C ++ modify the user access permission program code of a file (folder)

Http://www.cppblog.com/wrhwww/archive/2011/08/23/154117.html

C ++ modify the user access permission program code of a file (folder)

Generally, system files (folders) in Windows only allow restricted accounts to read and not write or modify files. If you want to enable the write operation permission, you need to manually modify the security permissions of the user account of the file (folder) (this operation must be executed under the Administrator account of course). The following program encapsulates this operation:

First let's get an API version:

//

// Enable all operation permissions of an account on a file (folder)

// Pszpath: file (folder) path

// Pszaccount: Account name

//

Bool enablefileaccountprivilege (pctstr pszpath, pctstr pszaccount)

{

Bool bsuccess = true;

PACl pnewdacl = NULL, polddacl = NULL;

Explicit_access EA;

Do

{

// Obtain the DACL list of a file (folder) security object

If (error_success! =: Getnamedsecurityinfo (lptstr) pszpath, se_file_object, dacl_security_information, null, null, & polddacl, null, null ))

{

Bsuccess = false;

Break;

}

// The addaccessallowedace function cannot be used directly here. Because the existing DACL length is fixed, a new DACL object must be created.

// Generate access control information for the specified user account (all access permissions are granted here)

: Buildexplicitaccesswithname (& EA, (lptstr) pszaccount, generic_all, grant_access, sub_containers_and_objects_inherit );

// Create a new ACL object (merge the existing ACL object with the newly generated User Account Access Control Information)

If (error_success! =: Setentriesinacl (1, & EA, polddacl, & pnewdacl ))

{

Bsuccess = false;

Break;

} [Next]

// Set the DACL list of the file (folder) security object

If (error_success! =: Setnamedsecurityinfo (lptstr) pszpath, se_file_object, dacl_security_information, null, null, pnewdacl, null ))

{

Bsuccess = false;

}

} While (false );

// Release resources

If (pnewdacl! = NULL)

: Localfree (pnewdacl );

Return bsuccess;

} ATL encapsulates security operation functions. It is much easier to write with ATL ://

// Enable all operation permissions of an account on a file (folder) (ATL Version)

// Pszpath: file (folder) path

// Pszaccount: Account name

//

Bool atlenablefileaccountprivilege (pctstr pszpath, pctstr pszaccount)

{

Cdacl DACL;

Csid;

// Obtain the user account identifier

If (! Sid. loadaccount (pszaccount ))

{

Return false;

}

// Obtain the DACL of a file (folder)

If (! Atlgetdacl (pszpath, se_file_object, & DACL ))

{

Return false;

}

// Add a new ACE entry in DACL

DACL. addallowedace (SID, generic_all );

// Set the DACL of a file (folder)

Return atlsetdacl (pszpath, se_file_object, DACL )? True: false;

}

Source: http://www.uniuc.com/computer/show-6322-1.html \\\

Control the access permissions of folders through programs.
Bool my_setfoldersecurity (wchar * szpath)
{
Sid_identifier_authority SIA = security_nt_authority;
Psid psidsystem = NULL;
Psid psidadmins = NULL;
Psid psidworld = NULL;
PACl pdacl = NULL;
Explicit_access EA [4];
Security_descriptor secdesc;

Ulong lres = error_success;

_ Try
{
// Create system Sid
If (! Allocateandinitializesid (& sia, 1, security_local_system_rid,
0, 0, 0, 0, 0, 0, 0, & psidsystem ))
{
Lres = getlasterror ();
_ Leave;
}

// Create local administrators alias Sid
If (! Allocateandinitializesid (& sia, 2, security_builtin_domain_rid,
Domain_alias_rid_admins, 0, 0, 0, 0,
0, 0, & psidadmins ))
{
Lres = getlasterror ();
_ Leave;
}

// Create authenticated users well-known group Sid
If (! Allocateandinitializesid (& sia, 1, security_authenticated_user_rid,
0, 0, 0, 0, 0, 0, 0, & psidworld ))
{
Lres = getlasterror ();
_ Leave;
}

// Fill an entry for the system account
EA [0]. grfaccessmode = grant_access;
EA [0]. grfaccesspermissions = file_all_access;
EA [0]. grfinheritance = object_inherit_ace | container_inherit_ace;
EA [0]. Trustee. multipletrusteeoperation = no_multiple_trustee;
EA [0]. Trustee. pmultipletrustee = NULL;
EA [0]. Trustee. trusteeform = trustee_is_sid;
EA [0]. Trustee. trusteetype = trustee_is_well_known_group;
EA [0]. Trustee. ptstrname = (lptstr) psidsystem;

