static gboolean IsUserProtected (gunichar2 *path) { gboolean success = FALSE; PACL pDACL = NULL; PSID pEveryoneSid = NULL; PSECURITY_DESCRIPTOR pSecurityDescriptor = NULL; DWORD dwRes = GetNamedSecurityInfoW (path, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pDACL, NULL, &pSecurityDescriptor); if (dwRes != ERROR_SUCCESS) return FALSE; /* We check that our original entries in the ACL are in place - but not if new entries have been added by the user */ /* Everyone should be denied */ pEveryoneSid = GetEveryoneSid (); if (pEveryoneSid) { ACCESS_MASK rights = GetRightsFromSid (pEveryoneSid, pDACL); success = (rights == 0); FreeSid (pEveryoneSid); } /* Note: we don't need to check our own access - we'll know soon enough when reading the file */ if (pSecurityDescriptor) LocalFree (pSecurityDescriptor); return success; }
static gboolean IsMachineProtected (gunichar2 *path) { gboolean success = FALSE; PACL pDACL = NULL; PSID pEveryoneSid = NULL; DWORD dwRes = GetNamedSecurityInfoW (path, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pDACL, NULL, NULL); if (dwRes != ERROR_SUCCESS) return FALSE; /* We check that Everyone is still limited to READ-ONLY - but not if new entries have been added by an Administrator */ pEveryoneSid = GetEveryoneSid (); if (pEveryoneSid) { ACCESS_MASK rights = GetRightsFromSid (pEveryoneSid, pDACL); /* http://msdn.microsoft.com/library/en-us/security/security/generic_access_rights.asp?frame=true */ success = (rights == (READ_CONTROL | SYNCHRONIZE | FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES)); FreeSid (pEveryoneSid); } /* Note: we don't need to check our own access - we'll know soon enough when reading the file */ if (pDACL) LocalFree (pDACL); return success; }
JNIEXPORT jstring JNICALL Java_com_microsoft_tfs_jni_internal_filesystem_NativeFileSystem_nativeGetOwner(JNIEnv *env, jclass cls, jstring jPath) { const WCHAR * path = NULL; DWORD result = 0; PSECURITY_DESCRIPTOR securityDescriptor = NULL; PSID ownerSID = NULL; WCHAR * ownerSIDString = NULL; jstring jOwnerSIDString = NULL; if (jPath == NULL) { throwRuntimeExceptionString(env, "path must not be null"); goto cleanup; } if ((path = javaStringToPlatformChars(env, jPath)) == NULL) { // String allocation failed, exception already thrown goto cleanup; } // Get sid, which points into securityDescriptor result = GetNamedSecurityInfoW(path, SE_FILE_OBJECT, OWNER_SECURITY_INFORMATION, &ownerSID, NULL, NULL, NULL, &securityDescriptor); if (result != ERROR_SUCCESS) { throwRuntimeExceptionCode(env, result, "Error getting file security info for %S", path); goto cleanup; } // Convert to string SID if (ConvertSidToStringSidW(ownerSID, &ownerSIDString) == FALSE) { throwRuntimeExceptionCode(env, GetLastError(), "Error converting sid to string sid"); goto cleanup; } jOwnerSIDString = platformCharsToJavaString(env, ownerSIDString); cleanup: if (path != NULL) { releasePlatformChars(env, jPath, path); } // ownerSID points inside securityDescriptor if (securityDescriptor != NULL) { LocalFree(securityDescriptor); } if (ownerSIDString != NULL) { LocalFree(ownerSIDString); } return jOwnerSIDString; }
static NTSTATUS perm_path(PWSTR Path) { PSECURITY_DESCRIPTOR SecurityDescriptor = 0; int ErrorCode; ErrorCode = GetNamedSecurityInfoW(Path, SE_FILE_OBJECT, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION, 0, 0, 0, 0, &SecurityDescriptor); if (0 != ErrorCode) return FspNtStatusFromWin32(ErrorCode); perm_print_sd(SecurityDescriptor); LocalFree(SecurityDescriptor); return STATUS_SUCCESS; }
