Set permissions...

delphi package - easy access to security apis
Mark-
Posts: 20
Joined: Sat May 24, 2014 4:51 pm

Set permissions...

Post by Mark- »

Hello,

I have searched, without joy, for code (using MadSecurity) to set the permissions on one file.
We have one file that is used for licensing. If the user deletes the file (by accident) it causes trouble and takes time to get it replaced.
I want to set permissions on the file, for all groups/user names, to deny all actions except read.
That should prevent deleting the file until ownership is taken, right?

Ideas?

Thanks,

Mark
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Set permissions...

Post by madshi »

I suppose so. Code should look something like this (written from head, not tested):


with FileSecurity('c:\someFolder\someFile.dat'), DAcl do
begin
  ProtectedDAcl := false;
  Clear;
  SetFileAccess(Everyone, false);
end;
Mark-

Re: Set permissions...

Post by Mark- »

Hello,

Thank you.

You wrote "I suppose so." Do you know of any method to make it harder for a user to delete a file?

I had to add flush to get a change.

with FileSecurity('c:\someFolder\someFile.dat'), DAcl do
begin
  ProtectedDAcl := false;
  Clear;
  SetFileAccess(Everyone, false);
  Flush;  // <--------------- added this line
end;

I read that "Deny" permission takes precedence over "Allow" permissions.
How do I enable "Deny" write permission?

Thanks again,

Mark
madshi

Re: Set permissions...

Post by madshi »

Deny does take precedence over Allow, but if the ACL is empty except for read access, then that's basically the same as Deny. The Deny only helps if somehow new ACL entries are added later on.

Please refer to the documentation about how to add Deny items, if you insist that you want to do that:

http://help.madshi.net/madSecurity.htm

Of course there are other alternatives, from API hooking to writing kernel mode file system filter drivers. But that sounds like overkill to me.
Mark-

Re: Set permissions...

Post by Mark- »

Thanks

> Of course there are other alternatives, from API hooking to writing kernel mode file system filter drivers. But that sounds like overkill to me.

I concur. The file deletion mistake has only happened with a couple of users but, if I can code something (in my program) to prevent the deletion or at least make it harder to delete the file, it might save some trouble and prevent a little bit of ill will.

As to the permissions, I assume that if the user has administrator rights, setting the permissions to only "read and read & execute" has no real power to prevent deletion?

I ask because I have administrator rights, and a couple of times over the years I had to take ownership of a file to delete it, and that is what I am attempting to duplicate with the one file.
madshi

Re: Set permissions...

Post by madshi »

IIRC it doesn't matter whether you're admin or not. If you don't have explicit (either by user name or user group) rights to delete the file, then you can't delete it. Of course as an admin you can take ownership. I don't think you can prevent that, without resorting to those overkill methods.
Mark-

Re: Set permissions...

Post by Mark- »

Yeah, it appears:

SetFileAccess(Everyone, false);

Adds the group "Everyone" and sets the permissions.
Also the permissions are applied to the "Users" group.
The "Administrators" group is not altered.

I tried:
iso.DAcl.SetFileAccess(Account('Administrators'),false);
iso.DAcl.SetFileAccess(AuthenticatedUsers,false);
iso.DAcl.SetFileAccess(CurrentUser,false);

no joy.
madshi

Re: Set permissions...

Post by madshi »

That's why there's a "Clear" in my original code, which should completely empty the DACL, so that only Everyone is in it afterwards.
Mark-

Re: Set permissions...

Post by Mark- »

>That's why there's a "Clear" in my original code, which should completely empty the DACL, so that only Everyone is in it afterwards.

Clear does not delete:

Authenticated users
System
Administrators
Users
madshi

Re: Set permissions...

Post by madshi »

It's supposed to. In that case I'm not sure what's happening.

In the end madSecurity is really only a wrapper around the win32 APIs. Maybe something weird is going on in the depths of the win32 APIs, I don't really know. You did do the "ProtectedDAcl := false", too, didn't you?
Mark-

Re: Set permissions...

Post by Mark- »

>You did do the "ProtectedDAcl := false", too, didn't you?

Yes.

Clear does delete some other groups, just not the listed four.
madshi

Re: Set permissions...

Post by madshi »

Well, I don't know why. Maybe they are inherited from the parent folder somehow? But I thought that ProtectedDAcl would take care of that.
Mark-

Re: Set permissions...

Post by Mark- »

I did a test.

ShowMessage(IntToStr(iso.DAcl.ItemCount));  // <---- shows 4
iso.DAcl.Clear;
iso.DAcl.Flush;
ShowMessage(IntToStr(iso.DAcl.ItemCount));  // <---- shows 0

But the four are not deleted from the file.
madshi

Re: Set permissions...

Post by madshi »

Then they're probably inherited from the parent folder. Maybe it would make sense to use a Deny ACE, after all. Might be easier than trying to find the parent who inherited those remaining entries.
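Added example (editor's illustration, not madSecurity code and not from this thread): Windows keeps ACEs inherited from the parent folder separate from a file's own entries, which is why clearing the file's DACL leaves them in place. The script below, using the .NET ACL classes from PowerShell, lists the inherited entries, sets the DACL's protected flag (the same thing the thread's ProtectedDAcl property controls) so they stop applying, then builds the read-only-plus-Deny-Delete DACL discussed above; the file path is an assumed placeholder.

```powershell
# Assumed placeholder path; replace with the real licence file.
$path = 'C:\someFolder\someFile.dat'

# 1. Show which ACEs are inherited. These are the entries a Clear on the
#    file's own DACL cannot remove: they come from the parent folder.
$acl = Get-Acl -Path $path
$acl.Access | Where-Object { $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# 2. Protect the DACL against inheritance and drop the inherited ACEs
#    (arguments: isProtected = $true, preserveInheritance = $false).
$acl.SetAccessRuleProtection($true, $false)

# 3. Remove any explicit ACEs that remain so the DACL starts empty.
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

# 4. Allow read and execute for Everyone ...
$allowRead = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Everyone', 'ReadAndExecute', 'Allow')
$acl.AddAccessRule($allowRead)

# 5. ... and add an explicit Deny for Delete. Deny is evaluated before Allow,
#    so it still holds if a later change adds an Allow entry.
$denyDelete = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Everyone', 'Delete', 'Deny')
$acl.AddAccessRule($denyDelete)

Set-Acl -Path $path -AclObject $acl

# 6. Verify: no inherited entries left, Deny/Delete present.
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited

# Caveats: an administrator can still take ownership and rewrite the DACL,
# and a principal holding Delete on the parent folder (FILE_DELETE_CHILD)
# can delete the file regardless of the file's own DACL.
```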
Mark-

Re: Set permissions...

Post by Mark- »

More testing:

iso.DAcl.Deallocate;

Does clear out all groups and the icon for the file actually changes to have a little lock in the bottom left corner.

Then

iso.DAcl.SetFileAccess(Everyone,false);

Adds just the one group.

Not sure how to test if I can delete the file because I created the file and can delete it.