I have searched, without joy, for code (using MadSecurity) to set the permissions on one file.
We have one file that is used for licensing. If the user deletes the file (by accident) it causes trouble and takes time to get it replaced.
I want to set permissions on the file, for all groups/user names, to deny all actions except read.
That should prevent deleting the file until ownership is taken, right?
You wrote "I suppose so." Do you know of any method to make it harder for a user to delete a file?
I had to add flush to get a change.
with FileSecurity('c:\someFolder\someFile.dat'), DAcl do
ProtectedDAcl := false;
I read that "Deny" permission takes precedence over "Allow" permissions.
How do I enable "Deny" write permission?
Please refer to the documentation about how to add Deny items, if you insist that you want to do that:
Of course there are other alternatives, from API hooking to writing kernel mode file system filter drivers. But that sounds like overkill to me.
> Of course there are other alternatives, from API hooking to writing kernel mode file system filter drivers. But that sounds like overkill to me.
I concur. The file deletion mistake has only happened with a couple of users but, if I can code something (in my program) to prevent the deletion or at least make it harder to delete the file, it might save some trouble and prevent a little bit of ill will.
As to the permissions, I assume if the user has administrator rights, setting the permissions to only "read and read & execute", has no real power to prevent deletion?
I ask because I have administers rights and a couple of times over the years I had to take ownership of a file to delete it and that is what I am attempting to duplicate with the one file.
Adds the group "Everyone" and sets the permissions.
Also the permissions are applied to the "Users" group.
The "Administrators" group is not altered.
In the end madSecurity is really only a wrapper around the win32 APIs. Maybe something weird is going on in the depths of the win32 APIs, I don't really know. You did do the "ProtectedDAcl := false", too, didn't you?
Does clear out all groups and the icon for the file actually changes to have a little lock in the bottom left corner.
Adds just the one group.
Not sure how to test if I can delete the file because I created the file and can delete it.