Win 8 似乎有一个新的用户组“ALL APPLICATION PACKAGES”。默认情况下,该组似乎对所有文件夹都具有读取权限。但是我的要求是在我创建的文件夹上设置一些特定的 ACL。该组目前对我的文件夹没有权限,我编写了一些代码来为“所有应用程序包”添加读取权限。我使用的是 VS 2010,下面是精简的代码片段。
在 http://msdn.microsoft.com/en-us/library/cc980032.aspx 中列出的“所有应用程序包”的 SID是 ALL_APP_PACKAGES (S-1-15-2-1)。
但无论我作为受托人 Name 如何或传递什么值,下面的代码都不起作用。例如,在下面的代码中,SetNamedSecurityInfo() 因 ERROR_INVALID_ACL 而失败。但是,如果我使用“Administrators”或“Everyone”帐户,则它会起作用。
我需要分配的确切权限是“读取和执行”、“列出文件夹内容”和“读取”
#include "stdafx.h"
#include "windows.h"
#include "sddl.h"
#include "Aclapi.h"
int _tmain(int argc, _TCHAR* argv[])
{
TCHAR pszObjName[MAX_PATH] = L"C:\\Program Files\\Common Files\\Test\\";
PACL pOldDACL = NULL, pNewDACL = NULL;
PSECURITY_DESCRIPTOR pSD = NULL;
EXPLICIT_ACCESS ea;
SECURITY_INFORMATION si = DACL_SECURITY_INFORMATION;
// Get a pointer to the existing DACL (Conditionaly).
DWORD dwRes = GetNamedSecurityInfo(pszObjName, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, &pSD);
// Initialize an EXPLICIT_ACCESS structure for the new ACE.
ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = STANDARD_RIGHTS_READ;
ea.grfAccessMode = SET_ACCESS;
ea.grfInheritance= SUB_CONTAINERS_AND_OBJECTS_INHERIT;
ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
// ea.Trustee.TrusteeType = TRUSTEE_IS_GROUP;
// Should I be using SID (S-1-15-2-1) (SetEntriesInAcl() fails) or "ALL_APP_PACKAGES" (SetEntriesInAcl() passes but SetNamedSecurityInfo() fails)
//If I use "Administrators" or "Everyone" as Trustee Name then it works fine but not with "ALL APPLICATION PACKAGES"
ea.Trustee.ptstrName = _T(" ALL_APP_PACKAGES");
// Create a new ACL that merges the new ACE into the existing DACL.
dwRes = SetEntriesInAcl(1, &ea, pOldDACL, &pNewDACL);
if(ERROR_SUCCESS != dwRes)
goto Cleanup;
// Attach the new ACL as the object's DACL.
dwRes = SetNamedSecurityInfo(pszObjName, SE_FILE_OBJECT, si, NULL, NULL, pNewDACL, NULL);
if(ERROR_SUCCESS != dwRes)
goto Cleanup;
Cleanup:
if(pSD != NULL)
LocalFree((HLOCAL) pSD);
if(pNewDACL != NULL)
LocalFree((HLOCAL) pNewDACL);
return dwRes;
}
请您参考如下方法:
尝试以这种方式设置 Trustee 结构。它对我有用。
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
ea.Trustee.ptstrName = L"ALL APPLICATION PACKAGES";