
File / Folder Permissions (Change File But Not Create)

Asked By KM
19-Nov-09 08:54 AM
We have a situation where we have one AD group (admins) that needs to be able
to create (basically full control) files in a folder and a separate AD group
that should only be able to change files (overwrite) that were placed in the
folder by the first AD group.    This will allow us to catalog what files are
put in the folder and then after that the user base can modify / change the
files at will.   We would prefer to set the permissions on the folder level
but the amount of files is small so some or all of the permissions could be
at the file level.

We're not seeing a way to do this using Windows or the SDK, and we were
hoping for advice.

Thanks in advance.


vletoux replied to KM
06-Dec-09 01:34 PM
Look at http://msdn.microsoft.com/en-us/library/aa364399%28VS.85%29.aspx

Basically, you have to build a security descriptor whose DACL carries one EXPLICIT_ACCESS entry per group. The two things that distinguish "may create files in the folder" from "may only modify files already there" are each entry's access mask (grfAccessPermissions: the "modify" group must not get the folder's FILE_ADD_FILE / FILE_DELETE_CHILD rights) and its inheritance flags (grfInheritance: an inherit-only, object-inherit entry on the folder applies to the files placed in it but not to the folder itself).

Example (this builds a descriptor that grants SYSTEM and Administrators full control; it does not yet encode the create-vs-modify split described above):
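/*
 * Fragment: build an absolute security descriptor whose DACL grants
 * GENERIC_ALL to Local System and to the BUILTIN\Administrators alias, and
 * whose owner and primary group are both Administrators.
 *
 * This is an excerpt from a larger __try/__finally body: sia, pSidSystem,
 * pSidAdmins, pDacl, pSD and dwError are declared outside the snippet, and
 * every __leave jumps to a __finally that is not shown (presumably it frees
 * the SIDs with FreeSid, the ACL with LocalFree, and reports dwError).
 * EIDAlloc is a project allocator, not a Win32 API; sia is assumed to be
 * SECURITY_NT_AUTHORITY -- confirm against the enclosing function.
 *
 * NOTE(review): the forum post was quoted-printable encoded, which rendered
 * every '=' as "=3D"; the operators are restored here.
 *
 * NOTE(review): both entries below use GENERIC_ALL with NO_INHERITANCE, so
 * nothing propagates to files later created in the folder. The asker's
 * "group B may overwrite but not create" split would be expressed as a
 * separate entry for group B whose grfInheritance is
 * OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE (applies to child files, never to
 * the folder) with a file write mask such as FILE_GENERIC_READ |
 * FILE_GENERIC_WRITE, while the folder-level entry for group B omits
 * FILE_ADD_FILE (== FILE_WRITE_DATA) and FILE_DELETE_CHILD. An application
 * that "overwrites" by delete-then-create would additionally need DELETE on
 * the file; verify against the consumer before deploying.
 */

// Local System SID.
if (!AllocateAndInitializeSid(&sia, 1, SECURITY_LOCAL_SYSTEM_RID,
                              0, 0, 0, 0, 0, 0, 0, &pSidSystem))
{
    dwError = GetLastError();
    __leave;
}

// BUILTIN\Administrators alias SID.
if (!AllocateAndInitializeSid(&sia, 2, SECURITY_BUILTIN_DOMAIN_RID,
                              DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0,
                              &pSidAdmins))
{
    dwError = GetLastError();
    __leave;
}

EXPLICIT_ACCESS ea[2];
ZeroMemory(&ea, sizeof(ea));

// Entry 0: SYSTEM gets full control on this object only (no inheritance).
ea[0].grfAccessMode = GRANT_ACCESS;
ea[0].grfAccessPermissions = GENERIC_ALL;
ea[0].grfInheritance = NO_INHERITANCE;
ea[0].Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
ea[0].Trustee.pMultipleTrustee = NULL;
ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
ea[0].Trustee.ptstrName = (LPTSTR)pSidSystem;

// Entry 1: Administrators alias gets full control on this object only.
ea[1].grfAccessMode = GRANT_ACCESS;
ea[1].grfAccessPermissions = GENERIC_ALL;
ea[1].grfInheritance = NO_INHERITANCE;
ea[1].Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
ea[1].Trustee.pMultipleTrustee = NULL;
ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[1].Trustee.TrusteeType = TRUSTEE_IS_ALIAS;
ea[1].Trustee.ptstrName = (LPTSTR)pSidAdmins;

// Build a fresh DACL (OldAcl == NULL) holding exactly these two ACEs.
// SetEntriesInAcl returns a Win32 error code directly, not via GetLastError.
dwError = SetEntriesInAcl(2, ea, NULL, &pDacl);
if (dwError != ERROR_SUCCESS)
    __leave;

// Absolute security descriptor: it only references pDacl/pSidAdmins by
// pointer, so those allocations must outlive every use of pSD (e.g. a
// SECURITY_ATTRIBUTES passed to CreateFile, or SetFileSecurity).
pSD = (PSECURITY_DESCRIPTOR)EIDAlloc(SECURITY_DESCRIPTOR_MIN_LENGTH);
if (!pSD)
{
    // NOTE(review): dwError is not set on this path; the __finally (not
    // shown) may report a stale or zero error code for an allocation failure.
    __leave;
}
if (!InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION))
{
    dwError = GetLastError();
    __leave;
}

// Attach the DACL: bDaclPresent == TRUE with a non-NULL pDacl restricts
// access to the listed ACEs. (TRUE with a NULL pDacl would be a NULL DACL,
// which grants Everyone full access -- pDacl is guaranteed non-NULL here
// because SetEntriesInAcl succeeded.) bDaclDefaulted == FALSE.
if (!SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE))
{
    dwError = GetLastError();
    __leave;
}

// Owner == Administrators. The owner implicitly holds READ_CONTROL and
// WRITE_DAC regardless of the DACL, so Administrators can always re-ACL the
// object even if the DACL above is later tightened. Assigning an owner
// other than the caller's own SID generally requires that SID to be an
// owner-eligible group in the caller's token (elevated admin) or
// SeRestorePrivilege -- confirm the context this runs in.
if (!SetSecurityDescriptorOwner(pSD, pSidAdmins, FALSE))
{
    dwError = GetLastError();
    __leave;
}

// Primary group == Administrators (used for POSIX-style inheritance only;
// it does not grant access by itself).
if (!SetSecurityDescriptorGroup(pSD, pSidAdmins, FALSE))
{
    dwError = GetLastError();
    __leave;
}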
