获取ACL [英] Get ACL
问题描述
我使用此代码在Win32Security.DLL文件夹/文件上设置writepermissions
SecurityDescriptor secDesc = SecurityDescriptor.GetFileSecurity(@strFile,SECURITY_INFORMATION.DACL_SECURITY_INFORMATION)
Dacl dacl = secDesc.Dacl
dacl.AddAce(新的AceAccessAllowed(新的Sid(用户),AccessType.GENERIC_EXECUTE | AccessType.GENERIC_READ | AccessType.GENERIC_WRITE | AccessType.DELETE,AceFlags.CONTAINER_INHERIT_ACE | AceFlags.OBJECT_INHERIT_ACE))
secDesc.SetDacl(dacl)
secDesc.SetFileSecurity(@strFile,SECURITY_INFORMATION.DACL_SECURITY_INFORMATION)
但是如何为用户获取ACL?我需要知道用户是否具有文件/文件夹中上述代码中所述的权限。
I use this code to set write permissions on a folder/file with Win32Security.DLL
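// Read the file's current security descriptor, requesting only the DACL part.
SecurityDescriptor secDesc = SecurityDescriptor.GetFileSecurity(@strFile, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION);
Dacl dacl = secDesc.Dacl;
// Append an access-allowed ACE for `user`: generic execute/read/write plus DELETE,
// with both inherit flags set so the entry is passed on to child containers and objects.
// NOTE(review): this is a broad, inheriting grant; confirm the account really needs
// write and delete on everything below strFile before applying it.
dacl.AddAce(new AceAccessAllowed(new Sid(user), AccessType.GENERIC_EXECUTE | AccessType.GENERIC_READ | AccessType.GENERIC_WRITE | AccessType.DELETE, AceFlags.CONTAINER_INHERIT_ACE | AceFlags.OBJECT_INHERIT_ACE));
// Put the modified DACL back into the descriptor, then write the descriptor to the file.
secDesc.SetDacl(dacl);
secDesc.SetFileSecurity(@strFile, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION);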
But how do I get the ACL for a user? I need to know if a user has the permissions as stated in the code above on a file/folder.
推荐答案
你不应该使用像 Win32Security.dll 这样"不受支持"的东西,请改用
System.DirectoryServices(XP及更高版本)或 System.Management 命名空间。
接下来是一个完整示例说明如何使用System.Management类从文件
对象DACL转储ACE。
使用System;
使用System.Management;
使用System.Collections;
//访问掩码(参见AccessMask属性)
[Flags]
enum面具:uint
{
FileReadData = 0x00000001,
FileWriteData = 0x00000002,
FileAppendData = 0x00000004,
FileReadEA = 0x00000008,
FileWriteEA = 0x00000010,
FileExecute = 0x00000020,
FileDeleteChild = 0x00000040,
FileReadAttributes = 0x00000080,
FileWriteAttributes = 0x00000100,
删除= 0x00010000,
ReadControl = 0x00020000,
WriteDac = 0x00040000,
WriteOwner = 0x000 80000,
同步= 0x00100000,
AccessSystemSecurity = 0x01000000,
MaximumAllowed = 0x02000000,
GenericAll = 0x10000000,
GenericExecute = 0x20000000,
GenericWrite = 0x40000000,
GenericRead = 0x80000000
}
[标志]
枚举AceFlags:int
{
ObjectInheritAce = 1,
ContainerInheritAce = 2,
NoPropagateInheritAce = 4,
InheritOnlyAce = 8,
InheritedAce = 16
}
[标志]
enum AceType:int
{
AccessAllowed = 0,
AccessDenied = 1,
审核= 2
}
班级测试员{
public static void Main(){
string fileObject = @" c:\\pipo\\t.txt" ;; //观看双反斜杠
使用(ManagementObject lfs = new
ManagementObject(@Win32_LogicalFileSecuritySettin g.Path =" +"''" +
fileObject +"''"))
{
//获取此对象的安全描述符
//转储所有受托人(包括所有者)
ManagementBaseObject outParams =
lfs.InvokeMethod(" GetSecurityDescriptor",null,null);
if(((uint)(outParams.Properties [" ReturnValue"]。Value))== 0)//如果
成功
{
ManagementBaseObject secDescriptor =
((ManagementBaseObject)(outParams.Properties [" Descriptor"]。Value));
// DACL是一个数组Win32_ACE对象。
ManagementBaseObject [] dacl =
((ManagementBaseObject [])(secDescriptor.Properties [" Dacl"]。Value));
DumpACEs(dacl);
}
}
}
>
static void DumpACEs(ManagementBaseObject [] dacl)
{
foreach(dacl中的ManagementBaseObject mbo){
Console.WriteLine (" \\\
--------- \\\
Mask:{0:X} - 标志:{1} - 输入:{2}",
mbo [" ; AccessMask"],mbo [" AceFlags"],mbo [&'AceType"]);
//允许/拒绝访问ACE
if(Convert.ToInt32 (mbo [" AceType"])==(int)AceType.AccessDenied)
Console.WriteLine(" DENIED ACE TYPE");
else
Console.WriteLine(" ALLOWED ACE TYPE");
//转储受托人
ManagementBaseObject Trustee =((ManagementBaseObject)(mbo [" Trustee" ;]));
Console.WriteLine(" Name:{0} - Domain:{1} - SID {2} \ n",
受托人。属性[" Name"]。值,
Trustee.Properties [" Domain"]。值,
Trustee.Properties [" SIDString"]。Value) ;
//在可读的f中转储ACE掩码orm
UInt32 mask =(UInt32)mbo [" AccessMask"];
Console.WriteLine(Enum.Format(typeof(Mask),mask," g" ));
}
}
}
Willy。
" Aleborg" <一个**** @ aleborg.se>在留言中写道
新闻:D5 ********************************** @ microsof t.com ...
You shouldn't use "unsupported" stuff like Win32Security.dll; use the
System.DirectoryServices (XP and higher) or System.Management namespace
instead.
Next is a complete example illustrating how to dump the ACEs from a file
object's DACL using System.Management classes.
using System;
using System.Management;
using System.Collections;
// Access mask (see AccessMask property)
/// <summary>
/// Bit values of a file ACE access mask, written as bit positions.
/// Bits 0-8 are the file-specific rights, bits 16-20 the standard rights,
/// and bits 28-31 the generic rights.
/// </summary>
[Flags]
enum Mask : uint
{
    // File-specific rights
    FileReadData = 1u << 0,
    FileWriteData = 1u << 1,
    FileAppendData = 1u << 2,
    FileReadEA = 1u << 3,
    FileWriteEA = 1u << 4,
    FileExecute = 1u << 5,
    FileDeleteChild = 1u << 6,
    FileReadAttributes = 1u << 7,
    FileWriteAttributes = 1u << 8,

    // Standard rights
    Delete = 1u << 16,
    ReadControl = 1u << 17,
    WriteDac = 1u << 18,
    WriteOwner = 1u << 19,
    Synchronize = 1u << 20,

    AccessSystemSecurity = 1u << 24,
    MaximumAllowed = 1u << 25,

    // Generic rights
    GenericAll = 1u << 28,
    GenericExecute = 1u << 29,
    GenericWrite = 1u << 30,
    GenericRead = 1u << 31
}
/// <summary>
/// Inheritance-related bits of an ACE's AceFlags value, written as bit positions.
/// </summary>
[Flags]
enum AceFlags : int
{
    ObjectInheritAce = 1 << 0,
    ContainerInheritAce = 1 << 1,
    NoPropagateInheritAce = 1 << 2,
    InheritOnlyAce = 1 << 3,
    InheritedAce = 1 << 4
}
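/// <summary>
/// Kind of an access control entry, as compared against the AceType property.
/// These are ordinal values (0, 1, 2), not combinable bits, so the enum is
/// deliberately not marked [Flags]: with that attribute a value such as 3
/// would format as "AccessDenied, Audit", which describes no real ACE type.
/// </summary>
enum AceType : int
{
    AccessAllowed = 0,
    AccessDenied = 1,
    Audit = 2
}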
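/// <summary>
/// Console sample that reads a file's security descriptor through WMI
/// (Win32_LogicalFileSecuritySetting) and prints every ACE found in its DACL.
/// </summary>
class Tester {
    /// <summary>
    /// Fetches the security descriptor of one hard-coded file and dumps its DACL.
    /// </summary>
    public static void Main() {
        // The backslash is an escape character inside a WMI object path, so every
        // path separator must reach WMI doubled; the verbatim string keeps both.
        string fileObject = @"c:\\pipo\\t.txt";
        using (ManagementObject lfs = new ManagementObject(
            "Win32_LogicalFileSecuritySetting.Path='" + fileObject + "'"))
        // GetSecurityDescriptor hands back its result as out-parameters
        // (ReturnValue and Descriptor); dispose them together with the object.
        using (ManagementBaseObject outParams =
            lfs.InvokeMethod("GetSecurityDescriptor", null, null))
        {
            uint returnValue = (uint)outParams.Properties["ReturnValue"].Value;
            if (returnValue != 0)
            {
                // Report the failure instead of silently printing nothing.
                Console.Error.WriteLine("GetSecurityDescriptor failed, ReturnValue = {0}", returnValue);
                return;
            }

            ManagementBaseObject secDescriptor =
                (ManagementBaseObject)outParams.Properties["Descriptor"].Value;
            // The DACL is an array of Win32_ACE objects.
            ManagementBaseObject[] dacl =
                (ManagementBaseObject[])secDescriptor.Properties["Dacl"].Value;
            DumpACEs(dacl);
        }
    }

    /// <summary>
    /// Prints mask, flags, type and trustee of every ACE in <paramref name="dacl"/>.
    /// </summary>
    /// <param name="dacl">Win32_ACE objects taken from the descriptor's Dacl property; may be null.</param>
    static void DumpACEs(ManagementBaseObject[] dacl)
    {
        if (dacl == null)
        {
            // A descriptor without a DACL places no restriction on access at all,
            // which is worth reporting rather than crashing in the loop below.
            Console.WriteLine("No DACL present");
            return;
        }

        foreach (ManagementBaseObject mbo in dacl)
        {
            Console.WriteLine("\n---------\nMask: {0:X} - Flags: {1} - Type: {2}",
                mbo["AccessMask"], mbo["AceFlags"], mbo["AceType"]);

            // Name the ACE type explicitly; anything that is neither allow nor
            // deny is printed as its number instead of being labelled "allowed".
            int aceType = Convert.ToInt32(mbo["AceType"]);
            if (aceType == (int)AceType.AccessDenied)
            {
                Console.WriteLine("DENIED ACE TYPE");
            }
            else if (aceType == (int)AceType.AccessAllowed)
            {
                Console.WriteLine("ALLOWED ACE TYPE");
            }
            else
            {
                Console.WriteLine("OTHER ACE TYPE ({0})", aceType);
            }

            // Dump the trustee the ACE applies to.
            ManagementBaseObject trustee = (ManagementBaseObject)mbo["Trustee"];
            Console.WriteLine("Name: {0} - Domain: {1} - SID {2}\n",
                trustee.Properties["Name"].Value,
                trustee.Properties["Domain"].Value,
                trustee.Properties["SIDString"].Value);

            // Dump the ACE mask as a list of right names.
            UInt32 mask = (UInt32)mbo["AccessMask"];
            Console.WriteLine(Enum.Format(typeof(Mask), mask, "g"));
        }
    }
}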
Willy.
"Aleborg" <an****@aleborg.se> wrote in message
news:D5**********************************@microsof t.com...
我使用此代码使用
Win32Security.DLL在文件夹/文件上设置writepermissions:
SecurityDescriptor secDesc = SecurityDescriptor.GetFileSecurity( @strFile,
SECURITY_INFORMATION.DACL_SECURITY_INFORMATION);
Dacl dacl = secDesc.Dacl;
dacl.AddAce(新的AceAccessAllowed(新的Sid(用户),
AccessType.GENERIC_EXECUTE | AccessType。 GENERIC_READ |
AccessType.GENERIC_WRITE | AccessType.DELETE,
AceFlags.CONTAINER_INHERIT_ACE | AceFlags.OBJECT_INHERIT_ACE));
secDesc.SetDacl(dacl);
secDesc.SetFileSecurity(@strFile,
SECURITY_INFORMATION.DACL_SECURITY_INFORMATION);
但是如何为用户获取ACL?我需要知道用户是否具有上述代码中文件/文件夹中所述的
权限。
I use this code to set write permissions on a folder/file with
Win32Security.DLL:
// Load the descriptor (DACL part only) for the target file or folder.
SecurityDescriptor descriptor = SecurityDescriptor.GetFileSecurity(
    @strFile,
    SECURITY_INFORMATION.DACL_SECURITY_INFORMATION);
Dacl acl = descriptor.Dacl;

// Allow-ACE for `user`: generic execute, read and write plus DELETE,
// with both inherit flags so it is handed down to child containers and objects.
acl.AddAce(
    new AceAccessAllowed(
        new Sid(user),
        AccessType.GENERIC_EXECUTE | AccessType.GENERIC_READ |
        AccessType.GENERIC_WRITE | AccessType.DELETE,
        AceFlags.CONTAINER_INHERIT_ACE | AceFlags.OBJECT_INHERIT_ACE));

// Store the changed DACL in the descriptor and write it back to the file.
descriptor.SetDacl(acl);
descriptor.SetFileSecurity(
    @strFile,
    SECURITY_INFORMATION.DACL_SECURITY_INFORMATION);
But how do I get the ACL for a user? I need to know if a user has the
permissions as stated in the code above on a file/folder.
嗨!
谢谢,现在我有了这段代码:
public int GetPermissions()
{
string fileObject = @strFile; //观看双反斜杠
使用(ManagementObject lfs = new
ManagementObject(@Win32_LogicalFileSecuritySettin g.Path =" +"''" +
fileObject +"''"))
{
//获取此对象的安全描述符
//转储所有受托人(包括所有者)
ManagementBaseObject outParams =
lfs.InvokeMethod(" GetSecurityDescriptor",null,null);
if(((uint)(outParams.Properties [" ReturnValue"]。Value))== 0)
//如果成功
{
ManagementBaseObject secDescriptor =
((ManagementBaseObject)(outParams.Properties [" Descriptor"]。Value));
// DACL是一个数组Win32_ACE对象。
ManagementBaseObject [] dacl =
((ManagementBaseObject [])(secDescriptor.Properties [" Dacl"]。Value));
返回DumpACEs(dacl);
}
其他
retu rn -1;
}
}
public int DumpACEs(ManagementBaseObject [] dacl)
{
string ace ="" ;;
foreach(dacl中的ManagementBaseObject mbo)
{
ManagementBaseObject Trustee =( (ManagementBaseObject)(mbo [" Trustee"]));
if(Trustee.Properties [" Name"]。Value.ToString()== user)
{
UInt32 mask =(UInt32)mbo [" AccessMask"];
ace = Enum.Format(typeof(Mask),mask," g") ;
}
}
if(ace ==" FileReadData,FileWriteData,FileAppendData,FileReadEA,FileWriteEA,FileExecute,FileReadAttributes,FileWriteAttributes,删除,ReadControl,同步)
返回0;
else
返回-1;
}
它有效但我们使用它来获取文件列表的权限(如果特定用户对文件/文件夹具有正确的权限)但它非常慢,我们几乎得到25个文件页面暂停(aspx)。
我们要做的是列出已登录用户的文件,如果文件具有修改权限,则选中复选框。
我们如何设置文件的"修改"权限?
Hi!
Thanks, now I have this code:
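/// <summary>
/// Reads the DACL of <c>strFile</c> through WMI and asks <c>DumpACEs</c>
/// whether it grants the expected rights.
/// </summary>
/// <returns>The result of <c>DumpACEs</c>, or -1 when there is no path or WMI reports a failure.</returns>
// NOTE(review): every call is a separate WMI round trip, which matches the slowness
// reported for file lists; System.Security.AccessControl (File.GetAccessControl)
// reads the same DACL in-process. TODO evaluate as a replacement.
public int GetPermissions()
{
    if (string.IsNullOrEmpty(strFile))
    {
        return -1;
    }

    // strFile becomes part of a quoted key value in a WMI object path. Backslashes
    // are expected to arrive already doubled; an apostrophe is escaped here so a
    // file name cannot close the quoted value early and alter the path.
    // NOTE(review): presumably strFile can come from user-visible file names; verify against caller.
    string fileObject = strFile.Replace("'", "\\'");

    using (ManagementObject lfs = new ManagementObject(
        "Win32_LogicalFileSecuritySetting.Path='" + fileObject + "'"))
    // The out-parameters carry ReturnValue and Descriptor; dispose them as well.
    using (ManagementBaseObject outParams =
        lfs.InvokeMethod("GetSecurityDescriptor", null, null))
    {
        // A non-zero ReturnValue means the descriptor could not be read.
        if ((uint)outParams.Properties["ReturnValue"].Value != 0)
        {
            return -1;
        }

        ManagementBaseObject secDescriptor =
            (ManagementBaseObject)outParams.Properties["Descriptor"].Value;
        // The DACL is an array of Win32_ACE objects.
        ManagementBaseObject[] dacl =
            (ManagementBaseObject[])secDescriptor.Properties["Dacl"].Value;
        return DumpACEs(dacl);
    }
}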
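/// <summary>
/// Checks whether the ACEs that name <c>user</c> as trustee grant the "modify"
/// set of rights (0x1301BF) on the object the DACL belongs to.
/// </summary>
/// <param name="dacl">Win32_ACE objects from the descriptor's Dacl property; may be null.</param>
/// <returns>0 when every required right is allowed and none is denied, otherwise -1.</returns>
// NOTE(review): only ACEs whose trustee Name equals `user` are considered. Rights that
// reach the user through group membership are not seen, and matching on Name alone
// ignores the trustee's Domain and SIDString, so same-named accounts cannot be told apart.
public int DumpACEs(ManagementBaseObject[] dacl)
{
    // The eleven rights the earlier string comparison listed, as a bit mask.
    const Mask required =
        Mask.FileReadData | Mask.FileWriteData | Mask.FileAppendData |
        Mask.FileReadEA | Mask.FileWriteEA | Mask.FileExecute |
        Mask.FileReadAttributes | Mask.FileWriteAttributes |
        Mask.Delete | Mask.ReadControl | Mask.Synchronize;

    // AceType and AceFlags values as they appear on Win32_ACE objects.
    const int accessAllowedAce = 0;
    const int accessDeniedAce = 1;
    const int inheritOnlyFlag = 8;

    if (dacl == null)
    {
        // Fail closed: with no entries to inspect, nothing here proves the grant.
        return -1;
    }

    Mask allowed = 0;
    Mask denied = 0;
    foreach (ManagementBaseObject mbo in dacl)
    {
        ManagementBaseObject trustee = (ManagementBaseObject)mbo["Trustee"];
        // Name can be missing on a trustee, so guard before calling ToString().
        object name = trustee == null ? null : trustee.Properties["Name"].Value;
        if (name == null || !(name.ToString() == user))
        {
            continue;
        }

        // Inherit-only entries exist for children and do not apply to this object.
        if ((Convert.ToInt32(mbo["AceFlags"]) & inheritOnlyFlag) != 0)
        {
            continue;
        }

        Mask mask = (Mask)(UInt32)mbo["AccessMask"];
        int aceType = Convert.ToInt32(mbo["AceType"]);
        if (aceType == accessDeniedAce)
        {
            denied |= mask;
        }
        else if (aceType == accessAllowedAce)
        {
            allowed |= mask;
        }
    }

    // Test bits rather than the formatted text, so a superset such as full control
    // also qualifies, and let any deny on a required right win (conservative).
    return ((allowed & ~denied & required) == required) ? 0 : -1;
}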
It works, but we use it to check a list of files (whether a specific user has the correct permissions on each file/folder) and it's VERY slow: with 25 files the page (aspx) almost times out.
What we're trying to do is to list files for a user that has logged in and check a checkbox if the file has modify permissions.
And how can we set "modify" permissions on a file?
嗨!
谢谢,现在我有了这个代码:
public int GetPermissions()
{
string fileObject = @strFile; //观看双反斜杠
使用(ManagementObject lfs = new
ManagementObject(@Win32_LogicalFileSecuritySettin g.Path =" +"''" +
fileObject +"''"))
{
//获取此对象的安全描述符
//转储所有受托人(包括所有者)
ManagementBaseObject outParams =
lfs.InvokeMethod(" GetSecurityDescriptor",null,null);
if(((uint)(outParams.Properties [" ReturnValue"]。Value))== 0)
//如果成功
{
ManagementBaseObject secDescriptor =
((ManagementBaseObject)(outParams.Properties [" Descriptor"]。Value));
// DACL是一个数组Win32_ACE对象。
ManagementBaseObject [] dacl =
((ManagementBaseObject [])(secDescriptor.Properties [" Dacl"]。Value));
返回DumpACEs(dacl);
}
其他
retu rn -1;
}
}
public int DumpACEs(ManagementBaseObject [] dacl)
{
string ace ="" ;;
foreach(dacl中的ManagementBaseObject mbo)
{
ManagementBaseObject Trustee =( (ManagementBaseObject)(mbo [" Trustee"]));
if(Trustee.Properties [" Name"]。Value.ToString()== user)
{
UInt32 mask =(UInt32)mbo [" AccessMask"];
ace = Enum.Format(typeof(Mask),mask," g") ;
}
}
if(ace ==" FileReadData,FileWriteData,FileAppendData,FileReadEA,FileWriteEA,FileExecute,FileReadAttributes,FileWriteAttributes,删除,ReadControl,同步)
返回0;
else
返回-1;
}
它有效但我们使用它来获取文件列表的权限(如果特定用户对文件/文件夹具有正确的权限)但它非常慢,我们几乎得到25个文件页面暂停(aspx)。
我们要做的是列出已登录用户的文件,如果文件具有修改权限,则选中复选框。
我们如何设置文件的"修改"权限?
Hi!
Thanks, now I have this code:
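/// <summary>
/// Reads the DACL of <c>strFile</c> through WMI and asks <c>DumpACEs</c>
/// whether it grants the expected rights.
/// </summary>
/// <returns>The result of <c>DumpACEs</c>, or -1 when there is no path or WMI reports a failure.</returns>
// NOTE(review): every call is a separate WMI round trip, which matches the slowness
// reported for file lists; System.Security.AccessControl (File.GetAccessControl)
// reads the same DACL in-process. TODO evaluate as a replacement.
public int GetPermissions()
{
    if (string.IsNullOrEmpty(strFile))
    {
        return -1;
    }

    // strFile becomes part of a quoted key value in a WMI object path. Backslashes
    // are expected to arrive already doubled; an apostrophe is escaped here so a
    // file name cannot close the quoted value early and alter the path.
    // NOTE(review): presumably strFile can come from user-visible file names; verify against caller.
    string fileObject = strFile.Replace("'", "\\'");

    using (ManagementObject lfs = new ManagementObject(
        "Win32_LogicalFileSecuritySetting.Path='" + fileObject + "'"))
    // The out-parameters carry ReturnValue and Descriptor; dispose them as well.
    using (ManagementBaseObject outParams =
        lfs.InvokeMethod("GetSecurityDescriptor", null, null))
    {
        // A non-zero ReturnValue means the descriptor could not be read.
        if ((uint)outParams.Properties["ReturnValue"].Value != 0)
        {
            return -1;
        }

        ManagementBaseObject secDescriptor =
            (ManagementBaseObject)outParams.Properties["Descriptor"].Value;
        // The DACL is an array of Win32_ACE objects.
        ManagementBaseObject[] dacl =
            (ManagementBaseObject[])secDescriptor.Properties["Dacl"].Value;
        return DumpACEs(dacl);
    }
}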
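/// <summary>
/// Checks whether the ACEs that name <c>user</c> as trustee grant the "modify"
/// set of rights (0x1301BF) on the object the DACL belongs to.
/// </summary>
/// <param name="dacl">Win32_ACE objects from the descriptor's Dacl property; may be null.</param>
/// <returns>0 when every required right is allowed and none is denied, otherwise -1.</returns>
// NOTE(review): only ACEs whose trustee Name equals `user` are considered. Rights that
// reach the user through group membership are not seen, and matching on Name alone
// ignores the trustee's Domain and SIDString, so same-named accounts cannot be told apart.
public int DumpACEs(ManagementBaseObject[] dacl)
{
    // The eleven rights the earlier string comparison listed, as a bit mask.
    const Mask required =
        Mask.FileReadData | Mask.FileWriteData | Mask.FileAppendData |
        Mask.FileReadEA | Mask.FileWriteEA | Mask.FileExecute |
        Mask.FileReadAttributes | Mask.FileWriteAttributes |
        Mask.Delete | Mask.ReadControl | Mask.Synchronize;

    // AceType and AceFlags values as they appear on Win32_ACE objects.
    const int accessAllowedAce = 0;
    const int accessDeniedAce = 1;
    const int inheritOnlyFlag = 8;

    if (dacl == null)
    {
        // Fail closed: with no entries to inspect, nothing here proves the grant.
        return -1;
    }

    Mask allowed = 0;
    Mask denied = 0;
    foreach (ManagementBaseObject mbo in dacl)
    {
        ManagementBaseObject trustee = (ManagementBaseObject)mbo["Trustee"];
        // Name can be missing on a trustee, so guard before calling ToString().
        object name = trustee == null ? null : trustee.Properties["Name"].Value;
        if (name == null || !(name.ToString() == user))
        {
            continue;
        }

        // Inherit-only entries exist for children and do not apply to this object.
        if ((Convert.ToInt32(mbo["AceFlags"]) & inheritOnlyFlag) != 0)
        {
            continue;
        }

        Mask mask = (Mask)(UInt32)mbo["AccessMask"];
        int aceType = Convert.ToInt32(mbo["AceType"]);
        if (aceType == accessDeniedAce)
        {
            denied |= mask;
        }
        else if (aceType == accessAllowedAce)
        {
            allowed |= mask;
        }
    }

    // Test bits rather than the formatted text, so a superset such as full control
    // also qualifies, and let any deny on a required right win (conservative).
    return ((allowed & ~denied & required) == required) ? 0 : -1;
}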
It works, but we use it to check a list of files (whether a specific user has the correct permissions on each file/folder) and it's VERY slow: with 25 files the page (aspx) almost times out.
What we're trying to do is to list files for a user that has logged in and check a checkbox if the file has modify permissions.
And how can we set "modify" permissions on a file?