»áÔ±£º ÃÜÂ룺 ¡¡Ãâ·Ñ×¢²á | Íü¼ÇÃÜÂë | »áÔ±µÇ¼ ÍøÒ³¹¦ÄÜ£º ¼ÓÈëÊÕ²Ø ÉèΪÊ×Ò³ ÍøÕ¾ËÑË÷  
 °²È«¼¼Êõ¼¼ÊõÎĵµ
  ¡¤ °²È«ÅäÖÆ
  ¡¤ ¹¤¾ß½éÉÜ
  ¡¤ ºÚ¿Í½Ìѧ
  ¡¤ ·À»ðǽ
  ¡¤ Â©¶´·ÖÎö
  ¡¤ ÆƽâרÌâ
  ¡¤ ºÚ¿Í±à³Ì
  ¡¤ ÈëÇÖ¼ì²â
 °²È«¼¼ÊõÂÛ̳
  ¡¤ °²È«ÅäÖÆ
  ¡¤ ¹¤¾ß½éÉÜ
  ¡¤ ·À»ðǽ
  ¡¤ ºÚ¿ÍÈëÇÖ
  ¡¤ Â©¶´¼ì²â
  ¡¤ Æƽⷽ·¨
  ¡¤ É±¶¾×¨Çø
 °²È«¼¼Êõ¹¤¾ßÏÂÔØ
  ¡¤ É¨Ã蹤¾ß
  ¡¤ ¹¥»÷³ÌÐò
  ¡¤ ºóÃÅľÂí
  ¡¤ ¾Ü¾ø·þÎñ
  ¡¤ ¿ÚÁîÆƽâ
  ¡¤ ´úÀí³ÌÐò
  ¡¤ ·À»ðǽ
  ¡¤ ¼ÓÃܽâÃÜ
  ¡¤ ÈëÇÖ¼ì²â
  ¡¤ ¹¥·ÀÑÝʾ
¼¼ÊõÎĵµ > VCÎĵµ > ƽ̨SDK
ÒÔ³ÌÐòµÄ·½Ê½²Ù×ÝNTFSµÄÎļþȨÏÞ
·¢±íÈÕÆÚ£º2004-01-29 00:00:00×÷Õߣº³ ³ö´¦£º  

Windows NT/2K/XP°æ±¾µÄ²Ù×÷ϵͳ¶¼Ö§³ÖNTFS¸ñʽµÄÎļþϵͳ£¬ÕâÊÇÒ»¸öÓа²È«ÐÔÖʵÄÎļþϵͳ£¬Äã¿ÉÒÔͨ¹ýWindowsµÄ×ÊÔ´¹ÜÀíÆ÷À´ÉèÖöÔÿ¸öĿ¼ºÍÎļþµÄÓû§·ÃÎÊȨÏÞ¡£ÕâÀïÎҾͲ»¶ÔNTFSµÄ°²È«ÐÔ½øÐн²ÊöÁË£¬ÎÒĬÈÏÄã¶ÔNTFSµÄÎļþĿ¼µÄ°²È«ÉèÖÃÓÐÁËÒ»¶¨µÄÁ˽⡣ÔÚÕâÀÎÒ½«ÏòÄã½éÉÜʹÓÃWindowsµÄAPIº¯ÊýÀ´²Ù×ÝNTFSµÄÎļþȨÏÞ¡£

Ò»¡¢       ÀíÂÛºÍÊõÓï

ÔÚWindows NT/2K?XPϵĶÔÏ󣬲»Ò»¶¨ÊÇÎļþϵͳ£¬»¹ÓÐÆäËüµÄһЩ¶ÔÏó£¬È磺½ø³Ì¡¢ÃüÃû¹ÜµÀ¡¢´òÓ¡»ú¡¢ÍøÂç¹²Ïí¡¢»òÊÇ×¢²á±íµÈµÈ£¬¶¼¿ÉÒÔÉèÖÃÓû§·ÃÎÊȨÏÞ¡£ÔÚWindowsϵͳÖУ¬ÆäÊÇÓÃÒ»¸ö°²È«ÃèÊö·û£¨Security Descriptors£©µÄ½á¹¹À´±£´æÆäȨÏÞµÄÉèÖÃÐÅÏ¢£¬¼ò³ÆΪSD£¬ÆäÔÚWindows SDKÖеĽṹÃûÊÇ¡°SECURITY_DESCRIPTOR¡±£¬ÕâÊÇ°üÀ¨ÁË°²È«ÉèÖÃÐÅÏ¢µÄ½á¹¹Ìå¡£Ò»¸ö°²È«ÃèÊö·û°üº¬ÒÔÏÂÐÅÏ¢£º

Ò»¸ö°²È«±êʶ·û(Security identifiers)£¬Æä±êʶÁ˸ÃÐÅÏ¢ÊÇÄĸö¶ÔÏóµÄ£¬Ò²¾ÍÊÇÓÃÓڼǼ°²È«¶ÔÏóµÄID¡£¼ò³ÆΪ£ºSID¡£

Ò»¸öDACL£¨Discretionary Access Control List£©£¬ÆäÖ¸³öÁËÔÊÐíºÍ¾Ü¾øijÓû§»òÓû§×éµÄ´æÈ¡¿ØÖÆÁÐ±í¡£ µ±Ò»¸ö½ø³ÌÐèÒª·ÃÎÊ°²È«¶ÔÏó£¬ÏµÍ³¾Í»á¼ì²éDACLÀ´¾ö¶¨½ø³ÌµÄ·ÃÎÊȨ¡£Èç¹ûÒ»¸ö¶ÔÏóûÓÐDACL£¬ÄÇô¾ÍÊÇ˵Õâ¸ö¶ÔÏóÊÇÈκÎÈ˶¼¿ÉÒÔÓµÓÐÍêÈ«µÄ·ÃÎÊȨÏÞ¡£

Ò»¸öSACL£¨System Access Control List£©£¬ÆäÖ¸³öÁËÔڸöÔÏóÉϵÄÒ»×é´æÈ¡·½Ê½£¨È磬¶Á¡¢Ð´¡¢ÔËÐеȣ©µÄ´æÈ¡¿ØÖÆȨÏÞϸ½ÚµÄÁÐ±í¡£

