2007. november 4., vasárnap

Work with file security descriptors


Problem/Question/Abstract:

I want to be able to store a file and its security decriptor, then reload it later. I have been able to use GetFileSecurity and GetSecurityDescriptorOwner, but I don't understand how to translate this information into a transportable format, store it in a remote table, then retrieve it and rebuild the correct description?

Answer:

Below is code I have used to convert to a Self Relative SD:

{ ... }
if Assigned(SD) then
begin
  lpdwAbsoluteSecurityDescriptorSize := 0;
  lpdwDaclSize := 0;
  lpdwSaclSize := 0;
  lpdwOwnerSize := 0;
  lpdwPrimaryGroupSize := 0;
  MakeAbsoluteSD(SD,
    AbsoluteSID, lpdwAbsoluteSecurityDescriptorSize,
    pDacl^, lpdwDaclSize,
    pSacl^, lpdwSaclSize,
    pOwner, lpdwOwnerSize,
    pPrimaryGroup, lpdwPrimaryGroupSize);
  GetMem(AbsoluteSID, lpdwAbsoluteSecurityDescriptorSize);
  GetMem(pDacl, lpdwDaclSize);
  GetMem(pSacl, lpdwSaclSize);
  GetMem(pOwner, lpdwOwnerSize);
  GetMem(pPrimaryGroup, lpdwPrimaryGroupSize);
  try
    if not MakeAbsoluteSD(SD, AbsoluteSID, lpdwAbsoluteSecurityDescriptorSize,
      pDacl^, lpdwDaclSize, pSacl^, lpdwSaclSize, pOwner, lpdwOwnerSize,
      pPrimaryGroup, lpdwPrimaryGroupSize) then
      raise Exception.create(LastErrorMessage);
    lpdwBufferLength := 0;
    MakeSelfRelativeSD(AbsoluteSID, RelativeSID, lpdwBufferLength);
    GetMem(RelativeSID, lpdwBufferLength);
    if not MakeSelfRelativeSD(AbsoluteSID, RelativeSID, lpdwBufferLength) then
      raise Exception.create(LastErrorMessage);
  finally
    FreeMem(AbsoluteSID, lpdwAbsoluteSecurityDescriptorSize);
    FreeMem(pSacl, lpdwSaclSize);
    FreeMem(pOwner, lpdwOwnerSize);
    FreeMem(pPrimaryGroup, lpdwPrimaryGroupSize);
  end;
end;
{ ... }

For Windows 2000 and up: Retrieve only those parts of the security descriptor you need to persist through GetFileSecurity, convert it to a string using ConvertSecurityDescriptorToStringSecurityDescriptor. To restore the decriptor use ConvertStringSecurityDescriptorToSecurityDesciptor and SetFileSecurity.
Bejegyezte: Bob dátum: 15:00
Címkék:

Nincsenek megjegyzések:

Megjegyzés küldése

Feliratkozás: Megjegyzések küldése (Atom)