Windows System Programming Third Edition [Electronic resources] نسخه متنی

Example: Changing File Permissions

Program 15-5 completes the collection of file security functions. This function, ChangeFilePermissions, replaces the existing security descriptor with a new one, preserving the user and group SIDs but creating a new discretionary ACL.

Program 15-5. ChangeFilePermissions: Changing Security Attributes

BOOL ChangeFilePermissions (DWORD fPm, LPCTSTR FNm, LPDWORD AceMsk)
/* Change permissions in existing file. Group is left unchanged. */
{
TCHAR UsrNm [ACCT_NAME_SIZE], GrpNm [ACCT_NAME_SIZE];
LPSECURITY_ATTRIBUTES pSA;
PSECURITY_DESCRIPTOR pSD = NULL;
HANDLE hSecHeap;
if (_taccess (FNm, 0) != 0) return FALSE;
ReadFilePermissions (FNm, UsrNm, GrpNm);
pSA = InitializeUnixSA (fPm, UsrNm, GrpNm, AceMsk, &hSecHeap);
pSD = pSA->lpSecurityDescriptor;
SetFileSecurity (FileName, DACL_SECURITY_INFORMATION, pSD);
HeapDestroy (hSecHeap);
return TRUE;
}

Comments on the File Permissions

When you're running these programs, it is interesting to monitor the file system using the Windows Explorer. This utility cannot interpret the access-denied ACEs and will not be able to display the permissions. The Windows NT 4.0 Explorer will generate an exception on encountering an access-denied ACE.

Using the access-denied ACEs is necessary, however, to emulate the UNIX semantics. If they are omitted, the Windows Explorer can view the permissions. A collection of permissions set with, for example, 0446 would then allow the user and group members to write to the file because Everyone can write to the file. UNIX, however, does not act this way; it prevents the user and group members from writing to the file.

Also observe what happens when you try to create a secured file on a diskette or other FAT file system and when you run the program under Windows 9x.