I've got a strange problem: if I have a file with access rights 'Everyone=Read&Execute' and I add an entry with full access for my current user, and then remove the entry for my user, I can still modify and delete the file. Why is that? The Windows permissions dialog then just shows 'Everyone=Read&Execute' and nothing more...
This time I could reproduce the behaviour again: I changed the permissions of a directory (let's call it the root directory) and its subfolders and files from Everyone=Read+Execute to Everyone=Read+Execute and Me=FullControl. After that, I opened a programming project within this root directory and coded for a while. Then I closed my IDE and changed the permissions back (for all objects within the root, and the root itself). When using the file properties dialog, the permissions only showed Everyone=Read+Execute for the root directory and all of the subfolders and files, but I was still able to rename files and folders within the root. After a reboot, I could not rename the files and folders anymore.
Is there any explanation for this?
Should I post some code of my application?
The following procedure adds the 'full control' permission to the object specified by O (O is a string identifying a file or folder) after removing all previous permissions for the specified user. There is an outer procedure (around this one) that loops through folders, subfolders and files and calls AddPermission for every single file, folder and subfolder.
// Grants the account named in fAccountName full control over the object O.
// Uses madSecurity's FileSecurity wrapper; O, fAccountName, CurrentUser and Err
// are declared in the enclosing unit. Note that ownership is taken first.
procedure AddPermission;
begin
  with FileSecurity (O) do
  begin
    // take ownership if the current user does not already own the object
    if not Owner.IsEqual (CurrentUser) then
      Owner := CurrentUser;
    // drop every existing ACE for the account ...
    DAcl.DeleteItems (Account (fAccountName));
    // ... and add one allow ACE that propagates to subfolders and files;
    // $D0000000 = GENERIC_READ or GENERIC_WRITE or GENERIC_ALL
    DAcl.NewItem (Account (fAccountName), $D0000000, atAllowed,
                  [afObjectInherit, afContainerInherit]);
    DAcl.Flush;
    if not Success then
      Err := true;
  end;
end;
// Removes every ACE for fAccountName from the object O. The ownership change
// made here (and in AddPermission) is not undone afterwards.
procedure RemovePermission;
begin
  with FileSecurity (O) do
  begin
    if not Owner.IsEqual (CurrentUser) then
      Owner := CurrentUser;
    DAcl.DeleteItems (Account (fAccountName));
    DAcl.Flush;
    if not Success then
      Err := true;
  end;
end;
// Enables every privilege already present in the process token, except
// SeBackupPrivilege and SeRestorePrivilege (skipped on purpose, see below).
// AdjustTokenPrivileges can only toggle privileges the token already holds;
// it cannot add new ones.
procedure EnableAllPrivileges;
type
  TTokenPrivileges = record
    PrivilegeCount : DWord;
    Privileges     : array [0..MaxInt shr 4 - 1] of TLUIDAndAttributes;
  end;
var
  c1, c2          : dword;
  i1              : integer;
  ptp             : ^TTokenPrivileges;
  backup, restore : int64;
begin
  if OpenProcessToken (windows.GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, c1) then
    try
      c2 := 0;
      // first call only reports the required buffer size in c2
      GetTokenInformation (c1, TokenPrivileges, nil, 0, c2);
      if c2 <> 0 then begin
        ptp := pointer (LocalAlloc (LPTR, c2 * 2));
        if GetTokenInformation (c1, TokenPrivileges, ptp, c2 * 2, c2) then begin
          // enabling backup/restore privileges breaks Explorer's Samba support
          if not LookupPrivilegeValue (nil, pchar ('SeBackupPrivilege'), backup) then
            backup := 0;
          if not LookupPrivilegeValue (nil, pchar ('SeRestorePrivilege'), restore) then
            restore := 0;
          // set SE_PRIVILEGE_ENABLED on every LUID except the two above
          for i1 := 0 to integer (ptp^.PrivilegeCount) - 1 do
            if (ptp^.Privileges [i1].Luid <> backup) and
               (ptp^.Privileges [i1].Luid <> restore) then
              ptp^.Privileges [i1].Attributes :=
                ptp^.Privileges [i1].Attributes or SE_PRIVILEGE_ENABLED;
          AdjustTokenPrivileges (c1, false, PTokenPrivileges (ptp)^, c2,
                                 PTokenPrivileges (nil)^, cardinal (pointer (nil)^));
        end;
        LocalFree (DWord (ptp));
      end;
    finally
      CloseHandle (c1);
    end;
end;
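The following script is an added example, not code from the original post or from madSecurity. It walks a scratch folder through the same three states described above (Everyone=RX, then +current user=FullControl, then back to Everyone=RX) and after each step prints what the basic Properties dialog does not show: the owner, the raw SDDL, and whether a rename actually succeeds. It assumes Windows PowerShell 5.1 or later, an NTFS volume under $env:TEMP and a normal (non-elevated) session; the folder and file names are constructed for the demo.

```powershell
# Added example (not part of the original post): reproduce the ACL cycle from the post
# on a scratch tree and dump owner, SDDL and a real rename check after every step.
$ErrorActionPreference = 'Stop'

$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')  # well-known SID: Everyone
$me       = [System.Security.Principal.WindowsIdentity]::GetCurrent().User       # SID of the caller

# Constructed sample tree: one root folder and one file, like the post's "root directory".
$root = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid().ToString('N'))
$file = Join-Path $root 'sample.txt'
New-Item -ItemType Directory -Path $root | Out-Null
Set-Content -Path $file -Value 'constructed sample content'

function New-DirRule ([System.Security.Principal.IdentityReference]$Id,
                      [System.Security.AccessControl.FileSystemRights]$Rights) {
    # ACE for a folder that propagates to subfolders (ContainerInherit) and files (ObjectInherit)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
               -ArgumentList $Id, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
}
function New-FileRule ([System.Security.Principal.IdentityReference]$Id,
                       [System.Security.AccessControl.FileSystemRights]$Rights) {
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
               -ArgumentList $Id, $Rights, 'Allow'
}

function Set-ExplicitDacl ([string]$Path, [System.Security.AccessControl.FileSystemAccessRule[]]$Rules) {
    # Replace the DACL of $Path with exactly $Rules: stop inheriting, discard the
    # inherited ACEs, purge the explicit ones, then add the requested ACEs.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRuleAll($old) }
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    # This Set-Acl succeeds even when the DACL grants the caller nothing, because the
    # owner of an object always has implicit READ_CONTROL and WRITE_DAC.
    Set-Acl -Path $Path -AclObject $acl
}

function Show-State ([string]$Label) {
    $acl = Get-Acl -Path $file
    Write-Host "== $Label"
    Write-Host "   owner : $($acl.Owner)"   # not shown on the basic Security tab
    Write-Host "   sddl  : $($acl.Sddl)"
    # A rename needs DELETE on the file or FILE_DELETE_CHILD on its parent, so the
    # DACLs of both the file and the root matter. The check runs when the handle is
    # opened; a handle opened earlier keeps the rights it was granted then.
    try {
        Rename-Item -Path $file -NewName 'sample.renamed'
        Rename-Item -Path (Join-Path $root 'sample.renamed') -NewName 'sample.txt'
        Write-Host '   rename: allowed'
    } catch {
        Write-Host "   rename: denied ($($_.Exception.GetType().Name))"
    }
}

try {
    # 1. Everyone = Read & Execute only, on root and file.
    Set-ExplicitDacl $root @(New-DirRule  $everyone 'ReadAndExecute')
    Set-ExplicitDacl $file @(New-FileRule $everyone 'ReadAndExecute')
    Show-State 'Everyone=RX'

    # 2. The post's AddPermission step: add FullControl for the current user.
    Set-ExplicitDacl $root @((New-DirRule  $everyone 'ReadAndExecute'), (New-DirRule  $me 'FullControl'))
    Set-ExplicitDacl $file @((New-FileRule $everyone 'ReadAndExecute'), (New-FileRule $me 'FullControl'))
    Show-State 'Everyone=RX + me=FullControl'

    # 3. The post's RemovePermission step: drop the user's ACE again. The owner is
    #    still the current user, which the dialog in the post would not reveal.
    Set-ExplicitDacl $root @(New-DirRule  $everyone 'ReadAndExecute')
    Set-ExplicitDacl $file @(New-FileRule $everyone 'ReadAndExecute')
    Show-State 'Everyone=RX again (owner unchanged)'
}
finally {
    # Give ourselves FullControl back so the scratch tree can be deleted.
    Set-ExplicitDacl $root @(New-DirRule  $me 'FullControl')
    Set-ExplicitDacl $file @(New-FileRule $me 'FullControl')
    Remove-Item -Path $root -Recurse -Force
}
```

Run it from a non-elevated PowerShell (elevated sessions make BUILTIN\Administrators the owner of new files, which changes the picture). Step 3 shows the result of a fresh access check against the restored DACL; compare it with what Explorer or your own application still lets you do on the real tree. Any difference there is not explained by the DACL alone, so the next things to look at are the owner (Advanced Security Settings, not the basic Security tab) and whether any process still holds handles that were opened while the FullControl ACE was present.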