How to change file rights

delphi package - easy access to security apis

Postby JCorral » Fri Nov 03, 2006 7:27 pm

Hello,
Is there any example for changing NTFS rights for files, for example:

user1: allow read and write and deny delete
user2: allow delete

Thanks
JCorral
 
Posts: 4
Joined: Fri Nov 03, 2006 7:23 pm

Postby madshi » Sat Nov 04, 2006 3:51 pm

madSecurity allows you to manage several different security objects. NTFS rights is just one thing. What you want to do could look like this:

Code:
FileSecurity('c:\blabla').DAcl.SetFileAccess(Account('SomeUser'), true);

This would give write access to the user "SomeUser" to the file or directory "c:\blabla". What you're asking for is a bit more complicated. See here for detailed information from Microsoft:

http://windowssdk.msdn.microsoft.com/en ... 17875.aspx
http://windowssdk.msdn.microsoft.com/en ... 85569.aspx

E.g. to give a user the right for deletion, I think this should do the trick:

Code:
FileSecurity('c:\blabla').DAcl.NewItem(Account('SomeUser'), _DELETE);

In order to block deletion right, you'd probably have to do this:

Code:
FileSecurity('c:\blabla').DAcl.NewItem(Account('SomeUser'), _DELETE, atDenied);

I've not tested this, though, it's just written from the top of my head. Please let me know if you run into any trouble this way. Please also, when testing, try these things first on a not-so-important test folder/file, so that you don't accidentally remove your own access rights, so that Windows doesn't boot correctly anymore!

Generally, there's an access control list. And you must be careful to not flood this list with too many contradicting items about the same user. So if you want to define access for a specific user, you might want to first delete any items in the ACL for this user by doing this:

Code:
DAcl.DeleteItems(Account('SomeUser'));
madshi
Site Admin
 
Posts: 9545
Joined: Sun Mar 21, 2004 5:25 pm

Postby JCorral » Sun Nov 05, 2006 7:41 pm

Code:
procedure TForm1.Button1Click(Sender: TObject);
var ISecObj: ISecurityObject;
     IACLObj: Iacl;

begin
     ISecObj:=FileSecurity('c:\xxx.pdf');
     IACLObj:=ISecObj.DAcl;
     IACLObj.DeleteItems(Account('gerardo'));
     ISecObj.DAcl.NewItem(Account('gerardo'), _DELETE, atDenied);
     ISecObj.DAcl.NewItem(Account('gerardo'), GENERIC_READ);
     ISecObj.DAcl.NewItem(Account('gerardo'), GENERIC_WRITE);
end;

procedure TForm1.Button2Click(Sender: TObject);
var ISecObj: ISecurityObject;
     IACLObj: Iacl;
begin
     ISecObj:=FileSecurity('c:\xxx.pdf');
     IACLObj:=ISecObj.DAcl;
     IACLObj.DeleteItems(Account('gerardo'));
     ISecObj.DAcl.NewItem(Account('gerardo'), _DELETE);
     ISecObj.DAcl.NewItem(Account('gerardo'), GENERIC_READ, atDenied);
     ISecObj.DAcl.NewItem(Account('gerardo'), GENERIC_WRITE);
end;


I press button1 and all is OK, button2 is OK too, but when I go to the Security tab in the properties for that file I receive a message from Windows about "The rights for file xxx.pdf are not ordered, blablabla......."

I have never seen this message.


Thanks
JCorral
 

Postby madshi » Mon Nov 06, 2006 8:15 am

Please don't use "ISecObj.DAcl" three times after each other. Every time ISecObj has to create a new IAcl instance. Instead please use IACLObj all the time. That saves performance. Anyway...

The ACEs (items in the ACLs) need to have a specific order. I think the "deny" items need to come first. So for the "deny" item try this:

Code:
IACLObj.InsertItem(NewAce(Account('gerardo'), GENERIC_READ, atDenied));

This adds the "deny" item at the beginning of the ACL, while IAcl.NewItem adds it at the end of the ACL.
madshi

The same message

Postby JCorral » Mon Nov 06, 2006 9:28 am

procedure TForm1.Button1Click(Sender: TObject);
var ISecObj: ISecurityObject;
     IACLObj: Iacl;
begin
     ISecObj:=FileSecurity('c:\xxx.pdf');
     IACLObj:=ISecObj.DAcl;
     IACLObj.DeleteItems(Account('gerardo'));
     IACLObj.InsertItem(NewAce(Account('gerardo'), _DELETE, atDenied));
     IACLObj.InsertItem(NewAce(Account('gerardo'), GENERIC_READ));
     IACLObj.InsertItem(NewAce(Account('gerardo'), GENERIC_WRITE));
end;

procedure TForm1.Button2Click(Sender: TObject);
var ISecObj: ISecurityObject;
     IACLObj: Iacl;
begin
     ISecObj:=FileSecurity('c:\xxx.pdf');
     IACLObj:=ISecObj.DAcl;
     IACLObj.DeleteItems(Account('gerardo'));
     IACLObj.InsertItem(NewAce(Account('gerardo'), GENERIC_READ, atDenied));
     IACLObj.InsertItem(NewAce(Account('gerardo'), _DELETE));
     IACLObj.InsertItem(NewAce(Account('gerardo'), GENERIC_WRITE));
end;

I see the same message with both buttons.
JCorral
 

Postby madshi » Mon Nov 06, 2006 9:49 am

I think you didn't understand me. The *DENY* item needs to come first. The *ALLOW* items need to come last. So use "InsertItem" for the deny item and use "NewItem" for the other items.
madshi
Site Admin
 
Posts: 9545
Joined: Sun Mar 21, 2004 5:25 pm
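
The ordering rule from the reply above, as an added example (not part of the thread and not madSecurity code): a Python check of an SDDL DACL string against the documented ACE order, run over the three Button1 variants with InsertItem modelled as "prepend" and NewItem as "append", as the thread describes them. The SID, the pre-existing Administrators ACE and the `replay` helper are assumptions made for illustration.

```python
import re

# SDDL ACE: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\(([A-Z]+);([A-Z]*);([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")
DENY_TYPES = {"D", "OD", "XD"}
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID standing in for 'gerardo'
EXISTING = "(A;;FA;;;BA)"  # assumption: the file already carries one explicit allow ACE

def rank(ace_type, flags):
    """Documented DACL order: explicit deny (0), explicit allow (1), inherited (2)."""
    tokens = {flags[i:i + 2] for i in range(0, len(flags), 2)}
    if "ID" in tokens:
        return 2
    return 0 if ace_type in DENY_TYPES else 1

def first_misordered_ace(sddl):
    """Return the index of the first ACE that breaks the order, or None if canonical."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))*)", sddl)
    if dacl is None:
        raise ValueError("no DACL component in SDDL string")
    highest = 0
    for index, (ace_type, flags, _rights, _sid) in enumerate(ACE_RE.findall(dacl.group(1))):
        current = rank(ace_type, flags)
        if current < highest:
            return index
        highest = current
    return None

def replay(steps, existing=EXISTING):
    """Hypothetical model of the thread's description: InsertItem prepends, NewItem appends."""
    aces = [existing]
    for method, ace_type, rights in steps:
        ace = f"({ace_type};;{rights};;;{SID})"
        if method == "InsertItem":
            aces.insert(0, ace)
        else:
            aces.append(ace)
    return "D:" + "".join(aces)

# The three Button1 variants from the thread (SD = DELETE, GR/GW = generic read/write).
ALL_NEWITEM = replay([("NewItem", "D", "SD"), ("NewItem", "A", "GR"), ("NewItem", "A", "GW")])
ALL_INSERT = replay([("InsertItem", "D", "SD"), ("InsertItem", "A", "GR"), ("InsertItem", "A", "GW")])
DENY_FIRST = replay([("InsertItem", "D", "SD"), ("NewItem", "A", "GR"), ("NewItem", "A", "GW")])

if __name__ == "__main__":
    for name, sddl in [("all NewItem", ALL_NEWITEM), ("all InsertItem", ALL_INSERT),
                       ("deny via InsertItem", DENY_FIRST)]:
        print(f"{name:20} {sddl}\n  first misordered ACE: {first_misordered_ace(sddl)}")
```

The rank function also places inherited ACEs (flag ID) after every explicit ACE, as the documented order requires, so an explicit ACE appended behind inherited ones is reported too.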

Postby JCorral » Mon Nov 06, 2006 11:45 am

Working.

Thanks a lot :D
JCorral
 