»¹ÓÐÆä×ÔÉíµÄһЩ¿ØÖÆλ¡£

DACLºÍSACL¹¹³ÉÁËÕû¸ö´æÈ¡¿ØÖÆÁбíAccess Control List£¬¼ò³ÆACL£¬ACLÖеÄÿһÏÎÒÃǽÐ×öACE£¨Access Control Entry£©£¬ACLÖеÄÿһ¸öACE¡£

ÎÒÃǵijÌÐò²»ÓÃÖ±½Óά»¤SDÕâ¸ö½á¹¹£¬Õâ¸ö½á¹¹ÓÉϵͳά»¤¡£ÎÒÃÇÖ»ÓÃʹÓÃWindows ÌṩµÄÏà¹ØµÄAPIº¯ÊýÀ´È¡µÃ²¢ÉèÖÃSDÖеÄÐÅÏ¢¾ÍÐÐÁË¡£²»¹ýÕâЩAPIº¯ÊýÖ»ÓÐWindows NT/2K/XP²ÅÖ§³Ö¡£

°²È«¶ÔÏóSecurable ObjectÊÇÓµÓÐSDµÄWindowsµÄ¶ÔÏó¡£ËùÓеı»ÃüÃûµÄWindowsµÄ¶ÔÏó¶¼ÊÇ°²È«¶ÔÏó¡£Ò»Ð©Ã»ÓÐÃüÃûµÄ¶ÔÏóÊÇ°²È«¶ÔÏó£¬È磺½ø³ÌºÍỊ̈߳¬Ò²Óа²È«ÃèÊö·ûSD¡£ÔÚ¶Ô´ó¶àÊýµÄ´´½¨°²È«¶ÔÏóµÄ²Ù×÷Öж¼ÐèÒªÄã´«µÝÒ»¸öSDµÄ²ÎÊý£¬È磺CreateFileºÍCreateProcessº¯Êý¡£ÁíÍ⣬Windows»¹ÌṩÁËһϵÁÐÓйذ²È«¶ÔÏóµÄ°²È«ÐÅÏ¢µÄ´æÈ¡º¯Êý£¬ÒÔ¹©ÄãÈ¡µÃ¶ÔÏóÉϵݲȫÉèÖ㬻òÐ޸ĶÔÏóÉϵݲȫÉèÖá£È磺GetNamedSecurityInfo, SetNamedSecurityInfo£¬GetSecurityInfo, SetSecurityInfo¡£

ÏÂͼ˵Ã÷ÁË£¬°²È«¶ÔÏóºÍDACLÒÔ¼°·ÃÎÊÕßÖ®¼äµÄÁªÏµ£¨À´Ô´ÓÚMSDN£©¡£×¢Ò⣬DACL±íÖеÄÿ¸öACEµÄ˳ÐòÊÇÓÐÒâÒåµÄ£¬Èç¹ûÇ°ÃæµÄAllow£¨»òdenied£©ACEͨ¹ýÁË£¬ÄÇô£¬ÏµÍ³¾Í²»»á¼ì²éºóÃæµÄACEÁË¡£

ϵͳ»á°´ÕÕ˳ÐòÒÀ´Î¼ì²éËùÓеÄACE¹æÔò£¬ÈçÏÂÃæµÄÌõ¼þÂú×㣬ÔòÍ˳ö£º

1¡¢ Èç¹ûÒ»¸öAccess-DeniedµÄACEÃ÷ÏԵؾܾøÁËÇëÇóÕß¡£

2¡¢ Èç¹ûijAccess-AllowedµÄACEÃ÷ÏÔµØͬÒâÁËÇëÇóÕß¡£

3¡¢ È«²¿µÄACE¶¼¼ì²éÍêÁË£¬µ«ÊÇûÓÐÒ»ÌõACEÃ÷ÏÔµØÔÊÐí»òÊǾܾøÇëÇóÕߣ¬ÄÇôϵͳ½«Ê¹ÓÃĬÈÏÖµ£¬¾Ü¾øÇëÇóÕߵķÃÎÊ¡£

¸ü¶àµÄÀíÂÛºÍÃèÊö£¬Çë²Î¿´MSDN¡£

¶þ¡¢       ʵ¼ùÓëÀý³Ì

1¡¢  Àý³ÌÒ»£º´´½¨Ò»¸öÓÐȨÏÞÉèÖõÄĿ¼

#include <windows.h>

void main(void)

{

  SECURITY_ATTRIBUTES sa;  //ºÍÎļþÓйصݲȫ½á¹¹

  SECURITY_DESCRIPTOR sd;  //ÉùÃ÷Ò»¸öSD

  BYTE aclBuffer[1024];

  PACL pacl=(PACL)&aclBuffer; //ÉùÃ÷Ò»¸öACL£¬³¤¶ÈÊÇ1024

  BYTE sidBuffer[100];

  PSID psid=(PSID) &sidBuffer;  //ÉùÃ÷Ò»¸öSID£¬³¤¶ÈÊÇ100

  DWORD sidBufferSize = 100;

  char domainBuffer[80];

  DWORD domainBufferSize = 80;

  SID_NAME_USE snu;

  HANDLE file;

  //³õʼ»¯Ò»¸öSD

  InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);

  //³õʼ»¯Ò»¸öACL

  InitializeAcl(pacl, 1024, ACL_REVISION);

  //²éÕÒÒ»¸öÓû§hchen£¬²¢È¡¸ÃÓû§µÄSID

  LookupAccountName(0, "hchen", psid,

      &sidBufferSize, domainBuffer,

      &domainBufferSize, &snu);

  //ÉèÖøÃÓû§µÄAccess-AllowedµÄACE£¬ÆäȨÏÞΪ¡°ËùÓÐȨÏÞ¡±

AddAccessAllowedAce(pacl, ACL_REVISION, GENERIC_ALL, psid);

//°ÑACLÉèÖõ½SDÖÐ

  SetSecurityDescriptorDacl(&sd, TRUE, pacl, FALSE);

