACE_TYPE: ApplyDenyMask(Ace, Result);
end;
end;
var
SD: Pointer;
DACL: PACL;
Err: Cardinal;
GetNamedSecurityInfo: TGetNamedSecurityInfoProc;
DllHnd: HModule;
Token: THandle;
BufferLength: DWORD;
GroupsTokenInfo: PTokenGroups;
UserTokenInfo: PTokenUser;
Ace: PAce;
AceIndex: word;
AceSid: PSid;
i: cardinal;
begin
Result := $FFFFFFFF;
if not isWinNT then
exit;
DllHnd := 0;
Token := INVALID_HANDLE_VALUE;
UserTokenInfo := nil;
GroupsTokenInfo := nil;
try
Result := 0;
//Dynamicky nalinkuj potrebne funkce
DllHnd := LoadLibrary('ADVAPI32.DLL');
if DllHnd = 0 then
raise EG3OSError.Create('Nelze naèíst knihovnu
AdvApi32.dll
!!!');
@GetNamedSecurityInfo := GetProcAddress(DllHnd,
'GetNamedSecurityInfoA');
//Zjisti token
if not OpenProcessToken(GetCurrentProcess,
TOKEN_QUERY,
Token)
then
raise EG3OSError.Create('Nastala chyba pøi
zjis?ování
pøístupových
práv k objektu ' + AObject + ' (OpenProcessToken) !!!');
//Zjisti SID vlastnika procesu
if not GetTokenInformation(Token, TokenUser, nil, 0,
BufferLength)
then
begin
Err := GetLastError;
if Err <> ERROR_INSUFFICIENT_BUFFER then
raise EG3OSError.CreateCode('Nastala chyba pøi
zjis?ování
.
- References:
- Re: User access rights within process on Vista
- From: Paul Baker [MVP, Windows - SDK]
- Re: User access rights within process on Vista
- From: Milan Tomes
- Re: User access rights within process on Vista
- From: Milan Tomes
- Re: User access rights within process on Vista
- From: Paul Baker [MVP, Windows - SDK]
- Re: User access rights within process on Vista
- From: Milan Tomes
- Re: User access rights within process on Vista
- From: Paul Baker [MVP, Windows - SDK]
- Re: User access rights within process on Vista
- From: Paul Baker [MVP, Windows - SDK]
- Re: User access rights within process on Vista
- From: Milan Tomes
- Re: User access rights within process on Vista
- From: Chris Becke
- Re: User access rights within process on Vista
- From: Milan Tomes
- Re: User access rights within process on Vista
- From: Paul Baker [MVP, Windows - SDK]
- Re: User access rights within process on Vista
- From: Milan Tomes
- Re: User access rights within process on Vista
- From: Paul Baker [MVP, Windows - SDK]
- Re: User access rights within process on Vista
- From: Paul Baker [MVP, Windows - SDK]
- Re: User access rights within process on Vista
- From: Milan Tomes
- Re: User access rights within process on Vista
- Prev by Date: Re: User access rights within process on Vista
- Next by Date: Can't set a DACL on a folder that was NULLed.
- Previous by thread: Re: User access rights within process on Vista
- Next by thread: Importing a PFX using CNG APIS on Vista
- Index(es):
Relevant Pages
|
