
View Full Version : SetFileSecurity() works on W2K but not Win2003



peterbi
07-29-2004, 12:38 PM
Hi,

I am trying to port an old existing C++ program (a DLL) to my package; the DLL exports some functions that set up file security. I created the package and tested it. The problem is that the file security setup works fine on W2K but not on Windows Server 2003. I don't know much about file security setup, and I want to know whether there is anything I need to configure on Win2003 to make it work.

Here is the main C++ function that sets up file security (permissions):
--------------------------------------------------------------
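/*
 * SetAccessPermission - replace the DACL of a file or directory with an
 * explicit, protected (non-inheriting) one.
 *
 * The new DACL is built up one entry at a time through MyAddEntryToDACL(),
 * starting from a NULL "old" DACL, so none of the object's existing entries
 * are carried over.  Entries requested, in order:
 *   - "SYSTEM"                     GENERIC_ALL
 *   - local Administrators group   GENERIC_ALL
 *   - lpszLocalGroup  (optional)   GENERIC_ALL
 *   - lpszLocalGroup2 (optional)   GENERIC_ALL
 *   - Everyone, if bDirectoryAccess:    GENERIC_EXECUTE | GENERIC_READ,
 *                                       inherited by sub-containers only
 *   - Everyone, if bReadEveryoneAccess: GENERIC_READ
 *
 * Parameters:
 *   lpObjectName        path of the object; must be non-NULL and shorter
 *                       than MAX_PATH characters
 *   lpszLocalGroup,
 *   lpszLocalGroup2     optional group names (NULL or "" to skip); each
 *                       must be shorter than MAX_PATH characters
 *   bDirectoryAccess    add the read/execute entry for Everyone
 *   bReadEveryoneAccess add the read entry for Everyone
 *
 * Returns ERROR_SUCCESS, or a Win32 error code from the step that failed.
 * When diagnosing a platform-specific failure, log this value: it is the only
 * indication of which call rejected the request.
 *
 * Security notes:
 *   - Both optional groups receive full control, and the Everyone entries
 *     open the object to every account that group covers; callers should
 *     pass them only when that exposure is intended.
 *   - Principals are identified by name.  NOTE(review): account names can
 *     differ between systems; building the trustees from well-known SIDs
 *     would be more robust -- MyAddEntryToDACL() is not shown, confirm how
 *     it resolves names.
 *   - NOTE(review): GetLocalAdministratorsGroupName() and
 *     GetEveryoneGroupName() receive a MAX_PATH buffer without a length;
 *     confirm they cannot write past it.
 */
static
DWORD SetAccessPermission(LPCTSTR lpObjectName, LPCTSTR lpszLocalGroup, LPCTSTR lpszLocalGroup2, BOOL bDirectoryAccess, BOOL bReadEveryoneAccess)
{
    DWORD dwRes = ERROR_SUCCESS;
    /* Both ACL pointers start as NULL so that every path to Cleanup frees
     * only memory that was actually handed back to us. */
    PACL pOldDACL = NULL;
    PACL pNewDACL = NULL;
    EXPLICIT_ACCESS ea;

    TCHAR szObjectName[MAX_PATH];
    TCHAR szGroupName[MAX_PATH];
    TCHAR szAdministratorsGroupName[MAX_PATH];
    TCHAR szEveryoneGroupName[MAX_PATH];

    if (lpObjectName == NULL)
        return ERROR_INVALID_PARAMETER;

    /* The inputs are copied into fixed MAX_PATH buffers below; reject
     * anything that would not fit (terminator included) instead of
     * overflowing the stack buffers. */
    if (_tcslen(lpObjectName) >= MAX_PATH)
        return ERROR_INVALID_PARAMETER;
    if (lpszLocalGroup != NULL && _tcslen(lpszLocalGroup) >= MAX_PATH)
        return ERROR_INVALID_PARAMETER;
    if (lpszLocalGroup2 != NULL && _tcslen(lpszLocalGroup2) >= MAX_PATH)
        return ERROR_INVALID_PARAMETER;

    _tcscpy(szObjectName, lpObjectName);   /* length checked above */

    /* The helpers' own error codes are not visible here, so a failed lookup
     * is reported with a fixed "no such account mapping" code rather than an
     * indeterminate value. */
    if (!GetLocalAdministratorsGroupName(szAdministratorsGroupName)) {
        dwRes = ERROR_NONE_MAPPED;
        goto Cleanup;
    }
    if (!GetEveryoneGroupName(szEveryoneGroupName)) {
        dwRes = ERROR_NONE_MAPPED;
        goto Cleanup;
    }

    /* initialize an EXPLICIT_ACCESS structure to allow access */
    ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));

    /* Start from an empty DACL (drops the default permissions) and give
     * full control to the "SYSTEM" account. */
    dwRes = MyAddEntryToDACL(&ea, pOldDACL, &pNewDACL, _T("SYSTEM"), GENERIC_ALL, SUB_CONTAINERS_AND_OBJECTS_INHERIT);
    if (dwRes != ERROR_SUCCESS)
        goto Cleanup;

    /*
     * Each following step rotates the buffers: the previous input ACL is
     * freed, the ACL just produced becomes the input, and pNewDACL is reset
     * to NULL before the call.  Without the reset, a failing call that leaves
     * pNewDACL untouched would leave both pointers aliasing one ACL, and
     * Cleanup would free it twice.
     */

    /* Full control for the local Administrators group. */
    if (pOldDACL != NULL) LocalFree((HLOCAL) pOldDACL);
    pOldDACL = pNewDACL;
    pNewDACL = NULL;
    dwRes = MyAddEntryToDACL(&ea, pOldDACL, &pNewDACL, szAdministratorsGroupName, GENERIC_ALL, SUB_CONTAINERS_AND_OBJECTS_INHERIT);
    if (dwRes != ERROR_SUCCESS)
        goto Cleanup;

    /* Full control for the first caller-supplied group, if any. */
    if ((lpszLocalGroup) && (_tcslen(lpszLocalGroup) > 0)) {
        _tcscpy(szGroupName, lpszLocalGroup);   /* length checked above */
        if (pOldDACL != NULL) LocalFree((HLOCAL) pOldDACL);
        pOldDACL = pNewDACL;
        pNewDACL = NULL;
        dwRes = MyAddEntryToDACL(&ea, pOldDACL, &pNewDACL, szGroupName, GENERIC_ALL, SUB_CONTAINERS_AND_OBJECTS_INHERIT);
        if (dwRes != ERROR_SUCCESS)
            goto Cleanup;
    }

    /* Full control for the second caller-supplied group, if any. */
    if ((lpszLocalGroup2) && (_tcslen(lpszLocalGroup2) > 0)) {
        _tcscpy(szGroupName, lpszLocalGroup2);  /* length checked above */
        if (pOldDACL != NULL) LocalFree((HLOCAL) pOldDACL);
        pOldDACL = pNewDACL;
        pNewDACL = NULL;
        dwRes = MyAddEntryToDACL(&ea, pOldDACL, &pNewDACL, szGroupName, GENERIC_ALL, SUB_CONTAINERS_AND_OBJECTS_INHERIT);
        if (dwRes != ERROR_SUCCESS)
            goto Cleanup;
    }

    if (bDirectoryAccess) {
        /* Read/execute for Everyone, inherited by sub-containers only. */
        if (pOldDACL != NULL) LocalFree((HLOCAL) pOldDACL);
        pOldDACL = pNewDACL;
        pNewDACL = NULL;
        dwRes = MyAddEntryToDACL(&ea, pOldDACL, &pNewDACL, szEveryoneGroupName, GENERIC_EXECUTE | GENERIC_READ, SUB_CONTAINERS_ONLY_INHERIT);
        if (dwRes != ERROR_SUCCESS)
            goto Cleanup;
    }

    if (bReadEveryoneAccess) {
        /* Read access for Everyone. */
        if (pOldDACL != NULL) LocalFree((HLOCAL) pOldDACL);
        pOldDACL = pNewDACL;
        pNewDACL = NULL;
        dwRes = MyAddEntryToDACL(&ea, pOldDACL, &pNewDACL, szEveryoneGroupName, GENERIC_READ, SUB_CONTAINERS_AND_OBJECTS_INHERIT);
        if (dwRes != ERROR_SUCCESS)
            goto Cleanup;
    }

    /* Attach the new ACL as the object's DACL.  PROTECTED_DACL_SECURITY_INFORMATION
     * marks the DACL as protected so it does not inherit entries from the
     * parent; owner, primary group and SACL are left unchanged (NULL). */
    dwRes = SetNamedSecurityInfo(
        szObjectName,
        SE_FILE_OBJECT,
        DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
        NULL,
        NULL,
        pNewDACL,
        NULL);

Cleanup:
    /* Release the last input ACL and the last output ACL, whichever exist. */
    if (pOldDACL != NULL)
        LocalFree((HLOCAL) pOldDACL);
    if (pNewDACL != NULL)
        LocalFree((HLOCAL) pNewDACL);

    return dwRes;
}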
------------------------------------------------

Has anything about DACLs changed between W2K and Win2003?

Thanks,
Peter