I am trying to write a simple function for Windows that answers the following question:
Does user (U) have rights (R) on file (F)?
R is some combination of (GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE), and U is not required to be logged in or impersonated.
The code I have written is shown below. The application calls the first UserHasPermission shown.
The access rights returned by GetEffectiveRightsFromAcl are identical for all user/file combinations that I tested ($001200A9). I double-checked, and $001200A9 is not just a pointer to the location where the access rights are actually stored.
My question is twofold: 1. Is there a better way to do this?
2. Can anyone tell me where I am going wrong?

    function UserHasPermission(APermission: Longword; out HasPermission: Boolean;
      AFileName: WideString; AUserName: String; ADomainName: String): Boolean; overload;
    var
      SID: PSID;
      ACL: PACL;
    begin
      SID := nil;
      ACL := nil;
      try
        Result := GetUserSID(SID, AUserName, ADomainName);
        Result := Result and GetFileDACL(AFileName, ACL);
        Result := Result and UserHasPermission(APermission, HasPermission, ACL, SID);
      finally
        Dispose(SID);
      end;
    end;

    function UserHasPermission(APermission: Longword; out HasPermission: Boolean;
      AACL: PACL; AUserSID: PSID): Boolean; overload;
    var
      T: TRUSTEE;
      Rights: ACCESS_MASK;
    begin
      BuildTrusteeWithSid(@T, AUserSID);
      Result := GetEffectiveRightsFromAcl(AACL, @T, @Rights) = ERROR_SUCCESS;
      // Every requested bit must be present in the effective rights
      HasPermission := (Rights and APermission) = APermission;
    end;

    function GetUserSID(out ASID: PSID; AUserName: WideString;
      const ADomainName: WideString): Boolean;
    var
      NSID, NDomain: Longword;
      Use: SID_NAME_USE;
      DomainName: WideString;
    begin
      Result := False;
      if Length(AUserName) > 0 then
      begin
        if Length(ADomainName) > 0 then
          AUserName := ADomainName + '\' + AUserName;
        // Determine the memory requirements
        NSID := 0;
        NDomain := 0;
        LookupAccountNameW(nil, PWideChar(AUserName), nil, NSID, nil, NDomain, Use);
        // Allocate memory
        GetMem(ASID, NSID);
        SetLength(DomainName, NDomain);
        Result := LookupAccountNameW(nil, PWideChar(AUserName), ASID, NSID,
          PWideChar(DomainName), NDomain, Use);
      end;
    end;

    function GetFileDACL(AFileName: WideString; out AACL: PACL): Boolean;
    var
      SD: PSecurityDescriptor;
      NSD, NNeeded: Longword;
      Present, Defaulted: LongBool;
    begin
      // First call only reports the required buffer size in NNeeded
      GetFileSecurityW(PWideChar(AFileName), DACL_SECURITY_INFORMATION, nil, 0, NNeeded);
      GetMem(SD, NNeeded);
      try
        NSD := NNeeded;
        Result := GetFileSecurityW(PWideChar(AFileName), DACL_SECURITY_INFORMATION,
          SD, NSD, NNeeded);
        // AACL points into the SD buffer, which is released below
        Result := Result and GetSecurityDescriptorDacl(SD, Present, AACL, Defaulted);
        Result := Result and Present;
      finally
        Dispose(SD);
      end;
    end;

It all depends on the ACL, e.g. if everyone is given full control, then any user has full control.
The code looks fine, and you are using the Win32 security API to do the heavy lifting.
Tip: To test your code, create a very specific ACL (to keep it simple) that does not start with a grant, and then only includes a different user.
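
As an added example (not part of the original question or answer), the Python below decodes the mask reported in the question, $001200A9, and shows that it carries no generic bits, so a direct comparison against GENERIC_READ cannot match until the generic right is expanded with the file generic mapping, which is what the Win32 MapGenericMask function does. The constants are the documented winnt.h values; the function names are illustrative assumptions.

```python
# Added example: constants are the documented winnt.h values; function names are illustrative.
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
GENERIC_EXECUTE, GENERIC_ALL = 0x20000000, 0x10000000

# File-specific and standard access rights, lowest bit first.
FILE_BITS = {
    0x000001: "FILE_READ_DATA", 0x000002: "FILE_WRITE_DATA",
    0x000004: "FILE_APPEND_DATA", 0x000008: "FILE_READ_EA",
    0x000010: "FILE_WRITE_EA", 0x000020: "FILE_EXECUTE",
    0x000040: "FILE_DELETE_CHILD", 0x000080: "FILE_READ_ATTRIBUTES",
    0x000100: "FILE_WRITE_ATTRIBUTES", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}

# Generic mapping for file objects: what each generic right expands to.
FILE_GENERIC_MAPPING = {
    GENERIC_READ: 0x120089,     # FILE_GENERIC_READ
    GENERIC_WRITE: 0x120116,    # FILE_GENERIC_WRITE
    GENERIC_EXECUTE: 0x1200A0,  # FILE_GENERIC_EXECUTE
    GENERIC_ALL: 0x1F01FF,      # FILE_ALL_ACCESS
}

def decode_file_mask(mask):
    """Names of the specific/standard rights set in a file access mask."""
    return [name for bit, name in FILE_BITS.items() if mask & bit]

def map_generic(mask):
    """Replace generic bits with file-specific bits, as MapGenericMask does."""
    for generic, specific in FILE_GENERIC_MAPPING.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask & 0xFFFFFFFF

def has_permission(effective, wanted):
    """True when every right in `wanted` (generic bits allowed) is in `effective`."""
    needed = map_generic(wanted)
    return (effective & needed) == needed

EFFECTIVE = 0x001200A9  # value reported in the question

if __name__ == "__main__":
    print(decode_file_mask(EFFECTIVE))
    print("naive GENERIC_READ test:", (EFFECTIVE & GENERIC_READ) == GENERIC_READ)
    for name, right in (("read", GENERIC_READ), ("write", GENERIC_WRITE),
                        ("execute", GENERIC_EXECUTE)):
        print(name, has_permission(EFFECTIVE, right))
```

The mask decodes to read and execute access without write, which is what a broad group grant on a file typically produces and fits the answer's point that the result depends on the ACL.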