我正在开发一个 cpp 程序,为给定文件夹设置 SACL 属性。
我目前的做法是:
我的问题是程序不检查 SACL 是否已设置
我尝试使用 GetAuditedPermissionsFromAcl() 函数获取 Everyone 组的 AccessRights,但得到的访问权限(成功和失败)与我在创建 ExplicitAccess 对象时使用的 DWORD 值不匹配,而且仅凭 AccessRights 我无法检查子文件夹和文件是否继承了 SACL。
我还尝试使用 GetExplicitEntriesFromAcl() 函数从 sacl 读取 Explicit_Access 对象,但我不知道如何遍历显式条目数组并检查它们
有没有简单的方法来检查文件夹是否启用了 SACL 策略?
#include <windows.h>
#include <stdio.h>
#include <AccCtrl.h>
#include <AclAPI.h>
#include <string>
#include <sddl.h>
#include <algorithm>
#include <iostream>
// Forward declaration; the definition appears after main(). Not called by the code shown here.
static PSTR WINAPI SIDToName(PSID lpSID);
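/// @brief Enables SeSecurityPrivilege (SE_SECURITY_NAME) in the current process token.
///
/// Despite its name, this function does not change scheduling priority; it only
/// adjusts a token privilege. That privilege is what allows a process to read or
/// write the SACL of a securable object.
///
/// @return TRUE only when the privilege was actually enabled; FALSE when the token
///         could not be opened, the privilege name could not be resolved, or the
///         token does not hold the privilege.
static BOOL UpProcessPriority() {
    HANDLE h_token_handle = nullptr;
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES,
                          &h_token_handle)) {
        return FALSE;
    }

    TOKEN_PRIVILEGES token_privileges = {};
    token_privileges.PrivilegeCount = 1;
    token_privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // SE_SECURITY_NAME is a TEXT() literal, so use the character-set-neutral
    // macro to keep the string width and the function variant in agreement.
    BOOL result = LookupPrivilegeValue(nullptr, SE_SECURITY_NAME,
                                       &token_privileges.Privileges[0].Luid);
    if (result != 0) {
        result = AdjustTokenPrivileges(
            h_token_handle, FALSE, &token_privileges, 0, nullptr, nullptr);
        // AdjustTokenPrivileges reports success even when the token does not
        // hold the requested privilege; that case is only visible through
        // GetLastError() == ERROR_NOT_ALL_ASSIGNED.
        if (result != 0 && GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
            result = FALSE;
        }
    }

    CloseHandle(h_token_handle);
    return result;
}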
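/// @brief Reads the security descriptor of a fixed directory and reports its
///        inheritance-protection flags and whether a SACL with audit ACEs is set.
///
/// @return 0 when the descriptor was read and reported, 1 on any failure.
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    // Requesting SACL_SECURITY_INFORMATION requires SeSecurityPrivilege to be
    // enabled in the token; without it the query below is expected to fail.
    if (!UpProcessPriority()) {
        std::cerr << "warning: SeSecurityPrivilege could not be enabled; "
                     "reading the SACL will probably fail" << std::endl;
    }

    const SECURITY_INFORMATION requestedInfo =
        DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION;
    /*CHAR filePath[MAX_PATH] = "C:\\Program Files\\zsw";*/
    CHAR filePath[MAX_PATH] = "C:\\Program Files\\";

    // First call only probes for the required buffer size; the only
    // acceptable failure here is ERROR_INSUFFICIENT_BUFFER.
    DWORD secSize = 0;
    if (!GetFileSecurityA(filePath, requestedInfo, NULL, 0, &secSize)) {
        const DWORD probeError = GetLastError();
        if (probeError != ERROR_INSUFFICIENT_BUFFER) {
            std::cout << probeError << std::endl;
            return 1;
        }
    }
    if (secSize == 0) {
        std::cerr << "security descriptor size could not be determined" << std::endl;
        return 1;
    }

    PSECURITY_DESCRIPTOR pSecDes = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, secSize);
    if (pSecDes == NULL) {
        std::cerr << "out of memory" << std::endl;
        return 1;
    }

    int exitCode = 0;
    if (!GetFileSecurityA(filePath, requestedInfo, pSecDes, secSize, &secSize)) {
        std::cout << GetLastError() << std::endl;
        exitCode = 1;
    }
    else {
        SECURITY_DESCRIPTOR_CONTROL pControl;
        DWORD revision;
        if (GetSecurityDescriptorControl(pSecDes, &pControl, &revision))
        {
            // SE_DACL_PROTECTED / SE_SACL_PROTECTED only say that inherited
            // ACEs are blocked for this object. They do not say whether an
            // ACL exists or whether auditing is configured.
            if ((pControl & SE_DACL_PROTECTED) == SE_DACL_PROTECTED) {
                std::cout << "DACL: can not use, disable " << std::endl;
            }
            else {
                std::cout << "DACL: can use, enable" << std::endl;
            }
            if ((pControl & SE_SACL_PROTECTED) == SE_SACL_PROTECTED) {
                std::cout << "SACL: can not use, disable" << std::endl;
            }
            else {
                std::cout << "SACL: can use, enable" << std::endl;
            }
        }
        else {
            std::cout << GetLastError() << std::endl;
            exitCode = 1;
        }

        // Whether auditing entries are actually set is answered by the SACL
        // itself: it must be present, non-NULL and contain at least one ACE.
        // pSacl points into pSecDes, so it is only valid until the HeapFree below.
        BOOL saclPresent = FALSE;
        BOOL saclDefaulted = FALSE;
        PACL pSacl = NULL;
        if (GetSecurityDescriptorSacl(pSecDes, &saclPresent, &pSacl, &saclDefaulted)) {
            if (saclPresent && pSacl != NULL && pSacl->AceCount > 0) {
                std::cout << "SACL: set, " << pSacl->AceCount << " ACE(s)" << std::endl;
            }
            else {
                std::cout << "SACL: not set (no audit ACEs)" << std::endl;
            }
        }
        else {
            std::cout << GetLastError() << std::endl;
            exitCode = 1;
        }
    }

    HeapFree(GetProcessHeap(), 0, pSecDes);
    return exitCode;
}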
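/// @brief Resolves a SID to its account name.
///
/// @param lpSID SID to look up on the local system.
/// @return Account name in a buffer allocated from the process heap, which the
///         caller must release with HeapFree(GetProcessHeap(), 0, ...);
///         NULL when the lookup or an allocation fails.
PSTR WINAPI SIDToName(PSID lpSID)
{
    DWORD nameSize = 0;
    DWORD domainSize = 0;
    SID_NAME_USE peUse;

    // Size probe: with NULL buffers the call is expected to fail with
    // ERROR_INSUFFICIENT_BUFFER and fill in both required sizes. Any other
    // outcome leaves the sizes unusable, so no buffer is handed back.
    if (LookupAccountSidA(NULL, lpSID, NULL, &nameSize, NULL, &domainSize, &peUse)) {
        return NULL;
    }
    const DWORD probeError = GetLastError();
    if (probeError != ERROR_INSUFFICIENT_BUFFER || nameSize == 0) {
        std::cout << probeError << std::endl;
        return NULL;
    }

    LPSTR userName = static_cast<LPSTR>(HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, nameSize));
    // A zero-byte request still yields a valid pointer, so at least one byte is requested.
    LPSTR domainName = static_cast<LPSTR>(
        HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, domainSize > 0 ? domainSize : 1));

    if (userName != NULL && domainName != NULL &&
        !LookupAccountSidA(NULL, lpSID, userName, &nameSize, domainName, &domainSize, &peUse)) {
        std::cout << GetLastError() << std::endl;
        HeapFree(GetProcessHeap(), 0, userName);
        userName = NULL;
    }
    else if (domainName == NULL && userName != NULL) {
        // Allocation of the domain buffer failed; do not return an unfilled name.
        HeapFree(GetProcessHeap(), 0, userName);
        userName = NULL;
    }

    // The domain name is only needed to satisfy the API; it is not returned.
    if (domainName != NULL) {
        HeapFree(GetProcessHeap(), 0, domainName);
    }
    return userName;
}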