调用MFC或SDK中的哪个函数或方法可以生成与原文件具有相同安全属性的文件?就是在Win2K里, 查看文件属性时, “安全”那一栏显示该文件可以授权给哪些人使用,
比如原文件除了administrator, SYSTEM, administrators等之外还有一个asp_net账户, 但是用MFC里的函数生成一个原文件的副本后, 其他安全属性还在, 唯独asp_net没了。主要是这个文件要进行网络传输, 所以应该用什么函数或方法
才能使新文件具有与原文件相同的安全属性?
谢谢!
比如原文件除了administrator, SYSTEM, administrators等之外还有一个asp_net账户, 但是用MFC里的函数生成一个原文件的副本后, 其他安全属性还在, 唯独asp_net没了。主要是这个文件要进行网络传输, 所以应该用什么函数或方法
才能使新文件具有与原文件相同的安全属性?
谢谢!
看MSDN看得头晕, 被SID、ACL等等搞糊涂了。写了一些代码, 调用上面两个函数也出错: SID和ACL应该怎么生成, 然后由GetNamedSecurityInfo填充?
thx, 我头晕 @_@
CreateACLinWin2k.cpp
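*/
#define _WIN32_WINNT 0x0500
#include <windows.h>
#include <sddl.h>
#include <cstdio>

/// Creates C:\MyDir with an explicit DACL built from an SDDL string.
/// Returns 0 on success, 1 when the SDDL string cannot be converted or the
/// directory cannot be created; the Win32 error code is printed to stderr.
int main() {
    SECURITY_ATTRIBUTES sa;
    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    sa.bInheritHandle = FALSE;
    sa.lpSecurityDescriptor = NULL;

    // DACL only ("D:"): no owner/group, and no "P" (protected) flag, so
    // inheritable ACEs from the parent directory are still merged into the
    // new object's DACL. The deny ACE comes first (canonical order).
    // Trustee field: a two-letter alias (BG, SY, BA, IU; WD = Everyone) or,
    // for an account without an alias such as a local service account,
    // the account's SID in string form ("S-1-5-21-...").
    const char *szSD = "D:"               // DACL
        "(D;OICI;GA;;;BG)"                // Deny Guests
        "(A;OICI;GA;;;SY)"                // Allow SYSTEM Full Control
        "(A;OICI;GA;;;BA)"                // Allow Admins Full Control
        "(A;OICI;GRGWGX;;;IU)";           // Allow Interactive Users RWX

    if (!ConvertStringSecurityDescriptorToSecurityDescriptor(
            szSD,
            SDDL_REVISION_1,
            &(sa.lpSecurityDescriptor),
            NULL)) {
        fprintf(stderr, "ConvertStringSecurityDescriptorToSecurityDescriptor failed: %lu\n",
                GetLastError());
        return 1;
    }

    int rc = 0;
    if (!CreateDirectory("C:\\MyDir", &sa)) {
        // The original read GetLastError() into an unused local; report it.
        DWORD err = GetLastError();
        fprintf(stderr, "CreateDirectory failed: %lu\n", err);
        rc = 1;
    }
    // The descriptor was allocated by the convert call; LocalFree releases it.
    LocalFree(sa.lpSecurityDescriptor);
    return rc;
}
/*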
CreateACLwithATL.cpp
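*/
#include <atlsecurity.h>
#include <iostream>

using namespace std;

/// Creates c:\MyTestDir with a DACL assembled through the ATL security wrappers.
/// Returns 0 on success, 1 when an ATL call throws or CreateDirectory fails.
int main() {
    try {
        // The user accounts. The CSid constructors resolve the names and
        // throw CAtlException when an account cannot be looked up.
        CSid sidBlake("Northwindtraders\\blake");
        CSid sidAdmin("BUILTIN\\administrators");
        CSid sidGuests("Guests");

        // Create the ACL and populate with ACEs.
        // Note the deny ACE is placed before the allow ACEs (canonical order).
        // NOTE(review): no ACE is added for SYSTEM; only blake, Administrators
        // and the Guests deny entry are listed.
        CDacl dacl;
        dacl.AddDeniedAce(sidGuests, GENERIC_ALL);
        dacl.AddAllowedAce(sidBlake, GENERIC_READ);
        dacl.AddAllowedAce(sidAdmin, GENERIC_ALL);

        // Create the security descriptor and attributes.
        CSecurityDesc sd;
        sd.SetDacl(dacl);
        CSecurityAttributes sa(sd);

        // Create the directory with the security attributes.
        if (!CreateDirectory("c:\\MyTestDir", &sa)) {
            cerr << "CreateDirectory failed with error " << GetLastError() << endl;
            return 1;
        }
        cout << "Directory created!" << endl;
    } catch (const CAtlException& e) {  // catch by const reference, not by value
        cerr << "Error, application failed with error "
             << hex << static_cast<HRESULT>(e) << endl;
        return 1;
    }
    return 0;
}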
CreateACLinWinNT.cpp
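*/
#include <windows.h>
#include <stdio.h>
#include <aclapi.h>

// Fills one EXPLICIT_ACCESS entry for a SID trustee with NO_INHERITANCE.
static void FillSidAce(EXPLICIT_ACCESS& ea, DWORD permissions, ACCESS_MODE mode,
                       TRUSTEE_TYPE trusteeType, PSID sid) {
    ea.grfAccessPermissions = permissions;
    ea.grfAccessMode = mode;
    ea.grfInheritance = NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea.Trustee.TrusteeType = trusteeType;
    ea.Trustee.ptstrName = static_cast<LPTSTR>(sid);
}

/// Creates "C:\Program Files\MyStuff" with a DACL of three ACEs:
///   Network logon group     - deny all
///   Everyone                - read
///   BUILTIN\Administrators  - full control
/// Returns 0 on success, 1 on failure; the failing Win32 error code is
/// printed to stderr. SIDs, ACL and descriptor are released on every path.
int main() {
    PSID pEveryoneSID = NULL, pAdminSID = NULL, pNetworkSID = NULL;
    PACL pACL = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    int rc = 0;

    try {
        const int NUM_ACES = 3;
        EXPLICIT_ACCESS ea[NUM_ACES];
        ZeroMemory(ea, sizeof(ea));

        // Create a well-known SID for the Network logon group.
        SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;
        if (!AllocateAndInitializeSid(&SIDAuthNT, 1,
                                      SECURITY_NETWORK_RID,
                                      0, 0, 0, 0, 0, 0, 0,
                                      &pNetworkSID))
            throw GetLastError();
        FillSidAce(ea[0], GENERIC_ALL, DENY_ACCESS, TRUSTEE_IS_WELL_KNOWN_GROUP, pNetworkSID);

        // Create a well-known SID for the Everyone group.
        SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;
        if (!AllocateAndInitializeSid(&SIDAuthWorld, 1,
                                      SECURITY_WORLD_RID,
                                      0, 0, 0, 0, 0, 0, 0,
                                      &pEveryoneSID))
            throw GetLastError();
        FillSidAce(ea[1], GENERIC_READ, SET_ACCESS, TRUSTEE_IS_WELL_KNOWN_GROUP, pEveryoneSID);

        // Create a SID for the BUILTIN\Administrators group.
        if (!AllocateAndInitializeSid(&SIDAuthNT, 2,
                                      SECURITY_BUILTIN_DOMAIN_RID,
                                      DOMAIN_ALIAS_RID_ADMINS,
                                      0, 0, 0, 0, 0, 0,
                                      &pAdminSID))
            throw GetLastError();
        FillSidAce(ea[2], GENERIC_ALL, SET_ACCESS, TRUSTEE_IS_GROUP, pAdminSID);

        // Create a new ACL with the three ACEs. SetEntriesInAcl returns the
        // error code directly, so it is thrown as-is instead of GetLastError().
        DWORD aclErr = SetEntriesInAcl(NUM_ACES, ea, NULL, &pACL);
        if (aclErr != ERROR_SUCCESS)
            throw aclErr;

        // Initialize a security descriptor.
        pSD = static_cast<PSECURITY_DESCRIPTOR>(
            LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH));
        if (pSD == NULL)
            throw GetLastError();
        if (!InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION))
            throw GetLastError();

        // Add the ACL to the security descriptor.
        // NOTE(review): the DACL is not marked protected, so inheritable ACEs
        // from the parent directory are expected to be merged into the new
        // object's DACL on creation; confirm on the target system.
        if (!SetSecurityDescriptorDacl(pSD,
                                       TRUE,   // fDaclPresent flag
                                       pACL,
                                       FALSE)) // not a defaulted DACL
            throw GetLastError();

        SECURITY_ATTRIBUTES SA;
        SA.nLength = sizeof(SECURITY_ATTRIBUTES);
        SA.bInheritHandle = FALSE;
        SA.lpSecurityDescriptor = pSD;
        if (!CreateDirectory("C:\\Program Files\\MyStuff", &SA))
            throw GetLastError();
    } catch (DWORD err) {
        // Every throw above carries a Win32 error code; report it rather
        // than swallowing it silently.
        fprintf(stderr, "Error %lu\n", err);
        rc = 1;
    }

    // Cleanup runs on both the success and the failure path.
    if (pSD)
        LocalFree(pSD);
    if (pACL)
        LocalFree(pACL);
    // Call FreeSid for each SID allocated by AllocateAndInitializeSid.
    if (pEveryoneSID)
        FreeSid(pEveryoneSID);
    if (pNetworkSID)
        FreeSid(pNetworkSID);
    if (pAdminSID)
        FreeSid(pAdminSID);
    return rc;
}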
如果要为aspnet账户生成一条ACE, 在"(A;OICI;GRGWGX;;;XX)"的XX处应该填入什么呢?还有, 如果要加入Everyone, 那么应该添加什么呢?我没查到相应的设置文档。
谢谢
要的是aspnet的SID, 因为文件要被ASP.NET服务器访问, 但是生成的文件(服务器端)不具有这个属性; 用Everyone可以, 但是降低了安全性。
谢谢