Programmatic implementation traverse ACL access control List check process access rights

Source: Internet
Author: User
Tags: data structures, function prototype, system log

Readers of this article should already have a basic understanding of the Windows access control model: what an access token, an ACL (access control list), a DACL (discretionary access control list) and an ACE (access control entry) are, and how these terms relate to each other. I will also give a brief overview of the ACM in the text.

The main purpose of this article is to write a local privilege escalation tool on Windows, which involves operating on ACLs. I had always avoided ACLs before: the Windows access control model is complex and a headache, and a single API pulls in a pile of other APIs just to initialize its arguments. Since it concerns the security of user access, it is of course not possible for programmers to change these mechanisms at will, and the complexity is understandable, but the related APIs and structures are complicated and poorly documented; the descriptions of some access-control APIs and structures on MSDN are vague and have no code examples. This article was written after reviewing some foreign literature and doing my own testing, and I hope it helps friends who are programming in this area.

--->> Readers familiar with the Windows access control mechanism can skip this section:

Since this is an introduction for newcomers, here is a brief overview of the Windows access control model (ACM); those who already know it can skip ahead. The two most important parts of the ACM are the access token and the security descriptor. The access token belongs to the access subject, and the security descriptor belongs to the accessed object. For example, when I travel to the United States, I am the access subject, the United States is the access object, and the visa I hold is the access token. In the system, the access subjects are process objects and the access objects are all securable system objects. The access token holds the SID that uniquely identifies the current user, the SIDs of the user's groups, and a set of privilege flags. A security descriptor (SD) exists on every object in Windows (file, registry key, mutex, semaphore, and so on). The SD contains the owner SID, the group SID, and two very important data structures: the discretionary access control list (DACL) and the system access control list (SACL). The SACL relates to system audit logging, is rarely used, and is ignored here. The DACL contains individual ACEs (access control entries) and is the core of permission checking: when a process accesses an object, the process's token is compared against the object's ACEs one by one until access is either allowed or denied, and an earlier ACE takes precedence over a later one. The overall permission check process is shown below:

--->>

The above is a brief introduction to the parts of the Windows access control model that this article relies on. The following describes how to programmatically traverse the ACL to check access permissions. This article mainly deals with file objects; other object types are handled similarly. The two main APIs used are GetFileSecurity() and AccessCheck(). GetFileSecurity obtains the security descriptor of the specified file, and AccessCheck takes the permissions to check and, given the obtained security descriptor and the token of the current process, determines whether the process is allowed the requested permissions on the file object. These two APIs are not easy to use, however, because they require obtaining the security descriptor and the access token, which in turn involves many APIs and some access control knowledge. The APIs to be used are introduced first, followed by the overall code. The GetFileSecurity function prototype is as follows:

BOOL WINAPI GetFileSecurity(
  __in       LPCTSTR              lpFileName,            // path of the file or directory
  __in       SECURITY_INFORMATION RequestedInformation,  // which parts of the SD to retrieve (e.g. DACL_SECURITY_INFORMATION)
  __out_opt  PSECURITY_DESCRIPTOR pSecurityDescriptor,   // caller-supplied buffer that receives the SD
  __in       DWORD                nLength,               // size of that buffer in bytes
  __out      LPDWORD              lpnLengthNeeded        // required size; call again with a larger buffer if the first call fails with ERROR_INSUFFICIENT_BUFFER
);
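To make the ACE-walk decision rule described above (and the allow/deny result that AccessCheck returns) concrete, here is an added example that is not part of the original article: a portable C model of the DACL walk, with integer SIDs and constructed ACE/token structs standing in for the Win32 types. It deliberately omits generic-right mapping, implicit owner rights and privileges, which the real AccessCheck also considers.

```c
/* Added example, not from the original article: a portable model of the DACL
 * walk that Windows AccessCheck performs. SIDs are plain integers and the
 * ACE/token structs are constructed stand-ins, not the Win32 types. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define RIGHT_READ   0x1u
#define RIGHT_WRITE  0x2u
#define RIGHT_DELETE 0x4u

typedef enum { ACE_ALLOW, ACE_DENY } AceType;
typedef struct { AceType type; uint32_t sid; uint32_t mask; } Ace;
typedef struct { const uint32_t *sids; size_t count; } Token;           /* user + group SIDs */
typedef struct { const Ace *aces; size_t count; bool present; } Dacl;  /* present==false models a NULL DACL */

static bool token_has_sid(const Token *t, uint32_t sid) {
    for (size_t i = 0; i < t->count; i++)
        if (t->sids[i] == sid) return true;
    return false;
}

/* Walk the ACEs in order. Access is granted only if every requested right is
 * covered by allow ACEs before a matching deny ACE hits a still-pending right. */
bool dacl_access_check(const Dacl *dacl, const Token *tok, uint32_t desired) {
    if (!dacl->present) return true;  /* NULL DACL: the object is unprotected, everyone gets everything */
    uint32_t remaining = desired;     /* empty DACL (count == 0): nothing is ever granted, so denied */
    for (size_t i = 0; i < dacl->count && remaining; i++) {
        const Ace *a = &dacl->aces[i];
        if (!token_has_sid(tok, a->sid)) continue;  /* ACE is for some other principal */
        if (a->type == ACE_DENY && (a->mask & remaining)) return false;
        if (a->type == ACE_ALLOW) remaining &= ~a->mask;
    }
    return remaining == 0;
}

/* Constructed sample: user SID 1000 belongs to group 513. One DACL denies the
 * group WRITE before allowing the user READ|WRITE; the other lists the same two
 * ACEs in the opposite order, so the allow is consumed before the deny is seen. */
static const uint32_t kSids[] = { 1000u, 513u };
static const Token kToken = { kSids, 2 };
static const Ace kDenyFirst[]  = { { ACE_DENY, 513u, RIGHT_WRITE }, { ACE_ALLOW, 1000u, RIGHT_READ | RIGHT_WRITE } };
static const Ace kAllowFirst[] = { { ACE_ALLOW, 1000u, RIGHT_READ | RIGHT_WRITE }, { ACE_DENY, 513u, RIGHT_WRITE } };
static const Dacl kDaclDenyFirst  = { kDenyFirst, 2, true };
static const Dacl kDaclAllowFirst = { kAllowFirst, 2, true };

bool deny_first_can_write(void)  { return dacl_access_check(&kDaclDenyFirst, &kToken, RIGHT_WRITE); }
bool deny_first_can_read(void)   { return dacl_access_check(&kDaclDenyFirst, &kToken, RIGHT_READ); }
bool allow_first_can_write(void) { return dacl_access_check(&kDaclAllowFirst, &kToken, RIGHT_WRITE); }
```

The two orderings show why Windows keeps DACLs in canonical order (deny ACEs first): a non-canonical DACL lets a later deny be silently bypassed by an earlier allow.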
