[windev] UAC and file ownership problem...

Chris Becke Chris.Becke at derivco.com
Fri Feb 13 08:27:26 GMT 2009


I made, and use, the following function in my install program. This is used to create a folder in the all users profile. I create a special SID representing the well known "Users" group that I add to the folder's ACL as an inheritable full-access grant-access entry.
This potentially means that there are two separate Users entries in the ACL - I wasn't too interested in parsing the retrieved ACL to see if there is a users entry to purge as it would just add potential failure modes to no real benefit.

(This code is flaky enough as it is. Early versions used a localized form to describe the "Users" group, which resulted in setting a NULL ACL - which, on Vista, no longer grants full access any more, but denies instead.)

Anyway, the ONLY entity your setup program needs to do this kind of work on should be the folder it creates. Once the folder has the inheritable properties, they will automatically propagate to all files created, (or copied (not moved)) into the folder with no further work.

Oh yes, it IS possible to create a directory from first principles with an ACL - I found that rather useless as there doesn't seem to be an easy way to just get the default ACL for objects in the Users folders. It's easier to create the folder with a default ACL, then modify the ACL, rather than trying to figure out, from scratch, whether to add admin, everyone etc.

The below code at least honors and preserves any specific other inheritable rights that the user might have assigned to the all users profile folders.


#include <windows.h>
#include <aclapi.h>

/* Create the folder with the default (inherited) ACL, then merge in an
 * inheritable full-control allow entry for the well-known BUILTIN\Users
 * group (S-1-5-32-545). Files later created or copied into the folder
 * pick up the entry through inheritance; existing inheritable entries
 * from the parent are preserved. Returns FALSE if any step fails; the
 * directory itself is left in place in that case. */
BOOL CreateDirectoryWithUserFullControlACL(LPCTSTR lpPath)
{
  BOOL ok = FALSE;
  HANDLE hDir = INVALID_HANDLE_VALUE;
  PSECURITY_DESCRIPTOR pSD = NULL;   /* owns the buffer pOldDACL points into */
  ACL* pOldDACL = NULL;
  ACL* pNewDACL = NULL;
  PSID pSid = NULL;
  SID_IDENTIFIER_AUTHORITY authNt = SECURITY_NT_AUTHORITY;
  EXPLICIT_ACCESS ea = {0};

  if(!CreateDirectory(lpPath,NULL))
    return FALSE;

  /* Open the directory itself (FILE_FLAG_BACKUP_SEMANTICS) with only the
   * rights needed to read and replace its DACL. */
  hDir = CreateFile(lpPath,READ_CONTROL|WRITE_DAC,0,NULL,OPEN_EXISTING,FILE_FLAG_BACKUP_SEMANTICS,NULL);
  if(hDir == INVALID_HANDLE_VALUE)
    return FALSE;

  /* Read the DACL the folder got by default. pOldDACL is not a separate
   * allocation: it points inside pSD, so only pSD is LocalFree'd below. */
  if(GetSecurityInfo(hDir, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
                     NULL, NULL, &pOldDACL, NULL, &pSD) != ERROR_SUCCESS)
    goto cleanup;

  /* Build the Users SID directly instead of looking up a localized name. */
  if(!AllocateAndInitializeSid(&authNt,2,SECURITY_BUILTIN_DOMAIN_RID,DOMAIN_ALIAS_RID_USERS,
                               0,0,0,0,0,0,&pSid))
    goto cleanup;

  /* One new entry: allow Users full control, inherited by sub-folders and files. */
  ea.grfAccessMode = GRANT_ACCESS;
  ea.grfAccessPermissions = GENERIC_ALL;
  ea.grfInheritance = CONTAINER_INHERIT_ACE|OBJECT_INHERIT_ACE;
  ea.Trustee.TrusteeType = TRUSTEE_IS_GROUP;
  ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
  ea.Trustee.ptstrName = (LPTSTR)pSid;

  /* Merge the new entry with the existing DACL rather than replacing it. */
  if(SetEntriesInAcl(1,&ea,pOldDACL,&pNewDACL) != ERROR_SUCCESS)
    goto cleanup;

  if(SetSecurityInfo(hDir,SE_FILE_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDACL,NULL) != ERROR_SUCCESS)
    goto cleanup;

  ok = TRUE;

cleanup:
  if(pSid)     FreeSid(pSid);
  if(pNewDACL) LocalFree(pNewDACL);
  if(pSD)      LocalFree(pSD);
  CloseHandle(hDir);
  return ok;
}
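As an added check, not part of Chris's post, here is a PowerShell script an installer test or a help-desk audit could run against a folder set up the way the C function above does it: it confirms BUILTIN\Users (S-1-5-32-545) holds an inheritable full-control Allow entry on the folder, and lists any file inside that did not inherit it (the symptom David describes). The default folder path is an assumed placeholder.

```powershell
# Added example (not from the original post). Audits a folder set up the way
# the C function above does it: BUILTIN\Users must hold an inheritable full-control
# Allow ACE on the folder, and every file inside must have inherited it.
param(
    [string]$Folder = (Join-Path $env:ALLUSERSPROFILE 'ExampleApp')  # assumed placeholder
)

$UsersSid   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$Full       = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$GenericAll = 0x10000000   # GENERIC_ALL; may be stored unmapped on the folder itself
$Both       = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
              [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

function Get-UsersFullControlRules {
    param([string]$Path)
    # Resolve trustees as SIDs so the check does not depend on the localized
    # group name (the pitfall mentioned in the post).
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $bits = [int]$_.FileSystemRights
            $_.IdentityReference -eq $UsersSid -and $_.AccessControlType -eq 'Allow' -and
            ((($bits -band $Full) -eq $Full) -or (($bits -band $GenericAll) -ne 0))
        }
}

function Test-FolderGrantsUsersInheritable {
    param([string]$Path)
    # At least one full-control ACE that propagates to sub-folders and files.
    [bool](Get-UsersFullControlRules -Path $Path |
           Where-Object { ($_.InheritanceFlags -band $Both) -eq $Both })
}

function Test-FileInheritedUsersFullControl {
    param([string]$Path)
    [bool](Get-UsersFullControlRules -Path $Path | Where-Object { $_.IsInherited })
}

if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
    Write-Error "Folder not found: $Folder"; exit 2
}
if (-not (Test-FolderGrantsUsersInheritable -Path $Folder)) {
    Write-Warning "$Folder has no inheritable full-control ACE for BUILTIN\Users"
}
# Files moved (not copied) into the folder, or copied before the ACE was
# added, keep their original DACL and show up here as still admin-only.
$bad = @(Get-ChildItem -LiteralPath $Folder -File -Recurse |
         Where-Object { -not (Test-FileInheritedUsersFullControl -Path $_.FullName) })
foreach ($f in $bad) { Write-Warning "No inherited BUILTIN\Users entry: $($f.FullName)" }
"$($bad.Count) file(s) not writable by Users through inheritance"
```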


-----Original Message-----
From: windev-bounces at windev.org [mailto:windev-bounces at windev.org] On Behalf Of David Little
Sent: Thursday, February 12, 2009 11:56 PM
To: windev at windev.org
Subject: [windev] UAC and file ownership problem...

In my app, I have a bunch of (maybe 60) data files which I create - by copying - during the install.  They are copied to a folder we create under the %ALLUSERSPROFILE% folder.  The problem is, if the user has UAC (this is a Vista question for those who wonder what UAC is) turned on, the files get created just fine, but they are 'owned' by the admin (admin is required for installation) and they're read-only for everybody else.



Anybody know how to lower the rights required?  In prior versions, we just put them in a "system" folder under program files, but that's not an option at all now.



Any ideas?



Thanks!



- David Little
- COADE, Inc.
- Houston, Texas