// Fill an entry entries for the administrators alias
EA [1]. grfaccessmode = grant_access;
EA [1]. grfaccesspermissions = file_all_access;
EA [1]. grfinheritance = object_inherit_ace | container_inherit_ace;
EA [1]. Trustee. multipletrusteeoperation = no_multiple_trustee;
EA [1]. Trustee. pmultipletrustee = NULL;
EA [1]. Trustee. trusteeform = trustee_is_sid;
EA [1]. Trustee. trusteetype = trustee_is_alias;
EA [1]. Trustee. ptstrname = (lptstr) psidadmins;

// Fill an entry for the authenticated users well-known group
EA [2]. grfaccessmode = grant_access;
EA [2]. grfaccesspermissions = file_generic_read | file_generic_write;
EA [2]. grfinheritance = object_inherit_ace | container_inherit_ace;
EA [2]. Trustee. multipletrusteeoperation = no_multiple_trustee;
EA [2]. Trustee. pmultipletrustee = NULL;
EA [2]. Trustee. trusteeform = trustee_is_sid;
EA [2]. Trustee. trusteetype = trustee_is_well_known_group;
EA [2]. Trustee. ptstrname = (lptstr) psidworld;

// Create a DACL
Lres = setentriesinacl (3, EA, null, & pdacl );
If (lres! = Error_success)
_ Leave;

// Initialize Security Descriptor
If (! Initializesecuritydescriptor (& secdesc, security_descriptor_revision ))
_ Leave;

If (! Setsecuritydescriptordacl (& secdesc, true, pdacl, false ))
_ Leave;

// Assign security descriptor to the key
// Lres = regsetkeysecurity (hkey, dacl_security_information, & secdesc );

Lres = sr_setfilesecurityrecursive (szpath, dacl_security_information, & secdesc );

// Lres = setfilesecurity (szpath, dacl_security_information, & secdesc );

}
_ Finally
{
If (psidsystem! = NULL)
Freesid (psidsystem );
If (psidadmins! = NULL)
Freesid (psidadmins );
If (psidworld! = NULL)
Freesid (psidworld );
If (pdacl! = NULL)
Localfree (hlocal) pdacl );
}

Setlasterror (lres );
Return lres! = Error_success;
}

Command what is yours
Conquer what is not

========================================================== ============================
I solved the problem and found it in msdn.
(From msdn)

# DEFINE _ win32_winnt 0x0500

# Include <windows. h>
# Include <SDDL. h>
# Include <stdio. h>

Bool createmydacl (security_attributes *);

Void main ()
{
Security_attributes SA;

SA. nlength = sizeof (security_attributes );
SA. binherithandle = false;

// Call function to set the DACL. the DACL
// Is set in the security_attributes
// Lpsecuritydescriptor member.
If (! Createmydacl (& SA ))
{
// Error encountered; generate message and exit.
Printf ("failed createmydacl \ n ");
Exit (1 );
}

// Use the updated security_attributes to specify
// Security attributes for securable objects.
// This example uses security attributes
// Creation of a new directory.
If (0 = createdirectory (text ("C: \ myfolder"), & SA ))
{
// Error encountered; generate message and exit.
Printf ("failed createdirectory \ n ");
Exit (1 );
}

// Free the memory allocated for the security_descriptor.
If (null! = Localfree (SA. lpsecuritydescriptor ))
{
// Error encountered; generate message and exit.
Printf ("failed localfree \ n ");
Exit (1 );
}
}

Bool createmydacl (security_attributes * PSA)
{
Tchar * szsd = text ("D:") // discretionary ACL
Text ("(D; oici; GA; BG)") // deny access to built-in guests
Text ("(D; oici; GA; An)") // deny access to Anonymous Logon
Text ("(A; oici; grgwgx; Au)") // allow read/write/execute to authenticated users

Text ("(A; oici; GA; BA)"); // allow full control to administrators

If (null = psa)
Return false;

Return convertstringsecuritydescriptortosecuritydescriptor (
Szsd,
Sddl_revision_1,
& (PSA-> lpsecuritydescriptor ),
Null );
}