The Win32 API function GetExplicitEntriesFromAcl can be used to retrieve the explicit entries from a file's ACL. However, after making changes to some entries and converting the result into a new ACL using SetEntriesInAcl, applying the ACL back to the file with SetSecurityInfo results in the loss of all inherited entries, leaving only the changed explicit entries.

Is there an equivalent function "SetExplicitEntriesInAcl" that only replaces the explicit entries within an ACL structure while keeping the inherited entries intact?

Edit1: Code Sample

The following lines of code are being used for updating the ACL:
#include <windows.h>
#include <aclapi.h>

int RemoveAclAccessRights( HANDLE hFile, PSID SidPtr,
                           DWORD AccessRights, ACCESS_MODE AccessMode )
{
    PACL OldAcl = NULL, NewAcl = NULL;
    PSECURITY_DESCRIPTOR SecDesc = NULL;
    PEXPLICIT_ACCESS EntryList = NULL, EntryItem;
    ULONG EntryCount, EntryIndex;
    int r;

    // Get a pointer to the existing DACL (OldAcl points into SecDesc,
    // so only SecDesc is freed later)
    r = GetSecurityInfo(hFile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
                        NULL, NULL, &OldAcl, NULL, &SecDesc);
    if ( r != ERROR_SUCCESS )
        goto _CleanUp;

    // Extract only the explicit (non-inherited) ACEs as EXPLICIT_ACCESS entries
    r = GetExplicitEntriesFromAcl(OldAcl, &EntryCount, &EntryItem);
    if ( r != ERROR_SUCCESS )
        goto _CleanUp;
    EntryList = EntryItem;

    EntryIndex = 0;
    while ( EntryIndex < EntryCount ) {
        // ... update access entry ...
        EntryIndex++;
        EntryItem++;
    }

    // Create a new ACL from the explicit entries of the existing DACL
    r = SetEntriesInAcl(EntryCount, EntryList, NULL, &NewAcl);
    if ( r != ERROR_SUCCESS )
        goto _CleanUp;

    // Attach the new ACL as the object's DACL
    r = SetSecurityInfo(hFile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
                        NULL, NULL, NewAcl, NULL);

_CleanUp:
    // LocalFree(NULL) is a no-op, so the early exits are safe
    LocalFree(NewAcl);
    LocalFree(EntryList);
    LocalFree(SecDesc);
    return r;
}
Edit2: ACLs of the file and of the parent directory

The file ACL as output by the icacls command:
> icacls TestAcl01.txt
TestAcl01.txt VORDEFINIERT\Gäste:(R)
VORDEFINIERT\Administratoren:(I)(F)
NT-AUTORITÄT\SYSTEM:(I)(F)
NT-AUTORITÄT\Authentifizierte Benutzer:(I)(M)
VORDEFINIERT\Benutzer:(I)(RX)
Output of the icacls command in the parent directory:
> icacls .
. VORDEFINIERT\Administratoren:(I)(F)
VORDEFINIERT\Administratoren:(I)(OI)(CI)(IO)(F)
NT-AUTORITÄT\SYSTEM:(I)(F)
NT-AUTORITÄT\SYSTEM:(I)(OI)(CI)(IO)(F)
NT-AUTORITÄT\Authentifizierte Benutzer:(I)(M)
NT-AUTORITÄT\Authentifizierte Benutzer:(I)(OI)(CI)(IO)(M)
VORDEFINIERT\Benutzer:(I)(RX)
VORDEFINIERT\Benutzer:(I)(OI)(CI)(IO)(GR,GE)
The file has one explicit entry, "VORDEFINIERT\Gäste:(R)" (SID "S-1-5-32-546"). The other entries are inherited from the parent directory.

In the while loop above, when the SID matches, I try to remove the explicit entry with code like the following:
        if ( (EntryItem->Trustee.TrusteeForm == TRUSTEE_IS_SID) &&
             EqualSid(EntryItem->Trustee.ptstrName, SidPtr) ) {
            // Shift the remaining entries down over the matched one
            if ( EntryIndex < (EntryCount-1) )
                MoveMemory(&EntryList[EntryIndex], &EntryList[EntryIndex+1],
                           (EntryCount-EntryIndex-1)*sizeof(EntryList[0]));
            EntryCount--;
            // EntryIndex and EntryItem are not advanced: the next entry now
            // occupies the current slot
            continue;
        }
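The same operation with explicit and inherited entries handled separately, as an added example in PowerShell that is not part of the question or its comments; it uses the .NET FileSystemSecurity API instead of the raw Win32 calls above, the file path is an assumption, and the SID is the one from the question:

```powershell
# Added example, not the question's code: remove only the explicit ACEs granted
# to one SID from a file's DACL and leave every inherited ACE untouched. The
# FileSystemSecurity API can enumerate explicit and inherited rules separately,
# which gives the "SetExplicitEntriesInAcl" behaviour the question asks for.
$Path = 'C:\Temp\TestAcl01.txt'   # assumed path; only the file name is from the question
$Sid  = 'S-1-5-32-546'            # BUILTIN\Guests (VORDEFINIERT\Gäste), from the question

$acl = Get-Acl -LiteralPath $Path

# GetAccessRules(includeExplicit, includeInherited, targetType): request explicit
# rules only, with trustees as SIDs so the comparison does not depend on the
# display language of the account names.
$explicitRules = $acl.GetAccessRules($true, $false,
    [System.Security.Principal.SecurityIdentifier])

$removed = 0
foreach ($rule in $explicitRules) {
    if ($rule.IdentityReference.Value -eq $Sid) {
        # Removes exactly this ACE. Inherited ACEs were never part of
        # $explicitRules, so they cannot be affected here.
        $acl.RemoveAccessRuleSpecific($rule)
        $removed++
    }
}

if ($removed -gt 0) {
    # Write the DACL back. Inheritance from the parent stays enabled because
    # SetAccessRuleProtection was never called on $acl.
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Check: the inherited entries (IsInherited = True) must still be listed and
# no explicit entry for $Sid may remain.
(Get-Acl -LiteralPath $Path).GetAccessRules($true, $true,
    [System.Security.Principal.SecurityIdentifier]) |
    Select-Object @{n='SID'; e={$_.IdentityReference.Value}},
                  FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

The caller needs WRITE_DAC on the file (normally the owner or an administrator); the final listing is the same information icacls shows, with inherited entries marked by IsInherited instead of (I).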
SetSecurityInfo
inherited ACEs are only added then, and not when processing files. - blerontin
icacls output? (4) Which version of Windows are you using? - Harry Johnston