  

  //°ÑSD·Åµ½Îļþ°²È«½á¹¹SAÖÐ

  sa.nLength = sizeof(SECURITY_ATTRIBUTES);

  sa.bInheritHandle = FALSE;

  sa.lpSecurityDescriptor = &sd;

  

  //´´½¨Îļþ

  file = CreateFile("c:\\testfile",

    0, 0, &sa, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, 0);

  CloseHandle(file);

}

Õâ¸öÀý×ÓÎÒÊÇ´ÓÍøÉÏÕÒÀ´µÄ£¬¸ÄÁ˸ġ£ÆäÖÐʹÓõ½µÄ¹Ø¼üµÄAPIº¯Êý£¬ÎÒ¶¼°ÑÆä¼Ó´ÖÁË¡£´Ó³ÌÐòÖÐÎÒÃÇ¿ÉÒÔ¿´µ½£¬ÎÒÃÇÏȳõʼ»¯ÁËÒ»¸öSDºÍÒ»¸öACL£¬È»ºóµ÷ÓÃLookupAccountNameÈ¡µÃÓû§µÄSID£¬È»ºóͨ¹ýÕâ¸öSID£¬¶ÔACLÖмÓÈëÒ»¸öÓÐÔÊÐí·ÃÎÊȨÏÞµÄACE£¬È»ºóÔÙ°ÑÕû¸öACLÉèÖõ½SDÖС£×îºó£¬×éÖ¯Îļþ°²È«ÃèÊöµÄSA½á¹¹£¬²¢µ÷ÓÃCreateFile´´½¨Îļþ¡£Èç¹ûÄãµÄ²Ù×÷ϵͳÊÇNTFS£¬ÄÇô£¬Äã¿ÉÒÔ¿´µ½Äã´´½¨³öÀ´µÄÎļþµÄ°²È«ÊôÐÔµÄÑù×Ó£º

Õâ¸ö³ÌÐòÖ¼ÔÚ˵Ã÷ÈçºÎÉú³ÉÒ»¸öеÄSDºÍACLµÄÓ÷¨£¬ÆäÓÐËĸöµØ·½µÄ²»×ãºÍ²»Ç壺

1¡¢ ¶ÔÓÚACLºÍSIDµÄÉùÃ÷²ÉÓÃÁËÓ²±àÂëµÄ·½Ê½Ö¸¶¨Æ䳤¶È¡£

2¡¢ ¶ÔÓÚAPIº¯Êý£¬Ã»Óгö´í´¦Àí¡£

3¡¢ Ã»ÓÐ˵Ã÷ÈçºÎÐÞ¸ÄÒÑÓÐÎļþ»òĿ¼µÄ°²È«ÉèÖá£

4¡¢ Ã»ÓÐ˵Ã÷°²È«ÉèÖõļ̳ÐÐÔ¡£

¶ÔÓÚÕâЩÎÒ½«ÔÚϸöÀý³ÌÖн²Êö¡£

2¡¢  Àý³Ì¶þ¡¢ÎªÄ¿Â¼Ôö¼ÓÒ»¸ö°²È«ÉèÖÃÏî

ÔÚÎÒ°ÑÕâ¸öÀý³ÌÐòÀý³öÀ´ÒÔÇ°£¬ÇëÔÊÐíÎÒ¶à˵һÏ¡£

1¡¢  ¶ÔÓÚÎļþ¡¢Ä¿Â¼¡¢ÃüÁî¹ÜµÀ£¬ÎÒÃDz»Ò»¶¨ÒªÊ¹ÓÃGetNamedSecurityInfoºÍSetNamedSecurityInfoº¯Êý£¬ÎÒÃÇ¿ÉÒÔʹÓÃÆäרÓú¯ÊýGetFileSecurityºÍSetFileSecurityº¯ÊýÀ´È¡µÃ»òÉèÖÃÎļþ¶ÔÏóµÄSD£¬ÒÔÉèÖÃÆä·ÃÎÊȨÏÞ¡£ÐèҪʹÓÃÕâÁ½¸öº¯Êý²¢²»ÈÝÒ×£¬ÕýÈçÇ°ÃæÎÒÃÇËù˵µÄ£¬ÎÒÃÇ»¹ÐèÒª´¦ÀíSD²ÎÊý£¬Òª´¦ÀíSD£¬¾ÍÐèÒª´¦ÀíDACLºÍACE£¬ÒÔ¼°Óû§µÄÏà¹ØSID£¬ÓÚÊÇ£¬Ò»ÏµÍ³Áеĺ¯Êý¾Í±»ÕâÁ½¸öº¯Êý´ø³öÀ´ÁË¡£

2¡¢  ¶ÔÓÚÉÏÒ»¸öÀý×ÓÖеÄʹÓÃÓ²±àÂëÖ¸¶¨SIDµÄ´¦Àí·½·¨ÊÇ¡£µ÷ÓÃLookupAccountNameº¯Êýʱ£¬ÏÈ°ÑSID£¬DomainÃûµÄ²ÎÊý´«Îª¿ÕNULL£¬ÓÚÊÇLookupAccountName»á·µ»ØÓû§µÄSIDµÄ³¤¶ÈºÍDomainÃûµÄ³¤¶È£¬ÓÚÊÇÄã¿ÉÒÔ¸ù¾ÝÕâ¸ö³¤¶È·ÖÅäÄڴ棬ȻºóÔٴε÷ÓÃLookupAccountNameº¯Êý¡£ÓÚÊǾͿÉÒÔ´ïµ½µ½Ì¬·ÖÅäÄÚ´æµÄЧ¹û¡£¶ÔÓÚACLÒ²Ò»Ñù¡£