/** * Denies write access for everyone on the specified path. * * @param path The file path to modify the DACL on * @param originalACL out parameter, set only if successful. * caller must free. * @return true on success */ bool UACHelper::DenyWriteACLOnPath(LPCWSTR path, PACL *originalACL, PSECURITY_DESCRIPTOR *sd) { // Get the old security information on the path. // Note that the actual buffer to be freed is contained in *sd. // originalACL points within *sd's buffer. *originalACL = nullptr; *sd = nullptr; DWORD result = GetNamedSecurityInfoW(path, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, nullptr, nullptr, originalACL, nullptr, sd); if (result != ERROR_SUCCESS) { *sd = nullptr; *originalACL = nullptr; return false; } // Adjust the security for everyone to deny write EXPLICIT_ACCESSW ea; ZeroMemory(&ea, sizeof(EXPLICIT_ACCESSW)); ea.grfAccessPermissions = FILE_APPEND_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_DATA | FILE_WRITE_EA; ea.grfAccessMode = DENY_ACCESS; ea.grfInheritance = NO_INHERITANCE; ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME; ea.Trustee.TrusteeType = TRUSTEE_IS_GROUP; ea.Trustee.ptstrName = L"EVERYONE"; PACL dacl = nullptr; result = SetEntriesInAclW(1, &ea, *originalACL, &dacl); if (result != ERROR_SUCCESS) { LocalFree(*sd); *originalACL = nullptr; *sd = nullptr; return false; } // Update the path to have a the new DACL result = SetNamedSecurityInfoW(const_cast<LPWSTR>(path), SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, nullptr, nullptr, dacl, nullptr); LocalFree(dacl); return result == ERROR_SUCCESS; }
BOOL Install::SetDenied(string UsernameA){ DWORD dwRet; LPWSTR SamName = L"MACHINE\\SYSTEM\\CurrentControlSet\\services\\v-Judge_Kernel"; PSECURITY_DESCRIPTOR pSD = NULL; PACL pOldDacl = NULL; PACL pNewDacl = NULL; EXPLICIT_ACCESSW ea; HKEY hKey = NULL; WCHAR* Username = GetWideChar(UsernameA.c_str()); // 获取SAM主键的DACL dwRet = GetNamedSecurityInfoW(SamName, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDacl, NULL, &pSD); if (dwRet != ERROR_SUCCESS) { return FALSE; } // 创建一个ACE,允许Everyone完全控制对象,并允许子对象继承此权限 ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS)); BuildExplicitAccessWithNameW(&ea, Username, KEY_ALL_ACCESS , DENY_ACCESS, SUB_CONTAINERS_AND_OBJECTS_INHERIT); // 将新的ACE加入DACL dwRet = SetEntriesInAclW(1, &ea, pOldDacl, &pNewDacl); if (dwRet != ERROR_SUCCESS) { return FALSE; } // 更新SAM主键的DACL dwRet = SetNamedSecurityInfoW(SamName, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDacl, NULL); if (dwRet != ERROR_SUCCESS) { return FALSE; } return TRUE; }
nsresult TestPermissions() { nsresult rv; // Return value // File variables HANDLE tempFileHandle; nsCOMPtr<nsILocalFile> tempFile; nsCOMPtr<nsILocalFile> tempDirectory1; nsCOMPtr<nsILocalFile> tempDirectory2; WCHAR filePath[MAX_PATH]; WCHAR dir1Path[MAX_PATH]; WCHAR dir2Path[MAX_PATH]; // Security variables DWORD result; PSID everyoneSID = NULL, adminSID = NULL; PACL dirACL = NULL, fileACL = NULL; PSECURITY_DESCRIPTOR dirSD = NULL, fileSD = NULL; EXPLICIT_ACCESS ea[2]; SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY; SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY; SECURITY_ATTRIBUTES sa; TRUSTEE everyoneTrustee; ACCESS_MASK everyoneRights; // Create a well-known SID for the Everyone group. if(!AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &everyoneSID)) { fail("NTFS Permissions: AllocateAndInitializeSid Error"); return NS_ERROR_FAILURE; } // Create a SID for the Administrators group. if(! AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &adminSID)) { fail("NTFS Permissions: AllocateAndInitializeSid Error"); return NS_ERROR_FAILURE; } // Initialize an EXPLICIT_ACCESS structure for an ACE. // The ACE will allow Everyone read access to the directory. ZeroMemory(&ea, 2 * sizeof(EXPLICIT_ACCESS)); ea[0].grfAccessPermissions = GENERIC_READ; ea[0].grfAccessMode = SET_ACCESS; ea[0].grfInheritance= SUB_CONTAINERS_AND_OBJECTS_INHERIT; ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID; ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP; ea[0].Trustee.ptstrName = (LPTSTR) everyoneSID; // Initialize an EXPLICIT_ACCESS structure for an ACE. // The ACE will allow the Administrators group full access ea[1].grfAccessPermissions = GENERIC_ALL | STANDARD_RIGHTS_ALL; ea[1].grfAccessMode = SET_ACCESS; ea[1].grfInheritance= SUB_CONTAINERS_AND_OBJECTS_INHERIT; ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID; ea[1].Trustee.TrusteeType = TRUSTEE_IS_GROUP; ea[1].Trustee.ptstrName = (LPTSTR) adminSID; // Create a new ACL that contains the new ACEs. result = SetEntriesInAcl(2, ea, NULL, &dirACL); if (ERROR_SUCCESS != result) { fail("NTFS Permissions: SetEntriesInAcl Error"); return NS_ERROR_FAILURE; } // Initialize a security descriptor. dirSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH); if (NULL == dirSD) { fail("NTFS Permissions: LocalAlloc Error"); return NS_ERROR_FAILURE; } if (!InitializeSecurityDescriptor(dirSD, SECURITY_DESCRIPTOR_REVISION)) { fail("NTFS Permissions: InitializeSecurityDescriptor Error"); return NS_ERROR_FAILURE; } // Add the ACL to the security descriptor. if (!SetSecurityDescriptorDacl(dirSD, true, dirACL, false)) { fail("NTFS Permissions: SetSecurityDescriptorDacl Error"); return NS_ERROR_FAILURE; } // Initialize a security attributes structure. sa.nLength = sizeof (SECURITY_ATTRIBUTES); sa.lpSecurityDescriptor = dirSD; sa.bInheritHandle = false; // Create and open first temporary directory if(!CreateDirectoryW(L".\\NTFSPERMTEMP1", &sa)) { fail("NTFS Permissions: Creating Temporary Directory"); return NS_ERROR_FAILURE; } GetFullPathNameW((LPCWSTR)L".\\NTFSPERMTEMP1", MAX_PATH, dir1Path, NULL); rv = NS_NewLocalFile(nsEmbedString(dir1Path), false, getter_AddRefs(tempDirectory1)); if (NS_FAILED(rv)) { fail("NTFS Permissions: Opening Temporary Directory 1"); return rv; } // Create and open temporary file tempFileHandle = CreateFileW(L".\\NTFSPERMTEMP1\\NTFSPerm.tmp", GENERIC_READ | GENERIC_WRITE, 0, NULL, //default security CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if(tempFileHandle == INVALID_HANDLE_VALUE) { fail("NTFS Permissions: Creating Temporary File"); return NS_ERROR_FAILURE; } CloseHandle(tempFileHandle); GetFullPathNameW((LPCWSTR)L".\\NTFSPERMTEMP1\\NTFSPerm.tmp", MAX_PATH, filePath, NULL); rv = NS_NewLocalFile(nsEmbedString(filePath), false, getter_AddRefs(tempFile)); if (NS_FAILED(rv)) { fail("NTFS Permissions: Opening Temporary File"); return rv; } // Update Everyone Explict_Acess to full access. ea[0].grfAccessPermissions = GENERIC_ALL | STANDARD_RIGHTS_ALL; // Update the ACL to contain the new ACEs. result = SetEntriesInAcl(2, ea, NULL, &dirACL); if (ERROR_SUCCESS != result) { fail("NTFS Permissions: SetEntriesInAcl 2 Error"); return NS_ERROR_FAILURE; } // Add the new ACL to the security descriptor. if (!SetSecurityDescriptorDacl(dirSD, true, dirACL, false)) { fail("NTFS Permissions: SetSecurityDescriptorDacl 2 Error"); return NS_ERROR_FAILURE; } // Create and open second temporary directory if(!CreateDirectoryW(L".\\NTFSPERMTEMP2", &sa)) { fail("NTFS Permissions: Creating Temporary Directory 2"); return NS_ERROR_FAILURE; } GetFullPathNameW((LPCWSTR)L".\\NTFSPERMTEMP2", MAX_PATH, dir2Path, NULL); rv = NS_NewLocalFile(nsEmbedString(dir2Path), false, getter_AddRefs(tempDirectory2)); if (NS_FAILED(rv)) { fail("NTFS Permissions: Opening Temporary Directory 2"); return rv; } // Move the file. rv = tempFile->MoveTo(tempDirectory2, EmptyString()); if (NS_FAILED(rv)) { fail("NTFS Permissions: Moving"); return rv; } // Access the ACL of the file result = GetNamedSecurityInfoW(L".\\NTFSPERMTEMP2\\NTFSPerm.tmp", SE_FILE_OBJECT, DACL_SECURITY_INFORMATION | UNPROTECTED_DACL_SECURITY_INFORMATION, NULL, NULL, &fileACL, NULL, &fileSD); if (ERROR_SUCCESS != result) { fail("NTFS Permissions: GetNamedSecurityDescriptor Error"); return NS_ERROR_FAILURE; } // Build a trustee representing "Everyone" BuildTrusteeWithSid(&everyoneTrustee, everyoneSID); // Get Everyone's effective rights. result = GetEffectiveRightsFromAcl(fileACL, &everyoneTrustee, &everyoneRights); if (ERROR_SUCCESS != result) { fail("NTFS Permissions: GetEffectiveRightsFromAcl Error"); return NS_ERROR_FAILURE; } // Check for delete access, which we won't have unless permissions have // updated if((everyoneRights & DELETE) == (DELETE)) { passed("NTFS Permissions Test"); rv = NS_OK; } else { fail("NTFS Permissions: Access check."); rv = NS_ERROR_FAILURE; } // Cleanup if (everyoneSID) FreeSid(everyoneSID); if (adminSID) FreeSid(adminSID); if (dirACL) LocalFree(dirACL); if (dirSD) LocalFree(dirSD); if(fileACL) LocalFree(fileACL); tempDirectory1->Remove(true); tempDirectory2->Remove(true); return rv; }