c - What is the counterpart to the GetExplicitEntriesFromAcl() Win32 API function?
The GetExplicitEntriesFromAcl Win32 API function allows retrieving the explicit entries of a file ACL. When I change the entries, convert the result into a new ACL using SetEntriesInAcl, and apply the ACL to the file with SetSecurityInfo, the inherited entries seem to be lost, and only the (changed) explicit entries are left.

Is there a counterpart function "SetExplicitEntriesInAcl" that replaces the explicit entries within an ACL structure and keeps the inherited entries intact?
Edit 1: code sample

I'm using code similar to the following lines for the ACL update:

```c
#include <windows.h>
#include <aclapi.h>

int RemoveAclAccessRights(HANDLE hfile, PSID sidptr, DWORD accessrights, ACCESS_MODE accessmode)
{
    PACL oldacl = NULL, newacl = NULL;
    PSECURITY_DESCRIPTOR secdesc = NULL;
    PEXPLICIT_ACCESS entrylist = NULL, entryitem;
    ULONG entrycount, entryindex;
    int r;

    // pointer to the existing DACL
    r = GetSecurityInfo(hfile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
                        NULL, NULL, &oldacl, NULL, &secdesc);
    if (r != ERROR_SUCCESS) goto _cleanup;

    r = GetExplicitEntriesFromAcl(oldacl, &entrycount, &entryitem);
    if (r != ERROR_SUCCESS) goto _cleanup;
    entrylist = entryitem;

    entryindex = 0;
    while (entryindex < entrycount) {
        // ... update access entry ...
        entryindex++;
        entryitem++;
    }

    // create a new ACL from the explicit entries of the existing DACL
    r = SetEntriesInAcl(entrycount, entrylist, NULL, &newacl);
    if (r != ERROR_SUCCESS) goto _cleanup;

    // attach the new ACL as the object's DACL
    r = SetSecurityInfo(hfile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
                        NULL, NULL, newacl, NULL);

_cleanup:
    LocalFree(newacl);
    LocalFree(entrylist);
    LocalFree(secdesc);
    return r;
}
```
Edit 2: ACLs of the file and the parent directory

Output of icacls on the file:

```
> icacls testacl01.txt
testacl01.txt VORDEFINIERT\Gäste:(R)
              VORDEFINIERT\Administratoren:(I)(F)
              NT-AUTORITÄT\SYSTEM:(I)(F)
              NT-AUTORITÄT\Authentifizierte Benutzer:(I)(M)
              VORDEFINIERT\Benutzer:(I)(RX)
```

Output of icacls on the parent directory:

```
> icacls .
. VORDEFINIERT\Administratoren:(I)(F)
  VORDEFINIERT\Administratoren:(I)(OI)(CI)(IO)(F)
  NT-AUTORITÄT\SYSTEM:(I)(F)
  NT-AUTORITÄT\SYSTEM:(I)(OI)(CI)(IO)(F)
  NT-AUTORITÄT\Authentifizierte Benutzer:(I)(M)
  NT-AUTORITÄT\Authentifizierte Benutzer:(I)(OI)(CI)(IO)(M)
  VORDEFINIERT\Benutzer:(I)(RX)
  VORDEFINIERT\Benutzer:(I)(OI)(CI)(IO)(GR,GE)
```

The file has one explicit entry, "VORDEFINIERT\Gäste:(R)" (SID "S-1-5-32-546"). The other entries are inherited from the parent directory.
In the while loop above I am trying to delete the explicit entry if it matches the SID, using code like:

```c
if ((entryitem->Trustee.TrusteeForm == TRUSTEE_IS_SID) &&
    EqualSid((PSID)entryitem->Trustee.ptstrName, sidptr)) {
    // shift the remaining entries down over the removed one
    if (entryindex < (entrycount - 1))
        MoveMemory(&entrylist[entryindex], &entrylist[entryindex + 1],
                   (entrycount - entryindex - 1) * sizeof(entrylist[0]));
    entrycount--;
    continue;   // entryitem now points at the entry that was shifted into this slot
}
```
Given the information in the latest edit, I can replicate the problem. It occurs in the case when all of the explicit entries are removed from the DACL.

It turns out there's a nasty (and, as far as I can see, undocumented) catch in SetEntriesInAcl: if you pass a zero-length array, it silently returns NULL for the new ACL rather than returning an empty ACL as you might reasonably expect.

The documentation for SetSecurityInfo explains what happens in that case:

> If the value of the SecurityInfo parameter includes the DACL_SECURITY_INFORMATION flag and the value of the pDacl parameter is set to NULL, full access to the object is granted to everyone.

That implicitly removes the inherited permissions (which are redundant anyway).

One way to fix the problem:

```c
ACL empty_acl;
if (!InitializeAcl(&empty_acl, sizeof(empty_acl), ACL_REVISION)) {
    r = GetLastError();
    goto _cleanup;
}

// create a new ACL from the explicit entries of the existing DACL,
// using the empty ACL as the base so that zero entries yield an empty ACL, not NULL
r = SetEntriesInAcl(entrycount, entrylist, &empty_acl, &newacl);
if (r != ERROR_SUCCESS) goto _cleanup;
```