3¡¢  ¶ÔÓÚ¸øÎļþµÄACLÖÐÔö¼ÓÒ»¸öACEÌõÄ¿£¬Ò»°ãµÄ×ö·¨ÊÇÏÈÈ¡³öÎļþÉϵÄACL£¬ÖðÌõÈ¡³öACE£¬ºÍÏÖÐèÒªÔö¼ÓµÄACE±È½Ï£¬Èç¹ûÓгåÍ»£¬Ôòɾ³ýÒÑÓеÄACE£¬°ÑмӵÄACEÌíÖõ½×îºó¡£ÕâÀïµÄ×îºó£¬Ó¦¸ÃÊǷǼ̳жøÀ´µÄACEµÄ×îºó¡£¹ØÓÚACL¼Ì³Ð£¬NTFSÖУ¬Äã¿ÉÒÔÉèÖÃÎļþºÍĿ¼ÊÇ·ñ¼Ì³ÐÓÚÆ丸Ŀ¼µÄÉèÖá£ÔÚ³ÌÐòÖÐͬÑù¿ÉÒÔÉèÖá£

»¹ÊÇÇë¿´Àý³Ì£¬Õâ¸ö³ÌÐò±È½Ï³¤£¬À´Ô´ÓÚMSDN£¬ÎÒ×öÁËÒ»µãµãÐ޸ģ¬²¢°Ñ×Ô¼ºµÄÀí½â¼ÓÔÚ×¢ÊÍÖУ¬ËùÒÔ£¬Çë×¢Òâ´úÂëÖеÄ×¢ÊÍ£º

#include <windows.h>

#include <tchar.h>

#include <stdio.h>

//ʹÓÃWindowsµÄHeapAllocº¯Êý½øÐж¯Ì¬ÄÚ´æ·ÖÅä

#define myheapalloc(x) (HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, x))

#define myheapfree(x) (HeapFree(GetProcessHeap(), 0, x))

typedef BOOL (WINAPI *SetSecurityDescriptorControlFnPtr)(

  IN PSECURITY_DESCRIPTOR pSecurityDescriptor,

  IN SECURITY_DESCRIPTOR_CONTROL ControlBitsOfInterest,

  IN SECURITY_DESCRIPTOR_CONTROL ControlBitsToSet);

typedef BOOL (WINAPI *AddAccessAllowedAceExFnPtr)(

 PACL pAcl,

 DWORD dwAceRevision,

 DWORD AceFlags,

 DWORD AccessMask,

 PSID pSid

);

BOOL AddAccessRights(TCHAR *lpszFileName, TCHAR *lpszAccountName,

   DWORD dwAccessMask) {

  // ÉùÃ÷SID±äÁ¿

  SID_NAME_USE  snuType;

  // ÉùÃ÷ºÍLookupAccountNameÏà¹ØµÄ±äÁ¿£¨×¢Ò⣬ȫΪ0£¬ÒªÔÚ³ÌÐòÖж¯Ì¬·ÖÅ䣩

  TCHAR *    szDomain    = NULL;

  DWORD     cbDomain    = 0;

  LPVOID     pUserSID    = NULL;

  DWORD     cbUserSID   = 0;

  // ºÍÎļþÏà¹ØµÄ°²È«ÃèÊö·û SD µÄ±äÁ¿

  PSECURITY_DESCRIPTOR pFileSD = NULL;   // ½á¹¹±äÁ¿

  DWORD     cbFileSD    = 0;    // SDµÄsize

  // Ò»¸öеÄSDµÄ±äÁ¿£¬ÓÃÓÚ¹¹ÔìеÄACL£¨°ÑÒÑÓеÄACLºÍÐèҪмӵÄACLÕûºÏÆðÀ´£©

  SECURITY_DESCRIPTOR newSD;

  // ºÍACL Ïà¹ØµÄ±äÁ¿

  PACL      pACL      = NULL;

  BOOL      fDaclPresent;

  BOOL      fDaclDefaulted;

  ACL_SIZE_INFORMATION AclInfo;

  // Ò»¸öÐ嵀 ACL ±äÁ¿

  PACL      pNewACL    = NULL; //½á¹¹Ö¸Õë±äÁ¿

  DWORD     cbNewACL    = 0;   //ACLµÄsize

  // Ò»¸öÁÙʱʹÓÃµÄ ACE ±äÁ¿

  LPVOID     pTempAce    = NULL;

  UINT      CurrentAceIndex = 0; //ACEÔÚACLÖеÄλÖÃ

  UINT      newAceIndex = 0; //ÐÂÌíµÄACEÔÚACLÖеÄλÖÃ

  //APIº¯ÊýµÄ·µ»ØÖµ£¬¼ÙÉèËùÓеĺ¯Êý¶¼·µ»Øʧ°Ü¡£

  BOOL      fResult;

  BOOL      fAPISuccess;

  SECURITY_INFORMATION secInfo = DACL_SECURITY_INFORMATION;

  // ÏÂÃæµÄÁ½¸öº¯ÊýÊÇеÄAPIº¯Êý£¬½öÔÚWindows 2000ÒÔÉÏ°æ±¾µÄ²Ù×÷ϵͳ֧³Ö¡£

  // Ôڴ˽«´ÓAdvapi32.dllÎļþÖж¯Ì¬ÔØÈë¡£Èç¹ûÄãʹÓÃVC++ 6.0±àÒë³ÌÐò£¬¶øÇÒÄãÏë

  // ʹÓÃÕâÁ½¸öº¯ÊýµÄ¾²Ì¬Á´½Ó¡£ÔòÇëΪÄãµÄ±àÒë¼ÓÉÏ£º/D_WIN32_WINNT=0x0500

  // µÄ±àÒë²ÎÊý¡£²¢ÇÒÈ·±£ÄãµÄSDKµÄÍ·ÎļþºÍlibÎļþÊÇ×îеġ£

  SetSecurityDescriptorControlFnPtr _SetSecurityDescriptorControl = NULL;

  AddAccessAllowedAceExFnPtr _AddAccessAllowedAceEx = NULL;

