How to change file rights

delphi package - easy access to security apis
JCorral
Posts: 4
Joined: Fri Nov 03, 2006 7:23 pm

Post by JCorral »

Hello,
Is there any example for changing NTFS rights for files, for example:

user1: allow read and write and deny delete
user2: allow delete

Thanks
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

madSecurity allows you to manage several different security objects. NTFS rights is just one thing. What you want to do could look like this:

Code:

FileSecurity('c:\blabla').DAcl.SetFileAccess(Account('SomeUser'), true);

This would give write access to the user "SomeUser" to the file or directory "c:\blabla". What you're asking for is a bit more complicated. See here for detailed information from Microsoft:

http://windowssdk.msdn.microsoft.com/en ... 17875.aspx
http://windowssdk.msdn.microsoft.com/en ... 85569.aspx

E.g. to give a user the right for deletion, I think this should do the trick:

Code:

FileSecurity('c:\blabla').DAcl.NewItem(Account('SomeUser'), _DELETE);

In order to block deletion right, you'd probably have to do this:

Code:

FileSecurity('c:\blabla').DAcl.NewItem(Account('SomeUser'), _DELETE, atDenied);

I've not tested this, though, it's just written from the top of my head. Please let me know if you run into any trouble this way. Please also, when testing, try these things first on a not-so-important test folder/file, so that you don't accidentally remove your own access rights, so that Windows doesn't boot correctly anymore!

Generally, there's an access control list. And you must be careful to not flood this list with too many contradicting items about the same user. So if you want to define access for a specific user, you might want to first delete any items in the ACL for this user by doing this:

Code:

DAcl.DeleteItems(Account('SomeUser'));
JCorral
Posts: 4
Joined: Fri Nov 03, 2006 7:23 pm

Post by JCorral »

Code:

procedure TForm1.Button1Click(Sender: TObject);
var ISecObj: ISecurityObject;
     IACLObj: Iacl;

begin
     ISecObj:=FileSecurity('c:\xxx.pdf');
     IACLObj:=ISecObj.DAcl;
     IACLObj.DeleteItems(Account('gerardo'));
     ISecObj.DAcl.NewItem(Account('gerardo'), _DELETE, atDenied);
     ISecObj.DAcl.NewItem(Account('gerardo'), GENERIC_READ);
     ISecObj.DAcl.NewItem(Account('gerardo'), GENERIC_WRITE);
end;

procedure TForm1.Button2Click(Sender: TObject);
var ISecObj: ISecurityObject;
     IACLObj: Iacl;
begin
     ISecObj:=FileSecurity('c:\xxx.pdf');
     IACLObj:=ISecObj.DAcl;
     IACLObj.DeleteItems(Account('gerardo'));
     ISecObj.DAcl.NewItem(Account('gerardo'), _DELETE);
     ISecObj.DAcl.NewItem(Account('gerardo'), GENERIC_READ, atDenied);
     ISecObj.DAcl.NewItem(Account('gerardo'), GENERIC_WRITE);
end;

I press button1 and all is OK, button2 is OK too, but when I go to the security tab in the properties for that file I receive a message from Windows about "The rights for file xxx.pdf are not ordered, blablabla......."

I have never seen this message.


Thanks
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Please don't use "ISecObj.DAcl" three times after each other. Every time ISecObj has to create a new IAcl instance. Instead please use IACLObj all the time. That saves performance. Anyway...

The ACEs (items in the ACLs) need to have a specific order. I think the "deny" items need to come first. So for the "deny" item try this:

Code:

IACLObj.InsertItem(NewAce(Account('gerardo'), GENERIC_READ, atDenied));

This adds the "deny" item at the beginning of the ACL, while IAcl.NewItem adds it at the end of the ACL.
JCorral
Posts: 4
Joined: Fri Nov 03, 2006 7:23 pm

The same message

Post by JCorral »

procedure TForm1.Button1Click(Sender: TObject);
var ISecObj: ISecurityObject;
    IACLObj: Iacl;
begin
  ISecObj:=FileSecurity('c:\xxx.pdf');
  IACLObj:=ISecObj.DAcl;
  IACLObj.DeleteItems(Account('gerardo'));
  IACLObj.InsertItem(NewAce(Account('gerardo'), _DELETE, atDenied));
  IACLObj.InsertItem(NewAce(Account('gerardo'), GENERIC_READ));
  IACLObj.InsertItem(NewAce(Account('gerardo'), GENERIC_WRITE));
end;

procedure TForm1.Button2Click(Sender: TObject);
var ISecObj: ISecurityObject;
    IACLObj: Iacl;
begin
  ISecObj:=FileSecurity('c:\xxx.pdf');
  IACLObj:=ISecObj.DAcl;
  IACLObj.DeleteItems(Account('gerardo'));
  IACLObj.InsertItem(NewAce(Account('gerardo'), GENERIC_READ, atDenied));
  IACLObj.InsertItem(NewAce(Account('gerardo'), _DELETE));
  IACLObj.InsertItem(NewAce(Account('gerardo'), GENERIC_WRITE));
end;

I see the same message with both buttons.
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

I think you didn't understand me. The *DENY* item needs to come first. The *ALLOW* items need to come last. So use "InsertItem" for the deny item and use "NewItem" for the other items.
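An added example, not part of the thread and not madSecurity code: a simplified Python model of why the order of ACEs matters, replaying the InsertItem/NewItem sequences discussed above. It assumes, as the thread states, that InsertItem prepends and NewItem appends; `Ace`, `build`, `is_canonical` and `access_check` are hypothetical names and the ACLs are constructed samples.

```python
from dataclasses import dataclass

# Access-mask bits with their winnt.h values; the model treats them as opaque bits.
DELETE, GENERIC_WRITE, GENERIC_READ = 0x00010000, 0x40000000, 0x80000000

@dataclass(frozen=True)
class Ace:
    deny: bool               # True = access-denied ACE, False = access-allowed ACE
    trustee: str
    mask: int
    inherited: bool = False

def build(steps):
    """Replay (method, ace) steps: 'insert' prepends, 'new' appends (assumed)."""
    acl = []
    for method, ace in steps:
        if method == "insert":
            acl.insert(0, ace)
        else:
            acl.append(ace)
    return acl

def is_canonical(acl):
    """Explicit deny, explicit allow, inherited deny, inherited allow (one level)."""
    rank = [(a.inherited, not a.deny) for a in acl]
    return rank == sorted(rank)

def access_check(acl, trustee, desired):
    """Simplified ordered walk: stop at the first deny of a still-needed bit."""
    remaining = desired
    for ace in acl:
        if ace.trustee != trustee:
            continue
        if ace.deny and ace.mask & remaining:
            return False            # a requested right is denied
        if not ace.deny:
            remaining &= ~ace.mask  # these rights are now granted
        if remaining == 0:
            return True
    return False                    # not every requested right was granted

# Constructed sample ACEs for the account name used in the thread.
deny_del = Ace(True, "gerardo", DELETE)
allow_r, allow_w = Ace(False, "gerardo", GENERIC_READ), Ace(False, "gerardo", GENERIC_WRITE)
allow_all = Ace(False, "gerardo", DELETE | GENERIC_READ | GENERIC_WRITE)
# all_insert: InsertItem for all three. fixed: InsertItem for deny, NewItem for allows.
all_insert = build([("insert", deny_del), ("insert", allow_r), ("insert", allow_w)])
fixed = build([("insert", deny_del), ("new", allow_r), ("new", allow_w)])
shadowed = [allow_all, deny_del]  # broad allow ahead of the deny
```

In `shadowed` a delete request is granted even though a deny ACE exists, because the walk is satisfied by the earlier allow ACE; keeping deny ACEs first prevents that.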
JCorral
Posts: 4
Joined: Fri Nov 03, 2006 7:23 pm

Post by JCorral »

Working.

Thanks a lot :D