SETTING FOLDER SECURITY

[nick666]

I have a folder for which I want to alter/change the security attributes. To be more specific I have a user called "test4", member of group "Power Users" and a folder called "CLAU". I want to give full control of this folder to user "test4". The machine name is "Marijuana", see code below. The code works fine, no error throwed, but I DO NOT HAVE FULL ACCESS to this folder for user "test4". Does anybody knows why ?
Any useful answer will be rated.

// get the security information for the specific folder.
// we are intrested in the DACL
PSECURITY_DESCRIPTOR pSecurityDescriptor = NULL;
PACL pOldDACL = NULL;
PACL pNewDACL = NULL;

if (GetNamedSecurityInfo("C:\\CLAU",SE_FILE_OBJECT,
DACL_SECURITY_INFORMATION,NULL,NULL,&pOldDACL,NULL,&pSecurityDescriptor) != ERROR_SUCCESS)
{
printf("\nGetNamedSecurityInfo failure !!!\n");
return;
}

// initialize an EXPLICIT_ACCESS structure for the new ACE
EXPLICIT_ACCESS access;
ZeroMemory(&access,sizeof(EXPLICIT_ACCESS));
access.grfAccessPermissions = 2032127;
access.grfAccessMode = GRANT_ACCESS;
access.grfInheritance = CONTAINER_INHERIT_ACE;
access.Trustee.pMultipleTrustee = NULL;
access.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
access.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
access.Trustee.TrusteeType = TRUSTEE_IS_USER;
access.Trustee.ptstrName = "Marijuana\\test4"; // we have only a test user here

// add this new entry to the old DACL of the folder
if (SetEntriesInAcl(1,&access,pOldDACL,&pNewDACL) != ERROR_SUCCESS)
{
printf("\nSetEntriesInAcl failure !!!\n");
return;
}

// attach this new DACL to the object's DACL
if (SetNamedSecurityInfo("C:\\CLAU",SE_FILE_OBJECT,DACL_SECURITY_INFORMATION,
NULL,NULL,pNewDACL,NULL) != ERROR_SUCCESS)
{
printf("\nSetNamedSecurityInfo failure !!!\n");
}
else printf("\nOperation succesful !!!\n");

// clean-up the ****
LocalFree((HLOCAL)pSecurityDescriptor);
LocalFree((HLOCAL)pNewDACL);




What is wrong here ?? My guess is that the error could be in setting the member access.grfAccessPermissions = 2032127;. I was looking in the MSDN and I noticed that for the ACCESS_MASK structure I need to set bit 28 for GENERIC_ALL, which , documentation states, will be mapped to the SPECIFIC and STANDARD rights.
But, doesn't work. Then, I did another thing.
I set manually full permissions for user "test4" for folder "CLAU", and then, using the following code I got the AccessMask:

/////////////////////// JUST FOR DEBUGGING ////////////////////////////
/* EXPLICIT_ACCESS info;
ACCESS_MASK AccessMask;
TRUSTEE Trustee;

ZeroMemory(&info,sizeof(EXPLICIT_ACCESS));
ZeroMemory(&AccessMask,sizeof(ACCESS_MASK));

Trustee.pMultipleTrustee = NULL;
Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
Trustee.TrusteeForm = TRUSTEE_IS_NAME;
Trustee.TrusteeType = TRUSTEE_IS_USER;
Trustee.ptstrName = "Marijuana\\test4";
if (GetEffectiveRightsFromAcl(pOldDACL,&Trustee,&AccessMask) != ERROR_SUCCESS)
{
printf("\nError GetEffectiveRightsFromAcl !!!\n");
} */
/////////////////////// END DEBUGGING CODE /////////////////////////////



I get the AccessMask value and put it in my first code for the value. Again the same problem.
If U have some other source-code which can help me I will also appreciate it.
10x in advance

[Alex Fedotov]

The code seems to be correct at a first glance (except that I would
use plain GERNERIC_ALL constant instead of cryptic 2032127).

The question: what permissions the folder has after executing
this code (as seen in the Security tab in the folder properties
dialog)?


Russian Software Developer Network - http://www.rsdn.ru

[Anthony Mai]

The question to ask is:
Under what user account did you run that piece of code? Does that user account has authorization to grant full access to user "test4".
If the answer is NO, then your code should not and would not work. Because the system is designed to prevent that from happening.


TRUE and FALSE and NOTHING in between. These are the only three building blocks of all computer languages.

[nick666]

From "Administrator" account of course.
But it is not working properly.

[nick666]

In the permissions list , in the Security tab, I have set only the "List Folder Contents" right.
The other permissions are cleared.
But there is a strange thing. In the security tab there is one more button: Advanced, used probably for more security options (more refined). And suprize , there , for user "test4" I have "Full control". How the **** could be possible. Here I have full control and in the main security tab window I do not have full control ????
If u have some code todo the **** pls. send it to me. I will be grateful, and pray for U .

PS: I already tried using the GENERIC_ALL constant, but the result is the same. And not only for this folder, but also for other folders.

[Alex Fedotov]

I think this is because of unusual inheritance flags.

The new security UI (as compared to NT4-style dialogs) is unable
to show complex security settings on its main page. If it encounters
something that it cannot display, it just cleares all marks and
writes "More security options available but are not viewable here.
Press Advanced button blah, blah, blah...".

I'm not sure you really want only CONTAINER_INHERIT_ACE flag to be set.
Most often both CONTAINER_INHERIT_ACE and OBJECT_INHERIT_ACE flags are
set and this is what Windows security editor expects.

Russian Software Developer Network - http://www.rsdn.ru