  __try {

   //

   // STEP 1: ͨ¹ýÓû§ÃûÈ¡µÃSID

   //   ÔÚÕâÒ»²½ÖÐLookupAccountNameº¯Êý±»µ÷ÓÃÁËÁ½´Î£¬µÚÒ»´ÎÊÇÈ¡³öËùÐèÒª

   // µÄÄÚ´æµÄ´óС£¬È»ºó£¬½øÐÐÄÚ´æ·ÖÅä¡£µÚ¶þ´Îµ÷ÓòÅÊÇÈ¡µÃÁËÓû§µÄÕÊ»§ÐÅÏ¢¡£

   // LookupAccountNameͬÑù¿ÉÒÔÈ¡µÃÓòÓû§»òÊÇÓû§×éµÄÐÅÏ¢¡££¨Çë²Î¿´MSDN£©

   //

   fAPISuccess = LookupAccountName(NULL, lpszAccountName,

      pUserSID, &cbUserSID, szDomain, &cbDomain, &snuType);

   // ÒÔÉϵ÷ÓÃAPI»áʧ°Ü£¬Ê§°ÜÔ­ÒòÊÇÄÚ´æ²»×ã¡£²¢°ÑËùÐèÒªµÄÄÚ´æ´óС´«³ö¡£

   // ÏÂÃæÊÇ´¦Àí·ÇÄÚ´æ²»×ãµÄ´íÎó¡£

   if (fAPISuccess)

     __leave;

   else if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) {

     _tprintf(TEXT("LookupAccountName() failed. Error %d\n"),

        GetLastError());

     __leave;

   }

   pUserSID = myheapalloc(cbUserSID);

   if (!pUserSID) {

     _tprintf(TEXT("HeapAlloc() failed. Error %d\n"), GetLastError());

     __leave;

   }

   szDomain = (TCHAR *) myheapalloc(cbDomain * sizeof(TCHAR));

   if (!szDomain) {

     _tprintf(TEXT("HeapAlloc() failed. Error %d\n"), GetLastError());

     __leave;

   }

   fAPISuccess = LookupAccountName(NULL, lpszAccountName,

      pUserSID, &cbUserSID, szDomain, &cbDomain, &snuType);

   if (!fAPISuccess) {

     _tprintf(TEXT("LookupAccountName() failed. Error %d\n"),

        GetLastError());

     __leave;

   }

   //

   // STEP 2: È¡µÃÎļþ£¨Ä¿Â¼£©Ïà¹ØµÄ°²È«ÃèÊö·ûSD

   //   ʹÓÃGetFileSecurityº¯ÊýÈ¡µÃÒ»·ÝÎļþSDµÄ¿½±´£¬Í¬Ñù£¬Õâ¸öº¯ÊýÒ²

    // ÊDZ»µ÷ÓÃÁ½´Î£¬µÚÒ»´ÎͬÑùÊÇÈ¡SDµÄÄڴ泤¶È¡£×¢Ò⣬SDÓÐÁ½ÖÖ¸ñʽ£º×ÔÏà¹ØµÄ

    // £¨self-relative£©ºÍ ÍêÈ«µÄ£¨absolute£©£¬GetFileSecurityÖ»ÄÜÈ¡µ½¡°×Ô

    // Ïà¹ØµÄ¡±£¬¶øSetFileSecurityÔòÐèÒªÍêÈ«µÄ¡£Õâ¾ÍÊÇΪʲôÐèÒªÒ»¸öеÄSD£¬

    // ¶ø²»ÊÇÖ±½ÓÔÚGetFileSecurity·µ»ØµÄSDÉϽøÐÐÐ޸ġ£ÒòΪ¡°×ÔÏà¹ØµÄ¡±ÐÅÏ¢

    // ÊDz»ÍêÕûµÄ¡£

   fAPISuccess = GetFileSecurity(lpszFileName,

      secInfo, pFileSD, 0, &cbFileSD);

   // ÒÔÉϵ÷ÓÃAPI»áʧ°Ü£¬Ê§°ÜÔ­ÒòÊÇÄÚ´æ²»×ã¡£²¢°ÑËùÐèÒªµÄÄÚ´æ´óС´«³ö¡£

   // ÏÂÃæÊÇ´¦Àí·ÇÄÚ´æ²»×ãµÄ´íÎó¡£

   if (fAPISuccess)

     __leave;

   else if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) {

     _tprintf(TEXT("GetFileSecurity() failed. Error %d\n"),

        GetLastError());

     __leave;

   }

   pFileSD = myheapalloc(cbFileSD);

   if (!pFileSD) {

     _tprintf(TEXT("HeapAlloc() failed. Error %d\n"), GetLastError());

     __leave;

   }

   fAPISuccess = GetFileSecurity(lpszFileName,

      secInfo, pFileSD, cbFileSD, &cbFileSD);

   if (!fAPISuccess) {

     _tprintf(TEXT("GetFileSecurity() failed. Error %d\n"),

        GetLastError());

     __leave;

   }

   //

   // STEP 3: ³õʼ»¯Ò»¸öеÄSD

   //

   if (!InitializeSecurityDescriptor(&newSD,

      SECURITY_DESCRIPTOR_REVISION)) {

     _tprintf(TEXT("InitializeSecurityDescriptor() failed.")

      TEXT("Error %d\n"), GetLastError());

     __leave;

   }

   //

   // STEP 4: ´ÓGetFileSecurity ·µ»ØµÄSDÖÐÈ¡DACL

   //

   if (!GetSecurityDescriptorDacl(pFileSD, &fDaclPresent, &pACL,

      &fDaclDefaulted)) {

     _tprintf(TEXT("GetSecurityDescriptorDacl() failed. Error %d\n"),

        GetLastError());

     __leave;

   }

   //

   // STEP 5: È¡ DACLµÄÄÚ´æsize

   //   GetAclInformation¿ÉÒÔÌṩDACLµÄÄÚ´æ´óС¡£Ö»´«ÈëÒ»¸öÀàÐÍΪ

   // ACL_SIZE_INFORMATIONµÄstructureµÄ²ÎÊý£¬ÐèDACLµÄÐÅÏ¢£¬ÊÇΪÁË

   // ·½±ãÎÒÃDZéÀúÆäÖеÄACE¡£

   AclInfo.AceCount = 0; // Assume NULL DACL.

