CODEWITHSUNDEEP
c++winapi
Ruban Thilak
Ruban Thilak

Reputation: 167

EXPLICIT_ACCESS array from ACL - WIN32 API

void main() {

    PSID UserSID = NULL;
    PSID GroupSID = NULL;
    PSECURITY_DESCRIPTOR SD = NULL;
    ACL *pDACL = new ACL ;

    string input, ext = "";
    wcout << "Enter the location : " << endl;
    std::getline(cin, input);
    LPCSTR file = input.c_str();

    HANDLE hFile = CreateFileA(file, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);

    if (hFile == INVALID_HANDLE_VALUE)
    {
        if (GetLastError() == ERROR_ACCESS_DENIED)
        {
            cout << "Access Denied : System Files" << endl;
            return;
        }
        else if (GetLastError() == ERROR_PATH_NOT_FOUND)
        {
            cout << "Path Name Not Found" << endl;
            return;
        }
        else if (GetLastError() == ERROR_FILE_NOT_FOUND)
        {
            cout << "File Not Found" << endl;
            return;
        }
        else
        {
            cout << GetLastError() << endl;
            return;                                                                                                                                                                                                                                                                     
        }
    }

    ULONG Count = NULL;
    PEXPLICIT_ACCESS_W *pExplicitEntries = new PEXPLICIT_ACCESS_W;


    if (GetSecurityInfo(hFile,SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pDACL, NULL, &SD) == ERROR_SUCCESS)
    {
        cout << "GetSecInfo Success " << pDACL->AceCount << endl;
        cout << GetLastError() << endl;
    }

    if (GetExplicitEntriesFromAclW(pDACL, &Count, pExplicitEntries) == ERROR_SUCCESS)
    {
        cout << Count << endl;
        cout << GetLastError() << endl;
    }

    if (pExplicitEntries[0]->Trustee.TrusteeForm == TRUSTEE_IS_SID)
    {
        TCHAR AccountBuff[80];
        TCHAR DomainBuff[80];
        DWORD AccountBufflength = 40;
        DWORD DomainBufflength = 40;
        PSID_NAME_USE peUse = new SID_NAME_USE;
        PSID Sid = pExplicitEntries[0]->Trustee.ptstrName;

        LookupAccountSidW(NULL, Sid, AccountBuff, &AccountBufflength, DomainBuff, &DomainBufflength, peUse);

        wcout << AccountBuff << endl;

        DWORD pAccessRights;

        if (GetEffectiveRightsFromAclW(pDACL, &pExplicitEntries[0]->Trustee, &pAccessRights) == ERROR_SUCCESS)
        {
            DisplayAccessMask(pAccessRights);
        }
    }
}

Currently, the array index is 0, if i switch to other index like 1 or 2, it causes exception : Accessing location. Please Help, please someone give me solution to access all the trustee in the ACL and get the access permission and username of each trustee of a file

Upvotes: 0

Views: 783

Answers (2)

Raghu Ram
Raghu Ram

Reputation: 1

Looks like you are passing null EXPLICIT_ACCESS_W to GetExplicitEntriesFromAclW.

So try either:

EXPLICIT_ACCESS_W *pExplicitEntries=NULL;
EXPLICIT_ACCESS_W **pExplicitEntries2=&pExplicitEntries;
GetExplicitEntriesFromAclA(pacl,&countExplicitACL,pExplicitEntries2);

or:

EXPLICIT_ACCESS_W *pExplicitEntries =NULL;
GetExplicitEntriesFromAclA(pacl,&countExplicitACL,&pExplicitEntries2);

Both serve your purpose. Beware of NULL pointers.

Upvotes: 0

Rita Han
Rita Han

Reputation: 9700

GetSecurityInfo gives me ACE count as 4 , but when it comes to the GetExplicitEntriesFromAclW the Count value remains 0.

I can reproduce this issue when my test target file is an new created, for example, TXT file. Yes, GetSecurityInfo gives me ACE count as 4 , but when it comes to the GetExplicitEntriesFromAclW the Count value remains 0.

Use function to check the ACE type and found that all types are 0: ACCESS_MIN_MS_ACE_TYPE \ ACCESS_ALLOWED_ACE_TYPE.

if (GetSecurityInfo(hFile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pDACL, NULL, &SD) == ERROR_SUCCESS)
{
    cout << "GetSecInfo Success " << pDACL->AceCount << endl;
    cout << GetLastError() << endl;
}
PACL pAcl = pDACL;
int aceNum = pDACL->AceCount;
for (int i = 0; i < aceNum; i++)
{
    ACE_HEADER *aceAddr = NULL;
    if (GetAce(pAcl, i, (void**)(&aceAddr)))
    {
        printf("ACE type: %d \n",aceAddr->AceType); ACCESS_ALLOWED_ACE_TYPE;
        printf("ACE flags: %d \n", aceAddr->AceFlags);
        printf("ACE size: %d \n", aceAddr->AceSize);
    }
}

If you set deny write operation for current user like this:

enter image description here

Then ACE type 1 (ACCESS_DENIED_ACE_TYPE) appears. And the Count value returned from the GetExplicitEntriesFromAclW equals the number of entries whose ACE type is 1. See the following snapshot:

enter image description here

Upvotes: 1

Related Questions