如何创建一个向所有人（Everyone）授予完全权限的目录

我需要以编程方式创建一个向“Everyone”组授予“完全控制”权限的目录。 如果我使用

CreateDirectory(path, NULL); 

根据 Win32 SDK 文档，这将创建一个从其父目录继承权限的目录。 我不想继承父目录的访问权限，我需要确保“Everyone”对该目录拥有完全控制权限。

显然,这将需要用适当的安全描述符来设置SECURITY_ATTRIBUTES结构。 我怎么做?

这是一种似乎可行的技术:

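 /*
 * Build a security descriptor whose DACL grants the well-known "Everyone"
 * group full control of the directory itself, then create `path` with it.
 *
 * - NO_INHERITANCE: the ACE applies to the directory only; it is not
 *   propagated to files or subdirectories created inside it later.
 * - SE_DACL_PROTECTED: without this control bit the system still merges the
 *   parent's inheritable ACEs into the new object's DACL, so the directory
 *   would NOT be isolated from its parent as the question requires.
 * - Every call is checked; on any failure `ok` stays FALSE and nothing is
 *   created. `path` is supplied by the caller; `ok` holds the result.
 */
BOOL ok = FALSE;
SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;
PSID everyone_sid = NULL;
PACL acl = NULL;
PSECURITY_DESCRIPTOR sd = NULL;

do {
    EXPLICIT_ACCESS ea;
    SECURITY_ATTRIBUTES sa;

    /* Everyone = world authority, single sub-authority SECURITY_WORLD_RID. */
    if (!AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID,
                                  0, 0, 0, 0, 0, 0, 0, &everyone_sid)) {
        break;
    }

    ZeroMemory(&ea, sizeof ea);
    ea.grfAccessPermissions = SPECIFIC_RIGHTS_ALL | STANDARD_RIGHTS_ALL;
    ea.grfAccessMode = SET_ACCESS;
    ea.grfInheritance = NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
    /* LPTSTR, not LPWSTR: EXPLICIT_ACCESS is the TCHAR-typed struct. */
    ea.Trustee.ptstrName = (LPTSTR)everyone_sid;

    /* SetEntriesInAcl reports failure via its DWORD return, not via `acl`. */
    if (SetEntriesInAcl(1, &ea, NULL, &acl) != ERROR_SUCCESS) {
        break;
    }

    sd = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);
    if (sd == NULL) {
        break;
    }
    if (!InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION)) {
        break;
    }
    /* bDaclPresent = TRUE, bDaclDefaulted = FALSE: an explicit, non-NULL DACL. */
    if (!SetSecurityDescriptorDacl(sd, TRUE, acl, FALSE)) {
        break;
    }
    /* Block inheritance of the parent's ACEs into this object's DACL. */
    if (!SetSecurityDescriptorControl(sd, SE_DACL_PROTECTED, SE_DACL_PROTECTED)) {
        break;
    }

    sa.nLength = sizeof sa;
    sa.lpSecurityDescriptor = sd;
    /* bInheritHandle controls handle inheritance by child processes; it is
     * unrelated to ACL inheritance. */
    sa.bInheritHandle = FALSE;

    ok = CreateDirectory(path, &sa);
} while (0);

/* The descriptor only has to outlive the CreateDirectory call. The ACL holds
 * its own copy of the SID, so release order between them does not matter.
 * LocalFree(NULL) is a documented no-op; FreeSid is only called when the SID
 * was actually allocated. */
if (everyone_sid != NULL) {
    FreeSid(everyone_sid);
}
LocalFree(sd);
LocalFree(acl);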

请注意,这个示例代码完全没有错误检查 – 你必须自己提供。

我更喜欢下面的代码片段，因为它先创建一个继承默认权限的文件夹——这似乎是正确的做法，其他软件/用户可能出于正当理由已经在某个目录上设置了特定的可继承权限——然后为内置的“Users”（用户）组添加一条授予完全控制的显式访问条目。

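 /*
 * Create the directory lpPath with the default (inherited) DACL, then append
 * an inheritable GRANT_ACCESS / GENERIC_ALL ACE for the BUILTIN\Users alias
 * (S-1-5-32-545) to it.
 *
 * Returns TRUE only when the directory was created AND the new DACL was
 * applied. If a step after CreateDirectory fails, the directory is left in
 * place with its inherited DACL and FALSE is returned; the caller decides
 * whether to remove it.
 *
 * Because the ACE carries CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE, every
 * file and subdirectory later created underneath also grants full control to
 * all members of Users; callers should only use this for data that is meant
 * to be writable by every local user.
 *
 * Fixes relative to the original: the DACL returned through ppDacl by
 * GetSecurityInfo points INSIDE the security descriptor buffer and must not
 * be passed to LocalFree (only the descriptor is freed); all API results are
 * now checked, so an uninitialized pOldDACL can no longer be used or freed.
 */
BOOL CreateDirectoryWithUserFullControlACL(LPCTSTR lpPath)
{
    BOOL ok = FALSE;
    HANDLE hDir = INVALID_HANDLE_VALUE;
    PSECURITY_DESCRIPTOR pSD = NULL;   /* owns the storage pOldDACL points into */
    PACL pOldDACL = NULL;              /* lives inside pSD; never freed directly */
    PACL pNewDACL = NULL;              /* allocated by SetEntriesInAcl; LocalFree'd */
    PSID pSid = NULL;
    SID_IDENTIFIER_AUTHORITY authNt = SECURITY_NT_AUTHORITY;
    EXPLICIT_ACCESS ea;

    if (!CreateDirectory(lpPath, NULL)) {
        return FALSE;
    }

    /* READ_CONTROL to read the current DACL, WRITE_DAC to replace it.
     * FILE_FLAG_BACKUP_SEMANTICS is required to obtain a directory handle.
     * NOTE(review): this re-opens the path by name after creating it; if the
     * parent is writable by untrusted users, consider also passing
     * FILE_FLAG_OPEN_REPARSE_POINT so a reparse point substituted in between
     * is not followed. */
    hDir = CreateFile(lpPath, READ_CONTROL | WRITE_DAC, 0, NULL, OPEN_EXISTING,
                      FILE_FLAG_BACKUP_SEMANTICS, NULL);
    if (hDir == INVALID_HANDLE_VALUE) {
        return FALSE;
    }

    /* GetSecurityInfo returns a Win32 error code, not a BOOL. */
    if (GetSecurityInfo(hDir, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
                        NULL, NULL, &pOldDACL, NULL, &pSD) != ERROR_SUCCESS) {
        goto cleanup;
    }

    /* BUILTIN\Users: NT authority, sub-authorities 32 (BUILTIN) and 545 (Users). */
    if (!AllocateAndInitializeSid(&authNt, 2, SECURITY_BUILTIN_DOMAIN_RID,
                                  DOMAIN_ALIAS_RID_USERS, 0, 0, 0, 0, 0, 0,
                                  &pSid)) {
        goto cleanup;
    }

    ZeroMemory(&ea, sizeof ea);
    ea.grfAccessMode = GRANT_ACCESS;
    ea.grfAccessPermissions = GENERIC_ALL;
    ea.grfInheritance = CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE;
    ea.Trustee.TrusteeType = TRUSTEE_IS_GROUP;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea.Trustee.ptstrName = (LPTSTR)pSid;

    /* Merge the new ACE with the existing (inherited) entries into pNewDACL. */
    if (SetEntriesInAcl(1, &ea, pOldDACL, &pNewDACL) != ERROR_SUCCESS) {
        goto cleanup;
    }

    if (SetSecurityInfo(hDir, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
                        NULL, NULL, pNewDACL, NULL) != ERROR_SUCCESS) {
        goto cleanup;
    }

    ok = TRUE;

cleanup:
    if (pSid != NULL) {
        FreeSid(pSid);
    }
    LocalFree(pNewDACL);   /* LocalFree(NULL) is a documented no-op */
    LocalFree(pSD);        /* also releases the memory pOldDACL points into */
    CloseHandle(hDir);
    return ok;
}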

看看你是否可以使用SetSecurityInfo()

在可选的pDacl参数的描述中:

…如果 SecurityInfo 参数的值包含 DACL_SECURITY_INFORMATION 标志，并且此参数的值设置为 NULL，则将对所有人授予对该对象的完全访问权限。