   AclInfo.AclBytesFree = 0;

   AclInfo.AclBytesInUse = sizeof(ACL);

   if (pACL == NULL)

     fDaclPresent = FALSE;

   // Èç¹ûDACL²»Îª¿Õ£¬ÔòÈ¡ÆäÐÅÏ¢¡££¨´ó¶àÊýÇé¿öÏ¡°×Ô¹ØÁª¡±µÄDACLΪ¿Õ£©

   if (fDaclPresent) {      

     if (!GetAclInformation(pACL, &AclInfo,

        sizeof(ACL_SIZE_INFORMATION), AclSizeInformation)) {

      _tprintf(TEXT("GetAclInformation() failed. Error %d\n"),

         GetLastError());

      __leave;

     }

   }

   //

   // STEP 6: ¼ÆËãеÄACLµÄsize

   //  ¼ÆËãµÄ¹«Ê½ÊÇ£ºÔ­ÓеÄDACLµÄsize¼ÓÉÏÐèÒªÌí¼ÓµÄÒ»¸öACEµÄsize£¬ÒÔ

   // ¼°¼ÓÉÏÒ»¸öºÍACEÏà¹ØµÄSIDµÄsize£¬×îºó¼õÈ¥Á½¸ö×Ö½ÚÒÔ»ñµÃ¾«È·µÄ´óС¡£

   cbNewACL = AclInfo.AclBytesInUse + sizeof(ACCESS_ALLOWED_ACE)

      + GetLengthSid(pUserSID) - sizeof(DWORD);

   //

   // STEP 7: ΪеÄACL·ÖÅäÄÚ´æ

   //

   pNewACL = (PACL) myheapalloc(cbNewACL);

   if (!pNewACL) {

     _tprintf(TEXT("HeapAlloc() failed. Error %d\n"), GetLastError());

     __leave;

   }

   //

   // STEP 8: ³õʼ»¯ÐµÄACL½á¹¹

   //

   if (!InitializeAcl(pNewACL, cbNewACL, ACL_REVISION2)) {

     _tprintf(TEXT("InitializeAcl() failed. Error %d\n"),

        GetLastError());

     __leave;

   }

   //

   // STEP 9 Èç¹ûÎļþ£¨Ä¿Â¼£© DACL ÓÐÊý¾Ý£¬¿½±´ÆäÖеÄACEµ½ÐµÄDACLÖÐ

   //

   //   ÏÂÃæµÄ´úÂë¼ÙÉèÊ×Ïȼì²éÖ¸¶¨Îļþ£¨Ä¿Â¼£©ÊÇ·ñ´æÔÚµÄDACL£¬Èç¹ûÓеĻ°£¬

   // ÄÇô¾Í¿½±´ËùÓеÄACEµ½ÐµÄDACL½á¹¹ÖУ¬ÎÒÃÇ¿ÉÒÔ¿´µ½Æä±éÀúµÄ·½·¨ÊDzÉÓÃ

   // ACL_SIZE_INFORMATION½á¹¹ÖеÄAceCount³ÉÔ±À´Íê³ÉµÄ¡£ÔÚÕâ¸öÑ­»·ÖУ¬

   // »á°´ÕÕĬÈϵÄACEµÄ˳ÐòÀ´½øÐп½±´£¨ACEÔÚACLÖеÄ˳ÐòÊǺܹؼüµÄ£©£¬ÔÚ¿½

   // ±´¹ý³ÌÖУ¬ÏÈ¿½±´·Ç¼Ì³ÐµÄACE£¨ÎÒÃÇÖªµÀACE»á´ÓÉϲãĿ¼Öм̳ÐÏÂÀ´£©

   //

   newAceIndex = 0;

   if (fDaclPresent && AclInfo.AceCount) {

     for (CurrentAceIndex = 0;

        CurrentAceIndex < AclInfo.AceCount;

        CurrentAceIndex++) {

      //

      // STEP 10: ´ÓDACLÖÐÈ¡ACE

      //

      if (!GetAce(pACL, CurrentAceIndex, &pTempAce)) {

        _tprintf(TEXT("GetAce() failed. Error %d\n"),

           GetLastError());

        __leave;

      }

      //

      // STEP 11: ¼ì²éÊÇ·ñÊǷǼ̳еÄACE

      //   Èç¹ûµ±Ç°µÄACEÊÇÒ»¸ö´Ó¸¸Ä¿Â¼¼Ì³ÐÀ´µÄACE£¬ÄÇô¾ÍÍ˳öÑ­»·¡£

      // ÒòΪ£¬¼Ì³ÐµÄACE×ÜÊÇÔڷǼ̳еÄACEÖ®ºó£¬¶øÎÒÃÇËùÒªÌí¼ÓµÄACE

      // Ó¦¸ÃÔÚÒÑÓеķǼ̳еÄACEÖ®ºó£¬ËùÓеļ̳еÄACE֮ǰ¡£Í˳öÑ­»·

      // ÕýÊÇΪÁËÒªÌí¼ÓÒ»¸öеÄACEµ½ÐµÄDACLÖУ¬Õâºó£¬ÎÒÃÇÔٰѼ̳еÄ

      // ACE¿½±´µ½ÐµÄDACLÖС£

      //

      if (((ACCESS_ALLOWED_ACE *)pTempAce)->Header.AceFlags

        & INHERITED_ACE)

        break;

      //

      // STEP 12: ¼ì²éÒª¿½±´µÄACEµÄSIDÊÇ·ñºÍÐèÒª¼ÓÈëµÄACEµÄSIDÒ»Ñù£¬

      // Èç¹ûÒ»Ñù£¬ÄÇô¾ÍÓ¦¸Ã·ÏµôÒÑ´æÔÚµÄACE£¬Ò²¾ÍÊÇ˵£¬Í¬Ò»¸öÓû§µÄ´æÈ¡

      // ȨÏÞµÄÉèÖõÄACE£¬ÔÚDACLÖÐÓ¦¸ÃΨһ¡£ÕâÔÚÀÌø¹ý¶ÔͬһÓû§ÒÑÉèÖÃ

      // Á˵ÄACE£¬½öÊÇ¿½±´ÆäËüÓû§µÄACE¡£

      //

      if (EqualSid(pUserSID,

        &(((ACCESS_ALLOWED_ACE *)pTempAce)->SidStart)))

        continue;

