一般Windows下的系統文件(夾)只讓受限帳戶讀取而不讓寫入和修改。如果要開啟寫操作權限就需要手動修改文件(夾)的用戶帳戶安全權限(這操作當然要在管理員帳戶下執行).以下用程序封裝了一下該操作:
先來個API版本:
//
// 啟用某個賬戶對某個文件(夾)的所有操作權限
// pszPath: 文件(夾)路徑
// pszAccount: 賬戶名稱
//
BOOL EnableFileAccountPrivilege (PCTSTR pszPath, PCTSTR pszAccount)
{
BOOL bSuccess = TRUE;
PACL pNewDacl = NULL, pOldDacl = NULL;
EXPLICIT_ACCESS ea;
do
{
// 獲取文件(夾)安全對象的DACL列表
if (ERROR_SUCCESS != ::GetNamedSecurityInfo ((LPTSTR)pszPath, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDacl, NULL, NULL))
{
bSuccess = FALSE;
break;
}
// 此處不可直接用AddAccessAllowedAce函數,因為已有的DACL長度是固定,必須重新創建一個DACL對象
// 生成指定用戶帳戶的訪問控制信息(這里指定賦予全部的訪問權限)
::BuildExplicitAccessWithName (&ea, (LPTSTR)pszAccount, GENERIC_ALL, GRANT_ACCESS, SUB_CONTAINERS_AND_OBJECTS_INHERIT);
// 創建新的ACL對象(合并已有的ACL對象和剛生成的用戶帳戶訪問控制信息)
if (ERROR_SUCCESS != ::SetEntriesInAcl(1, &ea, pOldDacl, &pNewDacl))
{
bSuccess = FALSE;
break;
}[next]
// 設置文件(夾)安全對象的DACL列表
if (ERROR_SUCCESS != ::SetNamedSecurityInfo ((LPTSTR)pszPath, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDacl, NULL))
{
bSuccess = FALSE;
}
} while (FALSE);
// 釋放資源
if (pNewDacl != NULL)
::LocalFree(pNewDacl);
return bSuccess;
}ATL封裝了安全操作函數,用ATL來寫就簡單多了: //
// 啟用某個賬戶對某個文件(夾)的所有操作權限(ATL版本)
// pszPath: 文件(夾)路徑
// pszAccount: 賬戶名稱
//
BOOL AtlEnableFileAccountPrivilege (PCTSTR pszPath, PCTSTR pszAccount)
{
CDacl dacl;
CSid sid;
// 獲取用戶帳戶標志符
if (!sid.LoadAccount (pszAccount))
{
return FALSE;
}
// 獲取文件(夾)的DACL
if (!AtlGetDacl (pszPath, SE_FILE_OBJECT, &dacl))
{
return FALSE;
}
// 在DACL中添加新的ACE項
dacl.AddAllowedAce (sid, GENERIC_ALL);
// 設置文件(夾)的DACL
return AtlSetDacl (pszPath, SE_FILE_OBJECT, dacl) ? TRUE : FALSE;
}
來源:http://www.uniuc.com/computer/show-6322-1.html\\\
通過程序對文件夾的訪問權限進行控制。
BOOL My_SetFolderSecurity(WCHAR* szPath)
{
SID_IDENTIFIER_AUTHORITY sia = SECURITY_NT_AUTHORITY;
PSID pSidSystem = NULL;
PSID pSidAdmins = NULL;
PSID pSidWorld = NULL;
PACL pDacl = NULL;
EXPLICIT_ACCESS ea[4];
SECURITY_DESCRIPTOR SecDesc;
ULONG lRes = ERROR_SUCCESS;
__try
{
// create SYSTEM SID
if (!AllocateAndInitializeSid(&sia, 1, SECURITY_LOCAL_SYSTEM_RID,
0, 0, 0, 0, 0, 0, 0, &pSidSystem))
{
lRes = GetLastError();
__leave;
}
// create Local Administrators alias SID
if (!AllocateAndInitializeSid(&sia, 2, SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0,
0, 0, &pSidAdmins))
{
lRes = GetLastError();
__leave;
}
// create Authenticated users well-known group SID
if (!AllocateAndInitializeSid(&sia, 1, SECURITY_AUTHENTICATED_USER_RID,
0, 0, 0, 0, 0, 0, 0, &pSidWorld))
{
lRes = GetLastError();
__leave;
}
// fill an entry for the SYSTEM account
ea[0].grfAccessMode = GRANT_ACCESS;
ea[0].grfAccessPermissions = FILE_ALL_ACCESS;
ea[0].grfInheritance = OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE;
ea[0].Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
ea[0].Trustee.pMultipleTrustee = NULL;
ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
ea[0].Trustee.ptstrName = (LPTSTR)pSidSystem;
// fill an entry entries for the Administrators alias
ea[1].grfAccessMode = GRANT_ACCESS;
ea[1].grfAccessPermissions = FILE_ALL_ACCESS;
ea[1].grfInheritance = OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE;
ea[1].Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
