madSecurity and GetEffectiveRightsFromAcl

delphi package - easy access to security apis
Post Reply
glob
Posts: 2
Joined: Thu May 13, 2010 2:30 am

madSecurity and GetEffectiveRightsFromAcl

Post by glob »

hello,

i need to determine if the current user can delete a file before attempting to process it.

unfortunately i can't just create then delete a temp file in the directory as the directory is being monitored by shell events, so it looks like i need to play with GetEffectiveRightsFromAcl.

i've found code showing how to do it using jwscl, however i'd prefer to use madSecurity.

here's what i have so far:

Code: Select all

uses madSecurity, AclApi, AccCtrl, ...;

var
  secObj: ISecurityObject;
  dacl: IAcl;
  user: IAccount;
  trustee: _TRUSTEE_A;
  rights: cardinal;
  status: cardinal;
  s: string;
begin
  secObj := FileSecurity('C:\temp\filename.ext');
  dacl := secObj.DAcl;

  user := CurrentUser();
  trustee.pMultipleTrustee := nil;
  trustee.MultipleTrusteeOperation := NO_MULTIPLE_TRUSTEE;
  trustee.TrusteeForm := TRUSTEE_IS_SID;
  trustee.TrusteeType := TRUSTEE_IS_USER;
  trustee.ptstrName := user.PSid;

  status := GetEffectiveRightsFromAcl(dacl.PAcl^, trustee, rights);
  if (status <> ERROR_SUCCESS) then
    raise exception.Create('#' + inttostr(status) + ' ' + SysErrorMessage(status));
end;
this appears to work (it doesn't throw an error!) however i'm not sure how to interpret the returned rights.

as a test i blocked my ability to read the file, and used:

Code: Select all

s := '';
if ((rights and $00010000) <> 0) then
  s := s + 'delete ';
if ((rights and $00020000) <> 0) then
  s := s + 'read_control ';
if ((rights and $00040000) <> 0) then
  s := s + 'write_dac ';
if ((rights and $00080000) <> 0) then
  s := s + 'write_owner ';
if ((rights and $00100000) <> 0) then
  s := s + 'synchronize ';
however this code reports that i have read_control access.

is anyone able to point me in the right direction please?
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Looks ok to me on a quick check. FWIW, "READ_CONTROL" means that you can read the file's DACL. It doesn't mean that you can open/read the file itself! There's a different flag for that.
glob
Posts: 2
Joined: Thu May 13, 2010 2:30 am

Post by glob »

madshi wrote:Looks ok to me on a quick check. FWIW, "READ_CONTROL" means that you can read the file's DACL. It doesn't mean that you can open/read the file itself! There's a different flag for that.
ahhh, that's probably where i'm going wrong.

thanks for the reply :)
Post Reply