      //

      // STEP 13: °ÑACE¼ÓÈ뵽еÄDACLÖÐ

      //  ÏÂÃæµÄ´úÂëÖУ¬×¢Òâ AddAce º¯ÊýµÄµÚÈý¸ö²ÎÊý£¬Õâ¸ö²ÎÊýµÄÒâ˼ÊÇ

      // ACLÖеÄË÷ÒýÖµ£¬ÒâΪҪ°ÑACE¼Óµ½Ä³Ë÷ÒýλÖÃÖ®ºó£¬²ÎÊýMAXDWORDµÄ

       // Òâ˼ÊÇÈ·±£µ±Ç°µÄACEÊDZ»¼ÓÈëµ½×îºóµÄλÖá£

      //

      if (!AddAce(pNewACL, ACL_REVISION, MAXDWORD, pTempAce,

         ((PACE_HEADER) pTempAce)->AceSize)) {

        _tprintf(TEXT("AddAce() failed. Error %d\n"),

           GetLastError());

        __leave;

      }

      newAceIndex++;

     }

   }

  //

  // STEP 14: °ÑÒ»¸ö access-allowed µÄACE ¼ÓÈ뵽еÄDACLÖÐ

  //   Ç°ÃæµÄÑ­»·¿½±´ÁËËùÓеķǼ̳ÐÇÒSIDΪÆäËüÓû§µÄACE£¬Í˳öÑ­»·µÄµÚÒ»¼þÊÂ

  // ¾ÍÊǼÓÈëÎÒÃÇÖ¸¶¨µÄACE¡£Çë×¢ÒâÊ×ÏÈÏȶ¯Ì¬×°ÔØÁËÒ»¸öAddAccessAllowedAceEx

  // µÄAPIº¯Êý£¬Èç¹û×°Ôز»³É¹¦£¬¾Íµ÷ÓÃAddAccessAllowedAceº¯Êý¡£Ç°Ò»¸öº¯Êý½ö

  // ÔÚWindows 2000ÒÔºóµÄ°æ±¾Ö§³Ö£¬NTÔòûÓУ¬ÎÒÃÇΪÁËʹÓÃа汾µÄº¯Êý£¬ÎÒÃÇÊ×

  // ÏÈÏȼì²éһϵ±Ç°ÏµÍ³Öпɲ»¿ÉÒÔ×°ÔØÕâ¸öº¯Êý£¬Èç¹û¿ÉÒÔÔò¾ÍʹÓá£Ê¹Óö¯Ì¬Á´½Ó

  // ±ÈʹÓþ²Ì¬Á´½ÓµÄºÃ´¦ÊÇ£¬³ÌÐòÔËÐÐʱ²»»áÒòΪûÓÐÕâ¸öAPIº¯Êý¶ø±¨´í¡£

  //

  // Ex°æµÄº¯Êý¶à³öÁËÒ»¸ö²ÎÊýAceFlag£¨µÚÈýÈ˲ÎÊý£©£¬ÓÃÕâ¸ö²ÎÊýÎÒÃÇ¿ÉÒÔÀ´ÉèÖÃÒ»

  // ¸ö½ÐACE_HEADERµÄ½á¹¹£¬ÒÔ±ãÈÃÎÒÃÇËùÉèÖõÄACE¿ÉÒÔ±»Æä×ÓĿ¼Ëù¼Ì³ÐÏÂÈ¥£¬¶ø

  // AddAccessAllowedAceº¯Êý²»Äܶ¨ÖÆÕâ¸ö²ÎÊý£¬ÔÚAddAccessAllowedAceº¯Êý

  // ÖУ¬Æä»á°ÑACE_HEADERÕâ¸ö½á¹¹ÉèÖóɷǼ̳еġ£

  //

   _AddAccessAllowedAceEx = (AddAccessAllowedAceExFnPtr)

      GetProcAddress(GetModuleHandle(TEXT("advapi32.dll")),

      "AddAccessAllowedAceEx");

   if (_AddAccessAllowedAceEx) {

      if (!_AddAccessAllowedAceEx(pNewACL, ACL_REVISION2,

       CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE ,

        dwAccessMask, pUserSID)) {

       _tprintf(TEXT("AddAccessAllowedAceEx() failed. Error %d\n"),

          GetLastError());

       __leave;

     }

   }else{

     if (!AddAccessAllowedAce(pNewACL, ACL_REVISION2,

        dwAccessMask, pUserSID)) {

       _tprintf(TEXT("AddAccessAllowedAce() failed. Error %d\n"),

          GetLastError());

       __leave;

     }

   }

   //

   // STEP 15: °´ÕÕÒÑ´æÔÚµÄACEµÄ˳Ðò¿½±´´Ó¸¸Ä¿Â¼¼Ì³Ð¶øÀ´µÄACE

   //

   if (fDaclPresent && AclInfo.AceCount) {

     for (;

       CurrentAceIndex < AclInfo.AceCount;

       CurrentAceIndex++) {

      //

      // STEP 16: ´ÓÎļþ£¨Ä¿Â¼£©µÄDACLÖмÌÐøÈ¡ACE

      //

      if (!GetAce(pACL, CurrentAceIndex, &pTempAce)) {

        _tprintf(TEXT("GetAce() failed. Error %d\n"),

           GetLastError());

        __leave;

      }

      //

      // STEP 17: °ÑACE¼ÓÈ뵽еÄDACLÖÐ

      //

      if (!AddAce(pNewACL, ACL_REVISION, MAXDWORD, pTempAce,

         ((PACE_HEADER) pTempAce)->AceSize)) {

        _tprintf(TEXT("AddAce() failed. Error %d\n"),

           GetLastError());

        __leave;

      }

     }

   }

   //

   // STEP 18: °ÑеÄACLÉèÖõ½ÐµÄSDÖÐ

   //

   if (!SetSecurityDescriptorDacl(&newSD, TRUE, pNewACL,

      FALSE)) {

     _tprintf(TEXT("SetSecurityDescriptorDacl() failed. Error %d\n"),

        GetLastError());

