How i can add rights to already existing ACL ,i use this code code link ,but this code erases all old rights, how can I add rights to already existing rights?
You can use SetEntriesInAcl to Create a new ACL that merges the new ACE into the existing DACL.
You may refer to the Modifying the ACLs of an Object in C++.
Related
I would like to set the permission on the folder C:\Share\Project\Project1 (and the previous one if needed) to let a specific user "Bob" create modify and read files but I don't want anybody to be able to delete files. Those folder are shared via an ad and Bob acces them following this path \WIN-SRV1\Share\Project\Project 1. I have all the permission on those deviceS both Bob and the hosting server are on windows.
I think i tried every advanced security permission settings for david and everyone etc, and advanced shared setting
Thank you in advance:)
Problem is simple my application copies some file from one location to another.
File at destination folder should be readable by all administrators of computer without elevating privileges.
I've found an API which should do it:
SetNamedSecurityInfoW
SetKernelObjectSecurity
But I'm not fluent with Windows API and this security API is quite complex, so I need help ho to use this API.
Main problem I have is how to get psidGroup? Other stuff is obvious or I can just provide a NULL.
Or is there a better API so I can add this read permission for administrators while file is copied?
psidGroup in SetNamedSecurityInfo is used to change owner or group of the file. There is an example on msdn, get the old Security Info first, then modify(SetEntriesInAcl) and submit(SetNamedSecurityInfo). If you want to set the permission of the a group, set the EXPLICIT_ACCESS.Trustee.TrusteeType to TRUSTEE_IS_GROUP, then you can set the a permission for a group.
I see an edit variable permission that is scoped to the environment. However, it seems like who ever is responsible for setting up the project, would be responsible for creating the variables, where some other security entity would be responsible for only modifying the values, specifically the secure ones. Is this possible?
Edit:
Adding a little more, I suppose I'm asking for permissions based on the project variable set. Only those with the "EditProjectVariableSet" permission would be able to add or remove variables from the project.
Edit:
Added uservoice:
https://octopusdeploy.uservoice.com/forums/170787-general/suggestions/18022360-separate-permission-for-editing-variable-values-wi
In the Configuration->Teams there is a link to Roles.
You could create a new role, for ex: Variable Editor and only assign VariableEdit, VariableEditUnscoped, VariableView, VariableViewUnscoped.
However I don't think you can restrict to a modification only.
I would like to create logfiles for my application in an user independent lactation. AFAIK C:\ProgramData is good place for that.
I've tried it this way:
if not DirectoryExists('C:\ProgramData\MyApp') then
CreateDirectory('C:\ProgramData\MyApp', nil);
LogFileStream := TFileStream.Create('C:\ProgramData\MyApp\LogFile01.txt', fmCreate, (fmOpenRead or fmShareDenyNone));
The problem with this approach is that the created filed does not have Authenticated Users nor Everyone in Properties->Security->Group or user names.
This results in other users being unable to modify the created files.
But how can I achieve this, also other users being albe to modify the created files.
I think it must be possible to have files with this permission there. Some files do have this permission e.g. C:\ProgramData\Microsoft\Windows\Ringtones\Ringtone *.wav
Maybe either in
1.) somehow creating a 'MyApp' folder in C:\ProgramData with Authenticated Users or Everyone permission which would result in TFileStream automatically creating files with the same permission or
2.) somehow telling TFileStream to create the files with the required permission or
3.) somehow changing the files permission with some API function after its creation or
4.) some other way??
The default permissions in C:\ProgramData, aka FOLDERID_ProgramData allow any user to create new files and folders. However, only the user who creates the file or folder has permission to write to it.
So, if you wish to allow any user to modify objects under FOLDERID_ProgramData then you need to add a permissive ACL to grant those rights. You would typically do that when you installed your program. Create a folder under FOLDERID_ProgramData and add an ACL to grant rights to whichever class of users you wish to allow full access.
As an aside, clearly you should not be hard coding C:\ProgramData, but instead using FOLDERID_ProgramData with the known folder API. I guess the code in the question is just for testing, and your real program code does it correctly.
I have a write-restricted folder which may only be written in if the user is in a specific group or has been explicitly given the rights to do so. I have successfully implemented that with C++ using SetNamedSecurityInfo on the folder with the specified groups and users. However, the following scenario gives me trouble:
Admin gives write-rights to user
User creates a file
Admin removes write-rights from user
User keeps writing in the file
The last point is the problem. Since the user is the owner of the file he can write in it, even though the admin removed the right (by removing group membership for example).
I want to accomplish that the ownership of a file does not grant any rights to the owner in that restricted folder.
You need to remove the CREATOR OWNER SID from the folder, and push that down to the files.