Windows 7 - File / Folder Permissions (Change File But Not Create)

Asked By KM
19-Nov-09 08:54 AM
We have a situation where we have one AD group (admins) that needs to be able
to create (basically full control) files in a folder and a separate AD group
that should only be able to change files (overwrite) that were placed in the
folder by the first AD group. This will allow us to catalog what files are
put in the folder and then after that the user base can modify / change the
files at will. We would prefer to set the permissions on the folder level
but the number of files is small so some or all of the permissions could be
at the file level.

We're not seeing a way for this to be done using Windows or the SDK and we
were hoping for advice.

Thanks in advance.
vletoux replied to KM
06-Dec-09 01:34 PM
Look at http://msdn.microsoft.com/en-us/library/aa364399%28VS.85%29.aspx

Basically, you have to create a security descriptor.

Example:
    // Declarations the fragment relies on (the =3D in the original is a
    // quoted-printable artifact for '=').
    SID_IDENTIFIER_AUTHORITY sia = SECURITY_NT_AUTHORITY;
    PSID pSidSystem = NULL;
    PSID pSidAdmins = NULL;
    PACL pDacl = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    EXPLICIT_ACCESS ea[2];
    DWORD dwError = ERROR_SUCCESS;

    __try
    {
        // create the LocalSystem SID (S-1-5-18)
        if (!AllocateAndInitializeSid(&sia, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0,
                                      0, 0, 0, 0, 0, &pSidSystem))
        {
            dwError = GetLastError();
            __leave;
        }

        // create Local Administrators alias SID (S-1-5-32-544)
        if (!AllocateAndInitializeSid(&sia, 2, SECURITY_BUILTIN_DOMAIN_RID,
                                      DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &pSidAdmins))
        {
            dwError = GetLastError();
            __leave;
        }

        ZeroMemory(&ea, sizeof(ea));
        // fill an entry for the SYSTEM account
        ea[0].grfAccessMode = GRANT_ACCESS;
        ea[0].grfAccessPermissions = GENERIC_ALL;
        ea[0].grfInheritance = NO_INHERITANCE;
        ea[0].Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
        ea[0].Trustee.pMultipleTrustee = NULL;
        ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
        ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
        ea[0].Trustee.ptstrName = (LPTSTR)pSidSystem;
        // fill an entry for the Administrators alias
        ea[1].grfAccessMode = GRANT_ACCESS;
        ea[1].grfAccessPermissions = GENERIC_ALL;
        ea[1].grfInheritance = NO_INHERITANCE;
        ea[1].Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
        ea[1].Trustee.pMultipleTrustee = NULL;
        ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
        ea[1].Trustee.TrusteeType = TRUSTEE_IS_ALIAS;
        ea[1].Trustee.ptstrName = (LPTSTR)pSidAdmins;

        // create a DACL from the two entries (SetEntriesInAcl returns a
        // Win32 error code directly; pDacl must later be freed with LocalFree)
        dwError = SetEntriesInAcl(2, ea, NULL, &pDacl);
        if (dwError != ERROR_SUCCESS)
            __leave;

        // EIDAlloc is the poster's own allocation helper;
        // LocalAlloc(LPTR, ...) is the standard equivalent.
        pSD = (PSECURITY_DESCRIPTOR) EIDAlloc(SECURITY_DESCRIPTOR_MIN_LENGTH);
        if (!pSD)
        {
            dwError = ERROR_NOT_ENOUGH_MEMORY;  // original left dwError unset here
            __leave;
        }
        if (!InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION))
        {
            dwError = GetLastError();
            __leave;
        }
        // Add the ACL to the security descriptor (DACL present, not defaulted).
        if (!SetSecurityDescriptorDacl(pSD, TRUE, pDacl, FALSE))
        {
            dwError = GetLastError();
            __leave;
        }
        if (!SetSecurityDescriptorOwner(pSD, pSidAdmins, FALSE))
        {
            dwError = GetLastError();
            __leave;
        }
        if (!SetSecurityDescriptorGroup(pSD, pSidAdmins, FALSE))
        {
            dwError = GetLastError();
            __leave;
        }
    }
    __finally
    {
        // pSD is an absolute descriptor: it points at pDacl and pSidAdmins,
        // so those must outlive it. On failure release everything here;
        // on success the caller frees pSD, pDacl (LocalFree) and the two
        // SIDs (FreeSid) once it has applied the descriptor.
        if (dwError != ERROR_SUCCESS)
        {
            if (pDacl) LocalFree(pDacl);
            if (pSidSystem) FreeSid(pSidSystem);
            if (pSidAdmins) FreeSid(pSidAdmins);
        }
    }
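The reply above shows how to build a descriptor in C, but the two entries it grants (GENERIC_ALL to SYSTEM and Administrators) are housekeeping, not the split KM asked for. The split itself is a DACL design: the "creators" group gets full control on the folder and everything in it; the "modifiers" group gets two ACEs, one on the folder only (list and traverse, without FILE_ADD_FILE) and one that is inherit-only and applies to files only (read plus the write bits an in-place overwrite needs, without Delete). The following PowerShell is an added example written for this thread, not code from the thread or from Microsoft; the folder path and the two group names are placeholders, and it assumes an elevated session on a machine that can resolve the AD groups.

```powershell
# Added example, not code from the thread. Placeholder path and group names.
# Run in an elevated PowerShell session on a machine that can resolve the groups.

$DropFolder = 'C:\Drop'                    # placeholder folder
$Creators   = 'CONTOSO\Drop-Creators'      # placeholder: may create files (full control)
$Modifiers  = 'CONTOSO\Drop-Modifiers'     # placeholder: may only change existing files

# Small helper around FileSystemAccessRule so each ACE below reads as one line.
function New-FsRule {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate
    )
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity, $Rights, $Inherit, $Propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

$acl = Get-Acl -Path $DropFolder

# Stop inheriting from the parent and discard the inherited entries, then drop any
# explicit entries, so the DACL that ends up on the folder is exactly the one below.
$acl.SetAccessRuleProtection($true, $false)
foreach ($existing in @($acl.Access)) { [void]$acl.RemoveAccessRuleAll($existing) }

# Housekeeping entries for SYSTEM and the local Administrators alias, the same two
# principals the reply above grants GENERIC_ALL.
$acl.AddAccessRule((New-FsRule 'NT AUTHORITY\SYSTEM'    'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
$acl.AddAccessRule((New-FsRule 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))

# Creators: full control on the folder and on everything placed in it.
$acl.AddAccessRule((New-FsRule $Creators 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))

# Modifiers, ACE 1, this folder only: list and traverse. FILE_ADD_FILE (shown by
# .NET as CreateFiles) is not granted, so creating a new file in the folder fails.
$acl.AddAccessRule((New-FsRule $Modifiers 'ReadAndExecute' 'None' 'None'))

# Modifiers, ACE 2, files only (ObjectInherit + InheritOnly): read plus the write
# bits an in-place overwrite needs (FILE_WRITE_DATA, FILE_APPEND_DATA, write
# attributes and EAs). Delete is deliberately not included.
$acl.AddAccessRule((New-FsRule $Modifiers 'Read, Write' 'ObjectInherit' 'InheritOnly'))

# Writing the folder's ACL also propagates the inheritable ACEs to files already present.
Set-Acl -Path $DropFolder -AclObject $acl

# Read the DACL back and confirm the modifiers group has no CreateFiles right on
# the folder itself (rules marked InheritOnly apply to children, not the folder).
function Test-ModifiersCannotCreate {
    param([string]$Path, [string]$Group)
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $createFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles
    $onFolder = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Group -and
        $_.AccessControlType -eq 'Allow' -and
        ([int]($_.PropagationFlags -band $inheritOnly)) -eq 0
    }
    $granting = $onFolder | Where-Object { ([int]($_.FileSystemRights -band $createFiles)) -ne 0 }
    return ($null -eq $granting)
}

Test-ModifiersCannotCreate -Path $DropFolder -Group $Modifiers
```

To check the result functionally, log on as a member of the modifiers group: Set-Content on a file the creators dropped succeeds, while New-Item in the folder is refused with an access-denied error. One caveat worth knowing before rolling this out: applications that save by writing a temporary file and renaming it over the original need create and delete rights in the folder, so with this DACL their saves fail even though a plain in-place overwrite works. If the file-level fallback KM mentions is used instead, it is the second modifiers ACE (Read, Write, no Delete) that goes on each file.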
