You should test the standard access rights (bits 16-23); of the high 8 bits, the first four are there to simplify code when setting permissions and are automatically mapped to the standard access rights in bits 16-23 when set, and the last 4 bits are reserved. The Windows API also defines the following combinations of the standard access rights constants.
Constant Meaning
STANDARD_RIGHTS_ALL Combines DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, and SYNCHRONIZE access.
STANDARD_RIGHTS_EXECUTE Currently defined to equal READ_CONTROL.
STANDARD_RIGHTS_READ Currently defined to equal READ_CONTROL.
STANDARD_RIGHTS_REQUIRED Combines DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER access.
STANDARD_RIGHTS_WRITE Currently defined to equal READ_CONTROL.
ret = GetSecurityDescriptorDacl(p->shi502_security_descriptor, &preBool, &pacl, &defaultBool); // p is a PSHARE_INFO_502
ACCESS_MASK mask;
TRUSTEE trustee;
LPTSTR groupname = "Administrator";
trustee.pMultipleTrustee = NULL;
trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
trustee.TrusteeForm = TRUSTEE_IS_NAME;
trustee.TrusteeType = TRUSTEE_IS_USER;
trustee.ptstrName = groupname;
DWORD dret = GetEffectiveRightsFromAcl(pacl, &trustee, &mask);
if(dret != ERROR_SUCCESS)
    return;
if(mask & GENERIC_READ)
{
    ShowMessage("Administrator has read right");
}
It seems to me there is no error, and every function returns a correct result... but the outcome does not match the actual situation (Administrator has read permission).
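LogonUser needs a user name and password, which I am unlikely to know (one machine can have any number of users).
And what happens after impersonating the user? The main question is how the security descriptor I obtained corresponds to permissions.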
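1. Call GetAclInformation to get the number of entries in the ACL.
2. Then call GetAce to get a pointer to each "access control entry" (ACCESS_ALLOWED_ACE *), and judge the access rights from (ACCESS_ALLOWED_ACE *)pACE->mask.
3. Call LookupAccountSid(NULL, pACE->SidStart, ...); look up the SID from pACE->SidStart to get the user and group information.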
Thank you very much. I used the following code:
char Buf[10000];
ret = GetAclInformation(pacl, Buf, 10000, AclSizeInformation);
ACL_SIZE_INFORMATION *pcount;
pcount = (ACL_SIZE_INFORMATION *)Buf;
for(DWORD i=0;i<pcount->AceCount;i++)
{
    LPVOID pace;
    ret = GetAce(pacl, i, &pace);
    if( ((ACCESS_ALLOWED_ACE *)pace)->Mask & GENERIC_WRITE)
    {
        printf("write right\n");
    }
}
Is this how to check whether an ACE has write permission?
((ACCESS_ALLOWED_ACE *)pace)->Mask & GENERIC_WRITE
But why are the high 8 bits of every Mask I get all 0? (I have already added two users with write permission to this directory.)
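Of the high 8 bits, the first four are there to simplify code when setting permissions and are automatically mapped to the standard access rights in bits 16-23 when set; the last 4 bits are reserved. The Windows API also defines the following combinations of the standard access rights constants.
Constant Meaning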
STANDARD_RIGHTS_ALL Combines DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, and SYNCHRONIZE access.
STANDARD_RIGHTS_EXECUTE Currently defined to equal READ_CONTROL.
STANDARD_RIGHTS_READ Currently defined to equal READ_CONTROL.
STANDARD_RIGHTS_REQUIRED Combines DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER access.
STANDARD_RIGHTS_WRITE Currently defined to equal READ_CONTROL.
Thank you very much.
This is solved; I will close the thread shortly.
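An added example (not code from any poster in this thread) showing why `Mask & GENERIC_WRITE` is zero for a stored ACE mask and how to test the mapped bits instead. It is portable C with constant values copied from winnt.h under hypothetical `am_`/`AM_` names; it assumes the file/directory generic mapping and uses constructed sample masks.

```c
#include <stdint.h>
#include <stdio.h>

/* Values mirror winnt.h; names are prefixed so the file builds on any platform. */
#define AM_GENERIC_READ     0x80000000u
#define AM_GENERIC_WRITE    0x40000000u
#define AM_GENERIC_EXECUTE  0x20000000u
#define AM_GENERIC_ALL      0x10000000u
#define AM_GENERIC_BITS     0xF0000000u

/* Counterpart of GENERIC_MAPPING: what each generic bit means for one object type. */
typedef struct { uint32_t read, write, execute, all; } am_mapping;

/* Assumed mapping: FILE_GENERIC_READ / WRITE / EXECUTE and FILE_ALL_ACCESS. */
static const am_mapping AM_FILE_MAPPING = { 0x00120089u, 0x00120116u, 0x001200A0u, 0x001F01FFu };

/* Same effect as MapGenericMask: expand the generic bits, then clear them. */
uint32_t am_map_generic(uint32_t mask, const am_mapping *m)
{
    if (mask & AM_GENERIC_READ)    mask |= m->read;
    if (mask & AM_GENERIC_WRITE)   mask |= m->write;
    if (mask & AM_GENERIC_EXECUTE) mask |= m->execute;
    if (mask & AM_GENERIC_ALL)     mask |= m->all;
    return mask & ~AM_GENERIC_BITS;
}

/* The test used in the thread: AND the stored mask with a generic constant. */
int am_naive_check(uint32_t ace_mask, uint32_t generic_right)
{
    return (ace_mask & generic_right) != 0;
}

/* Map both sides first, then require every bit of the wanted right. */
int am_ace_grants(uint32_t ace_mask, uint32_t wanted, const am_mapping *m)
{
    uint32_t have = am_map_generic(ace_mask, m);
    uint32_t need = am_map_generic(wanted, m);
    return need != 0 && (have & need) == need;
}

int main(void)
{
    /* Constructed sample masks: a "Modify" and a "Read & execute" allow ACE on a directory. */
    const uint32_t modify = 0x001301BFu, read_exec = 0x001200A9u;
    printf("modify:    naive=%d mapped=%d\n", am_naive_check(modify, AM_GENERIC_WRITE),
           am_ace_grants(modify, AM_GENERIC_WRITE, &AM_FILE_MAPPING));
    printf("read_exec: naive=%d mapped=%d\n", am_naive_check(read_exec, AM_GENERIC_WRITE),
           am_ace_grants(read_exec, AM_GENERIC_WRITE, &AM_FILE_MAPPING));
    return 0;
}
```

When this check is applied to real ACEs on Windows, read AceType from the ACE header first: an access-denied ACE carries its mask at the same offset as an access-allowed one.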