user1230896

Reputation: 11

Checking File Permission on Windows for non-elevated users

I am writing some C++ code for the Windows (XP/7) platform to check the permissions associated with a file. I want to verify that the file I am reading cannot be written by accounts with non-elevated privileges. This is what I am currently doing:

This code is working perfectly for the Users group. What about the other groups such as Everyone, Guests, or other specific users which may have specific write access on the file? I would like to find a solution where I don't need to enumerate all possible SIDs and check against all of them. Is there a SID I could use such as "anything but not admin"?

Regards, Ant

Upvotes: 1

Views: 1556

Answers (1)

MSalters

Reputation: 179779

I'd take a slightly different approach:

  1. Get all ACEs via GetExplicitEntriesFromAcl, for the file and all its parents
  2. Select the GRANT_ACCESS and SET_ACCESS ACEs
  3. Get the list of trustees from the selected ACEs
  4. For each of the trustees, perform an access check. GetEffectiveRightsFromAcl is probably the easiest solution here.

You'll want to think specifically about what you want to do with the OWNER. He can alter the rights at any time.

Upvotes: 1
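The four steps from the answer above, applied to one file's DACL, as an added example that is not part of the original question or answer. The names `kWriteMask`, `grantsWrite`, `isElevatedTrustee` and `writableByNonElevated` are hypothetical, and treating only BUILTIN\Administrators and LocalSystem as elevated is an assumption; parent directories and the file owner are not covered.

```cpp
// Added example, not from the original post. Link with advapi32.lib on Windows.
#include <cstdint>

// Rights that let a trustee alter the file's content or its protection (values from winnt.h).
constexpr std::uint32_t kWriteMask =
    0x00000002u /* FILE_WRITE_DATA */ | 0x00000004u /* FILE_APPEND_DATA */ |
    0x00010000u /* DELETE */ | 0x00040000u /* WRITE_DAC */ | 0x00080000u /* WRITE_OWNER */ |
    0x40000000u /* GENERIC_WRITE */ | 0x10000000u /* GENERIC_ALL */;

bool grantsWrite(std::uint32_t mask) { return (mask & kWriteMask) != 0; }

#ifdef _WIN32
#include <windows.h>
#include <aclapi.h>

// Assumption: only BUILTIN\Administrators and LocalSystem count as elevated.
static bool isElevatedTrustee(const TRUSTEE_W& t) {
    if (t.TrusteeForm != TRUSTEE_IS_SID) return false;
    PSID sid = reinterpret_cast<PSID>(t.ptstrName);
    return IsWellKnownSid(sid, WinBuiltinAdministratorsSid) ||
           IsWellKnownSid(sid, WinLocalSystemSid);
}

// Returns 1 if a non-elevated trustee can write, 0 if none can, -1 on API failure.
int writableByNonElevated(const wchar_t* path) {
    PACL dacl = nullptr; PSECURITY_DESCRIPTOR sd = nullptr;
    if (GetNamedSecurityInfoW(path, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
                              nullptr, nullptr, &dacl, nullptr, &sd) != ERROR_SUCCESS)
        return -1;
    int result = 0; ULONG count = 0; PEXPLICIT_ACCESS_W entries = nullptr;
    if (dacl == nullptr)
        result = 1;                        // NULL DACL: everyone has full access
    else if (GetExplicitEntriesFromAclW(dacl, &count, &entries) != ERROR_SUCCESS)
        result = -1;                       // step 1 failed
    for (ULONG i = 0; result == 0 && i < count; ++i) {
        EXPLICIT_ACCESS_W& e = entries[i];
        if (e.grfAccessMode != GRANT_ACCESS && e.grfAccessMode != SET_ACCESS) continue; // step 2
        if (isElevatedTrustee(e.Trustee)) continue;                                     // step 3
        ACCESS_MASK rights = 0;            // step 4: effective rights also apply deny ACEs
        if (GetEffectiveRightsFromAclW(dacl, &e.Trustee, &rights) != ERROR_SUCCESS)
            result = -1;
        else if (grantsWrite(rights))
            result = 1;
    }
    if (entries) LocalFree(entries);
    LocalFree(sd);
    return result;
}
#endif
```

A caller that must fail closed treats both 1 and -1 as "do not trust this file".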
