Set permissions...

delphi package - easy access to security apis


Post by Mark- » Tue May 17, 2016 4:22 pm

Hello,

I have searched, without joy, for code (using MadSecurity) to set the permissions on one file.
We have one file that is used for licensing. If the user deletes the file (by accident) it causes trouble and takes time to get it replaced.
I want to set permissions on the file, for all groups/user names, to deny all actions except read.
That should prevent deleting the file until ownership is taken, right?

Ideas?

Thanks,

Mark
Mark-
 
Posts: 13
Joined: Sat May 24, 2014 4:51 pm

Re: Set permissions...

Post by madshi » Tue May 17, 2016 4:35 pm

I suppose so. Code should look something like this (written from head, not tested):

with FileSecurity('c:\someFolder\someFile.dat'), DAcl do
begin
  ProtectedDAcl := false;
  Clear;
  SetFileAccess(Everyone, false);
end;
madshi
Site Admin
 
Posts: 9618
Joined: Sun Mar 21, 2004 5:25 pm

Re: Set permissions...

Post by Mark- » Tue May 17, 2016 5:23 pm

Hello,

Thank you.

You wrote "I suppose so." Do you know of any method to make it harder for a user to delete a file?

I had to add flush to get a change.

with FileSecurity('c:\someFolder\someFile.dat'), DAcl do
begin
  ProtectedDAcl := false;
  Clear;
  SetFileAccess(Everyone, false);
  Flush;  // <-- added
end;

I read that "Deny" permission takes precedence over "Allow" permissions.
How do I enable "Deny" write permission?

Thanks again,

Mark

Re: Set permissions...

Post by madshi » Tue May 17, 2016 5:27 pm

Deny does take precedence over Allow, but if the ACL is empty except for read access, then that's basically the same as Deny. The Deny only helps if somehow new ACL entries are added later on.

Please refer to the documentation about how to add Deny items, if you insist that you want to do that:

http://help.madshi.net/madSecurity.htm

Of course there are other alternatives, from API hooking to writing kernel mode file system filter drivers. But that sounds like overkill to me.

Re: Set permissions...

Post by Mark- » Tue May 17, 2016 5:41 pm

Thanks

> Of course there are other alternatives, from API hooking to writing kernel mode file system filter drivers. But that sounds like overkill to me.

I concur. The file deletion mistake has only happened with a couple of users but, if I can code something (in my program) to prevent the deletion or at least make it harder to delete the file, it might save some trouble and prevent a little bit of ill will.

As to the permissions, I assume if the user has administrator rights, setting the permissions to only "read and read & execute", has no real power to prevent deletion?

I ask because I have administrator rights and a couple of times over the years I had to take ownership of a file to delete it and that is what I am attempting to duplicate with the one file.

Re: Set permissions...

Post by madshi » Tue May 17, 2016 5:49 pm

IIRC it doesn't matter whether you're admin or not. If you don't have explicit (either by user name or user group) rights to delete the file, then you can't delete it. Of course as an admin you can take ownership. I don't think you can prevent that, without resorting to those overkill methods.

Re: Set permissions...

Post by Mark- » Tue May 17, 2016 6:08 pm

Yeah it appears:

SetFileAccess(Everyone, false);

Adds the group "Everyone" and sets the permissions.
Also the permissions are applied to the "Users" group.
The "Administrators" group is not altered.

I tried:
iso.DAcl.SetFileAccess(Account('Administrators'),false);
iso.DAcl.SetFileAccess(AuthenticatedUsers,false);
iso.DAcl.SetFileAccess(CurrentUser,false);

no joy.

Re: Set permissions...

Post by madshi » Tue May 17, 2016 6:12 pm

That's why there's a "Clear" in my original code, which should completely empty the DACL, so that only Everyone is in it afterwards.

Re: Set permissions...

Post by Mark- » Tue May 17, 2016 6:20 pm

> That's why there's a "Clear" in my original code, which should completely empty the DACL, so that only Everyone is in it afterwards.

Clear does not delete:

Authenticated users
System
Administrators
Users

Re: Set permissions...

Post by madshi » Tue May 17, 2016 6:23 pm

It's supposed to. In that case I'm not sure what's happening.

In the end madSecurity is really only a wrapper around the win32 APIs. Maybe something weird is going on in the depths of the win32 APIs, I don't really know. You did do the "ProtectedDAcl := false", too, didn't you?

Re: Set permissions...

Post by Mark- » Tue May 17, 2016 6:28 pm

> You did do the "ProtectedDAcl := false", too, didn't you?

Yes.

Clear does delete some other groups, just not the listed four.

Re: Set permissions...

Post by madshi » Tue May 17, 2016 6:32 pm

Well, I don't know why. Maybe they are inherited from the parent folder somehow? But I thought that ProtectedDAcl would take care of that.

Re: Set permissions...

Post by Mark- » Tue May 17, 2016 6:33 pm

I did a test.

ShowMessage(IntToStr(iso.DAcl.ItemCount)); // shows 4
iso.DAcl.Clear;
iso.DAcl.Flush;
ShowMessage(IntToStr(iso.DAcl.ItemCount)); // shows 0

But the four are not deleted from the file.

Re: Set permissions...

Post by madshi » Tue May 17, 2016 6:41 pm

Then they're probably inherited from the parent folder. Maybe it would make sense to use a Deny ACE, after all. Might be easier than trying to find the parent who inherited those remaining entries.

Re: Set permissions...

Post by Mark- » Tue May 17, 2016 6:47 pm

More testing

iso.DAcl.Deallocate;

Does clear out all groups and the icon for the file actually changes to have a little lock in the bottom left corner.

Then

iso.DAcl.SetFileAccess(Everyone,false);

Adds just the one group.

Not sure how to test if I can delete the file because I created the file and can delete it.
Mark-
 
Posts: 13
Joined: Sat May 24, 2014 4:51 pm
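
The approach the thread converges on, written against the .NET access-control classes from PowerShell rather than madSecurity. This is an added example, not code from the thread or from the madSecurity package; the path is the placeholder used in the posts above and both function names are hypothetical. It protects the DACL so inherited entries are dropped, leaves one Allow-read entry for Everyone, and then reports what can still permit a delete: the file's owner and any "delete child" right on the parent folder.

```powershell
# Added example. $path is the placeholder path from the thread; function names are hypothetical.
$path = 'C:\someFolder\someFile.dat'

function Set-ReadOnlyDacl {
    param([Parameter(Mandatory)][string]$LiteralPath)
    $acl = Get-Acl -LiteralPath $LiteralPath
    # isProtected = $true blocks inheritance from the parent folder;
    # preserveInheritance = $false drops inherited ACEs instead of copying them.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove the explicit ACEs one by one (inherited ones are handled above).
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRuleSpecific($ace)
    }
    # Single Allow ACE: Everyone (well-known SID S-1-1-0) may read and execute.
    $everyone = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $everyone,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $LiteralPath -AclObject $acl
}

function Get-DeleteExposure {
    param([Parameter(Mandatory)][string]$LiteralPath)
    $deleteChild = [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $acl    = Get-Acl -LiteralPath $LiteralPath
    $parent = Get-Acl -LiteralPath (Split-Path -Parent $LiteralPath)
    [pscustomobject]@{
        # By default the owner can rewrite the DACL without taking ownership first.
        Owner = $acl.Owner
        # IsInherited = True marks entries that still come from the parent folder.
        FileAces = $acl.Access |
            Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
        # "Delete child" on the folder lets a caller delete the file even
        # without DELETE on the file itself.
        ParentDeleteChild = $parent.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights.HasFlag($deleteChild) -and
            -not $_.PropagationFlags.HasFlag($inheritOnly)
        } | Select-Object IdentityReference, FileSystemRights
    }
}

Set-ReadOnlyDacl -LiteralPath $path
Get-DeleteExposure -LiteralPath $path | Format-List
```

To test deletion as someone other than the file's creator, run the delete from a second, non-owner account after applying the DACL.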