ea[1].Trustee.pMultipleTrustee = NULL;
ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[1].Trustee.TrusteeType = TRUSTEE_IS_ALIAS;
ea[1].Trustee.ptstrName = (LPTSTR)pSidAdmins;
// fill an entry for the Authenticated users well-known group
ea[2].grfAccessMode = GRANT_ACCESS;
ea[2].grfAccessPermissions = FILE_GENERIC_READ|FILE_GENERIC_WRITE ;
ea[2].grfInheritance = OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE;
ea[2].Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
ea[2].Trustee.pMultipleTrustee = NULL;
ea[2].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[2].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
ea[2].Trustee.ptstrName = (LPTSTR)pSidWorld;
// create a DACL
lRes = SetEntriesInAcl(3, ea, NULL, &pDacl);
if (lRes != ERROR_SUCCESS)
__leave;
// initialize security descriptor
if(!InitializeSecurityDescriptor(&SecDesc, SECURITY_DESCRIPTOR_REVISION))
__leave ;
if(!SetSecurityDescriptorDacl(&SecDesc, TRUE, pDacl, FALSE))
__leave ;
// assign security descriptor to the key
//lRes = RegSetKeySecurity(hKey, DACL_SECURITY_INFORMATION, &SecDesc);
lRes = SR_SetFileSecurityRecursive(szPath, DACL_SECURITY_INFORMATION, &SecDesc);
//lRes = SetFileSecurity(szPath, DACL_SECURITY_INFORMATION, &SecDesc);
}
__finally
{
if (pSidSystem != NULL)
FreeSid(pSidSystem);
if (pSidAdmins != NULL)
FreeSid(pSidAdmins);
if (pSidWorld != NULL)
FreeSid(pSidWorld);
if (pDacl != NULL)
LocalFree((HLOCAL)pDacl);
}
SetLastError(lRes);
return lRes != ERROR_SUCCESS;
}
Command what is yours
Conquer what is not
==========================================================
我解決了,在MSDN里找到的
(取自MSDN)
#define _WIN32_WINNT 0x0500
#include <windows.h>
#include <sddl.h>
#include <stdio.h>
BOOL CreateMyDACL(SECURITY_ATTRIBUTES *);
void main()
{
SECURITY_ATTRIBUTES sa;
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.bInheritHandle = FALSE;
// Call function to set the DACL. The DACL
// is set in the SECURITY_ATTRIBUTES
// lpSecurityDescriptor member.
if (!CreateMyDACL(&sa))
{
// Error encountered; generate message and exit.
printf( "Failed CreateMyDACL\n ");
exit(1);
}
// Use the updated SECURITY_ATTRIBUTES to specify
// security attributes for securable objects.
// This example uses security attributes during
// creation of a new directory.
if (0 == CreateDirectory(TEXT( "C:\\MyFolder "), &sa))
{
// Error encountered; generate message and exit.
printf( "Failed CreateDirectory\n ");
exit(1);
}
// Free the memory allocated for the SECURITY_DESCRIPTOR.
if (NULL != LocalFree(sa.lpSecurityDescriptor))
{
// Error encountered; generate message and exit.
printf( "Failed LocalFree\n ");
exit(1);
}
}
BOOL CreateMyDACL(SECURITY_ATTRIBUTES * pSA)
{
TCHAR * szSD = TEXT( "D: ") // Discretionary ACL
TEXT( "(D;OICI;GA;;;BG) ") // Deny access to built-in guests
TEXT( "(D;OICI;GA;;;AN) ") // Deny access to anonymous logon
TEXT( "(A;OICI;GRGWGX;;;AU) ") // Allow read/write/execute to authenticated users
TEXT( "(A;OICI;GA;;;BA) "); // Allow full control to administrators
if (NULL == pSA)
return FALSE;
return ConvertStringSecurityDescriptorToSecurityDescriptor(
szSD,
SDDL_REVISION_1,
&(pSA-> lpSecurityDescriptor),
NULL);
}