
How to change file rights

Posted: Fri Nov 03, 2006 7:27 pm
by JCorral
Hello,
Is there any example for changing NTFS rights for files, for example

user1: allow read and write and deny delete
user2: allow delete

Thanks

Posted: Sat Nov 04, 2006 3:51 pm
by madshi
madSecurity allows you to manage several different security objects. NTFS rights is just one thing. What you want to do could look like this:

Code:

FileSecurity('c:\blabla').DAcl.SetFileAccess(Account('SomeUser'), true);

This would give write access to the user "SomeUser" to the file or directory "c:\blabla". What you're asking for is a bit more complicated. See here for detailed information from Microsoft:

http://windowssdk.msdn.microsoft.com/en ... 17875.aspx
http://windowssdk.msdn.microsoft.com/en ... 85569.aspx

E.g. to give a user the right for deletion, I think this should do the trick:

Code:

FileSecurity('c:\blabla').DAcl.NewItem(Account('SomeUser'), _DELETE);

In order to block deletion right, you'd probably have to do this:

Code:

FileSecurity('c:\blabla').DAcl.NewItem(Account('SomeUser'), _DELETE, atDenied);

I've not tested this, though, it's just written from the top of my head. Please let me know if you run into any trouble this way. Please also, when testing, try these things first on a not-so-important test folder/file, so that you don't accidentally remove your own access rights, so that Windows doesn't boot correctly anymore!

Generally, there's an access control list. And you must be careful to not flood this list with too many contradicting items about the same user. So if you want to define access for a specific user, you might want to first delete any items in the ACL for this user by doing this:

Code:

DAcl.DeleteItems(Account('SomeUser'));

Posted: Sun Nov 05, 2006 7:41 pm
by JCorral

Code:

procedure TForm1.Button1Click(Sender: TObject);
var ISecObj: ISecurityObject;
     IACLObj: Iacl;

begin
     ISecObj:=FileSecurity('c:\xxx.pdf');
     IACLObj:=ISecObj.DAcl;
     IACLObj.DeleteItems(Account('gerardo'));
     ISecObj.DAcl.NewItem(Account('gerardo'), _DELETE, atDenied);
     ISecObj.DAcl.NewItem(Account('gerardo'), GENERIC_READ);
     ISecObj.DAcl.NewItem(Account('gerardo'), GENERIC_WRITE);
end;

procedure TForm1.Button2Click(Sender: TObject);
var ISecObj: ISecurityObject;
     IACLObj: Iacl;
begin
     ISecObj:=FileSecurity('c:\xxx.pdf');
     IACLObj:=ISecObj.DAcl;
     IACLObj.DeleteItems(Account('gerardo'));
     ISecObj.DAcl.NewItem(Account('gerardo'), _DELETE);
     ISecObj.DAcl.NewItem(Account('gerardo'), GENERIC_READ, atDenied);
     ISecObj.DAcl.NewItem(Account('gerardo'), GENERIC_WRITE);
end;

I press button1 and all is OK; button2 is OK too, but when I go to the Security tab in the properties for that file I receive a message from Windows about "The rights for file xxx.pdf are not ordered, blablabla......."

I have never seen this message before.


Thanks

Posted: Mon Nov 06, 2006 8:15 am
by madshi
Please don't use "ISecObj.DAcl" three times after each other. Every time ISecObj has to create a new IAcl instance. Instead please use IACLObj all the time. That saves performance. Anyway...

The ACEs (items in the ACLs) need to have a specific order. I think the "deny" items need to come first. So for the "deny" item try this:

Code:

IACLObj.InsertItem(NewAce(Account('gerardo'), GENERIC_READ, atDenied));

This adds the "deny" item at the beginning of the ACL, while IAcl.NewItem adds it at the end of the ACL.

The same message

Posted: Mon Nov 06, 2006 9:28 am
by JCorral
Code:

procedure TForm1.Button1Click(Sender: TObject);
var ISecObj: ISecurityObject;
    IACLObj: Iacl;
begin
  ISecObj:=FileSecurity('c:\xxx.pdf');
  IACLObj:=ISecObj.DAcl;
  IACLObj.DeleteItems(Account('gerardo'));
  IACLObj.InsertItem(NewAce(Account('gerardo'), _DELETE, atDenied));
  IACLObj.InsertItem(NewAce(Account('gerardo'), GENERIC_READ));
  IACLObj.InsertItem(NewAce(Account('gerardo'), GENERIC_WRITE));
end;

procedure TForm1.Button2Click(Sender: TObject);
var ISecObj: ISecurityObject;
    IACLObj: Iacl;
begin
  ISecObj:=FileSecurity('c:\xxx.pdf');
  IACLObj:=ISecObj.DAcl;
  IACLObj.DeleteItems(Account('gerardo'));
  IACLObj.InsertItem(NewAce(Account('gerardo'), GENERIC_READ, atDenied));
  IACLObj.InsertItem(NewAce(Account('gerardo'), _DELETE));
  IACLObj.InsertItem(NewAce(Account('gerardo'), GENERIC_WRITE));
end;

I see the same message with both buttons.

Posted: Mon Nov 06, 2006 9:49 am
by madshi
I think you didn't understand me. The *DENY* item needs to come first. The *ALLOW* items need to come last. So use "InsertItem" for the deny item and use "NewItem" for the other items.
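
An added illustration of the ordering rule discussed in this thread (not code from the thread or from madSecurity): a simplified Python model of an ordered DACL that shows why inserting every ACE at the front leaves the deny ACE last, and, going slightly beyond the thread, why a deny ACE placed after a matching allow ACE has no effect. The `Ace` class, the helper names and the sample ACLs are constructed for the example; the access check is a reduced model of the in-order ACE walk and covers explicit ACEs for a single trustee only.

```python
from dataclasses import dataclass

# File access masks from winnt.h; GENERIC_READ/WRITE map to these on files.
DELETE = 0x00010000
FILE_GENERIC_READ = 0x00120089
FILE_GENERIC_WRITE = 0x00120116

@dataclass(frozen=True)
class Ace:
    trustee: str
    mask: int
    deny: bool = False

def is_canonical(aces):
    """True if no deny ACE follows an allow ACE (explicit ACEs only)."""
    seen_allow = False
    for ace in aces:
        if ace.deny and seen_allow:
            return False
        seen_allow = seen_allow or not ace.deny
    return True

def access_check(aces, trustee, desired):
    """Simplified in-order walk: a deny on a still-needed bit fails, allows clear bits."""
    remaining = desired
    for ace in aces:
        if ace.trustee != trustee:
            continue
        if ace.deny and ace.mask & remaining:
            return False
        if not ace.deny:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False

def build(all_inserted):
    """Thread's ACL: deny DELETE, allow read, allow write (constructed sample)."""
    aces = [Ace("gerardo", DELETE, deny=True)]
    for mask in (FILE_GENERIC_READ, FILE_GENERIC_WRITE):
        # InsertItem-style adds go to the front, NewItem-style adds to the end.
        aces.insert(0 if all_inserted else len(aces), Ace("gerardo", mask))
    return aces

# Constructed ACL where an allow ACE already grants DELETE before the deny is reached.
LATE_DENY = [Ace("gerardo", DELETE | FILE_GENERIC_READ), Ace("gerardo", DELETE, deny=True)]

if __name__ == "__main__":
    print(is_canonical(build(True)), is_canonical(build(False)))
    print(access_check(LATE_DENY, "gerardo", DELETE), access_check(LATE_DENY[::-1], "gerardo", DELETE))
```
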

Posted: Mon Nov 06, 2006 11:45 am
by JCorral
Working.

Thanks a lot :D