16,548
社区成员
发帖
与我相关
我的任务
分享求教:ACCESS_MASK如何解析,望有解析过的朋友不吝赐教
我要取得一个共享文件的权限列表,现在已经取得了DACL中的ace,并且根据ace中的Psid解析到了用户(组)名,在ACCESS_ALLOWED_ACE结构中包含一个ACCESS_MASK,为DWORD类型,请问,如何解析它从而得出具体的控制权限???
...全文
请发表友善的回复…
发表回复
0313700000 2005-08-25
- 打赏
- 举报
这两天很忙,没及时结贴,谢谢 masterz
masterz 2005-08-22
- 打赏
- 举报
http://www.windowsitpro.com/Files/15/15989/Listing_01.txt
Listing 1: DumpTokenInfo.cpp
Listing 1: DumpTokenInfo.cpp
masterz 2005-08-22
- 打赏
- 举报
http://iain.cx/articles/acls/acls.html
...
typedef struct _ACE_HEADER {
char AceType;
char AceFlags;
short AceSize;
} ACE_HEADER;
typedef struct _ACCESS_ALLOWED_ACE {
ACE_HEADER Header;
unsigned long Mask;
unsigned long SidStart;
} ACCESS_ALLOWED_ACE;
The ACE structure itself is easy to understand. Only SidStart needs to be explained. It is a pointer to the SID to which the ACE applies, only declared as DWORD. To get the SID, you can do something like
SID *sid = (SID *) &ace->Header->SidStart;
I will skip presentation of the ACL structure, as we don't need to know about it at all... To get ACEs from an ACL, we use GetAclInformation() to find the number of ACEs and then loop through them with GetAce().
int GetAclInformation(ACL *acl, void *info, unsigned long size, ACL_INFORMATION_CLASS class);
int GetAce(ACL *acl, unsigned long ace_id, void **ace);
Sample code
Getting the size and number of ACEs in an ACL
#include <stdio.h>
#include <windows.h>
ACL_SIZE_INFORMATION size_info;
ACL *acl; /* Obtained from somewhere */
if (! GetAclInformation(acl, &size_info, sizeof(size_info), AclSizeInformation)) /* Error */
printf("Number of ACEs: %d\n", size_info.AceCount);
Inspecting all ACEs
#include <stdio.h>
#include <windows.h>
ACL *acl; /* Obtained from somewhere */
ACL_SIZE_INFORMATION size_info; /* Filled in as per code above */
unsigned long i, mask;
void *ace;
SID *sid;
char *stringsid;
for (i = 0; i < size_info.AceCount; i++) {
if (! GetAce(acl, i, &ace)) /* Error */
/* Check type of ACE */
if (((ACCESS_ALLOWED_ACE *) ace)->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) {
sid = (SID *) &((ACCESS_ALLOWED_ACE *) ace)->SidStart;
mask = ((ACCESS_ALLOWED_ACE *) ace)->Mask;
printf("Allow ACE\n");
}
else if (((ACCESS_DENIED_ACE *) ace)->Header.AceType == ACCESS_DENIED_ACE_TYPE) {
sid = (SID *) &((ACCESS_DENIED_ACE *) ace)->SidStart;
mask = ((ACCESS_DENIED_ACE *) ace)->Mask;
printf("Deny ACE\n");
}
else printf("Other ACE\n");
/* Check permissions */
if (mask & FILE_READ_DATA) printf("Read access\n");
if (mask & FILE_WRITE_DATA) printf("Write access\n");
/* ... */
/* Get SID */
if (! ConvertSidToStringSid(sid, &stringsid)) /* Error */
printf("Account affected: %s\n", stringsid);
HeapFree(GetProcessHeap(), 0, stringsid);
}
...
typedef struct _ACE_HEADER {
char AceType;
char AceFlags;
short AceSize;
} ACE_HEADER;
typedef struct _ACCESS_ALLOWED_ACE {
ACE_HEADER Header;
unsigned long Mask;
unsigned long SidStart;
} ACCESS_ALLOWED_ACE;
The ACE structure itself is easy to understand. Only SidStart needs to be explained. It is a pointer to the SID to which the ACE applies, only declared as DWORD. To get the SID, you can do something like
SID *sid = (SID *) &ace->Header->SidStart;
I will skip presentation of the ACL structure, as we don't need to know about it at all... To get ACEs from an ACL, we use GetAclInformation() to find the number of ACEs and then loop through them with GetAce().
int GetAclInformation(ACL *acl, void *info, unsigned long size, ACL_INFORMATION_CLASS class);
int GetAce(ACL *acl, unsigned long ace_id, void **ace);
Sample code
Getting the size and number of ACEs in an ACL
#include <stdio.h>
#include <windows.h>
ACL_SIZE_INFORMATION size_info;
ACL *acl; /* Obtained from somewhere */
if (! GetAclInformation(acl, &size_info, sizeof(size_info), AclSizeInformation)) /* Error */
printf("Number of ACEs: %d\n", size_info.AceCount);
Inspecting all ACEs
#include <stdio.h>
#include <windows.h>
ACL *acl; /* Obtained from somewhere */
ACL_SIZE_INFORMATION size_info; /* Filled in as per code above */
unsigned long i, mask;
void *ace;
SID *sid;
char *stringsid;
for (i = 0; i < size_info.AceCount; i++) {
if (! GetAce(acl, i, &ace)) /* Error */
/* Check type of ACE */
if (((ACCESS_ALLOWED_ACE *) ace)->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) {
sid = (SID *) &((ACCESS_ALLOWED_ACE *) ace)->SidStart;
mask = ((ACCESS_ALLOWED_ACE *) ace)->Mask;
printf("Allow ACE\n");
}
else if (((ACCESS_DENIED_ACE *) ace)->Header.AceType == ACCESS_DENIED_ACE_TYPE) {
sid = (SID *) &((ACCESS_DENIED_ACE *) ace)->SidStart;
mask = ((ACCESS_DENIED_ACE *) ace)->Mask;
printf("Deny ACE\n");
}
else printf("Other ACE\n");
/* Check permissions */
if (mask & FILE_READ_DATA) printf("Read access\n");
if (mask & FILE_WRITE_DATA) printf("Write access\n");
/* ... */
/* Get SID */
if (! ConvertSidToStringSid(sid, &stringsid)) /* Error */
printf("Account affected: %s\n", stringsid);
HeapFree(GetProcessHeap(), 0, stringsid);
}
masterz 2005-08-22
- 打赏
- 举报
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/access_mask.asp
ACCESS_MASK
ACCESS_MASK
0313700000 2005-08-22
- 打赏
- 举报
我取得mask值根msdn的说明对比,代表GENERIC_ALL的位总是为1,不管我有没有设置完全控制,不知道为什么