     __leave;

   }

   //

   // STEP 19: °ÑÀϵÄSDÖеĿØÖƱê¼ÇÔÙ¿½±´µ½ÐµÄSDÖУ¬ÎÒÃÇʹÓõÄÊÇÒ»¸ö½Ð

   // SetSecurityDescriptorControl() µÄAPIº¯Êý£¬Õâ¸öº¯ÊýͬÑùÖ»´æÔÚÓÚ

   // Windows 2000ÒÔºóµÄ°æ±¾ÖУ¬ËùÒÔÎÒÃÇ»¹ÊÇÒª¶¯Ì¬µØ°ÑÆä´Óadvapi32.dll

   // ÖÐÔØÈ룬Èç¹ûϵͳ²»Ö§³ÖÕâ¸öº¯Êý£¬ÄǾͲ»¿½±´ÀϵÄSDµÄ¿ØÖƱê¼ÇÁË¡£

   //

   _SetSecurityDescriptorControl =(SetSecurityDescriptorControlFnPtr)

      GetProcAddress(GetModuleHandle(TEXT("advapi32.dll")),

      "SetSecurityDescriptorControl");

   if (_SetSecurityDescriptorControl) {

     SECURITY_DESCRIPTOR_CONTROL controlBitsOfInterest = 0;

     SECURITY_DESCRIPTOR_CONTROL controlBitsToSet = 0;

     SECURITY_DESCRIPTOR_CONTROL oldControlBits = 0;

     DWORD dwRevision = 0;

     if (!GetSecurityDescriptorControl(pFileSD, &oldControlBits,

      &dwRevision)) {

      _tprintf(TEXT("GetSecurityDescriptorControl() failed.")

         TEXT("Error %d\n"), GetLastError());

      __leave;

     }

     if (oldControlBits & SE_DACL_AUTO_INHERITED) {

      controlBitsOfInterest =

        SE_DACL_AUTO_INHERIT_REQ |

        SE_DACL_AUTO_INHERITED ;

      controlBitsToSet = controlBitsOfInterest;

     }

     else if (oldControlBits & SE_DACL_PROTECTED) {

      controlBitsOfInterest = SE_DACL_PROTECTED;

      controlBitsToSet = controlBitsOfInterest;

     }    

     if (controlBitsOfInterest) {

      if (!_SetSecurityDescriptorControl(&newSD,

        controlBitsOfInterest,

        controlBitsToSet)) {

        _tprintf(TEXT("SetSecurityDescriptorControl() failed.")

           TEXT("Error %d\n"), GetLastError());

        __leave;

      }

     }

   }

   //

   // STEP 20: °ÑеÄSDÉèÖÃÉèÖõ½ÎļþµÄ°²È«ÊôÐÔÖУ¨Ç§É½ÍòË®°¡£¬ÖÕÓÚµ½ÁË£©

   //

   if (!SetFileSecurity(lpszFileName, secInfo,

      &newSD)) {

     _tprintf(TEXT("SetFileSecurity() failed. Error %d\n"),

        GetLastError());

     __leave;

   }

   fResult = TRUE;

  } __finally {

   //

   // STEP 21: ÊÍ·ÅÒÑ·ÖÅäµÄÄڴ棬ÒÔÃâMemory Leak

   //

   if (pUserSID) myheapfree(pUserSID);

   if (szDomain) myheapfree(szDomain);

   if (pFileSD) myheapfree(pFileSD);

   if (pNewACL) myheapfree(pNewACL);

  }

  return fResult;

}

--------------------------------------------------------------------------------

int _tmain(int argc, TCHAR *argv[]) {

  if (argc < 3) {

   _tprintf(TEXT("usage: \"%s\" <FileName> <AccountName>\n"), argv[0]);

   return 1;

  }

  // argv[1] ¨C Îļþ£¨Ä¿Â¼£©Ãû

  // argv[2] ¨C Óû§£¨×飩Ãû

  // GENERIC_ALL±íʾËùÓеÄȨÏÞ£¬ÆäÊÇһϵÁеÄNTFSȨÏ޵Ļò

  //   NTFSµÄÎļþȨÏÞºÜϸ£¬»¹Çë²Î¿´MSDN¡£

  if (!AddAccessRights(argv[1], argv[2], GENERIC_ALL)) {

   _tprintf(TEXT("AddAccessRights() failed.\n"));

   return 1;

  }

  else {

   _tprintf(TEXT("AddAccessRights() succeeded.\n"));

   return 0;

  }

}

Èý¡¢       һЩÏà¹ØµÄAPIº¯Êý

ͨ¹ýÒÔÉϵÄʾÀý£¬ÏàÐÅÄãÒÑÖªµÀÈçºÎ²Ù×÷NTFSÎļþ°²È«ÊôÐÔÁË£¬»¹ÓÐһЩAPIº¯ÊýÐèÒª½éÉÜһϡ£

1¡¢ Èç¹ûÄãÒª¼ÓÈëÒ»¸öAccess-Denied µÄACE£¬Äã¿ÉÒÔʹÓÃAddAccessDeniedAceº¯Êý

2¡¢ Èç¹ûÄãҪɾ³ýÒ»¸öACE£¬Äã¿ÉÒÔʹÓÃDeleteAceº¯Êý

3¡¢ Èç¹ûÄãÒª¼ì²éÄãËùÉèÖõÄACLÊÇ·ñºÏ·¨£¬Äã¿ÉÒÔʹÓÃIsValidAclº¯Êý£¬Í¬Ñù£¬¶ÔÓÚSDµÄºÏ·¨Ò²ÓÐÒ»¸ö½ÐIsValidSecurityDescriptorµÄº¯Êý

¹ØÓÚÎÒÃÇ / ¸øÎÒÁôÑÔ / °æȨ¾Ù±¨ / Òâ¼û½¨Òé / ÍøÕ¾±à³ÌQQȺ   
Copyright ©2003- 2024 Lihuasoft.net webmaster(at)lihuasoft.net ¼ÓÔØʱ¼ä 0.00181