开发者

Failed to use AddAccessAllowedAce to append an ACE to an existing ACL

问答 作者:

I use following code to get an ACL from SD:

...
PACL pDacl = NULL;
BOOL bDaclPresent = TRUE;
BOOL bDaclDefaulted = FALSE;
if(!GetSecurityDescriptorDacl((PSECURITY_DESCRIPTOR)spSecurityDescriptor.get(),
                                &bDaclPresent,
                                &pDacl,
                                &bDaclDefaulted))
{
    ReportError(TEXT("Failed to call GetSecurityDescriptorDacl."));
    ...
}

Then I use AddAccessAllowedAce to append a new ACE:

if(!AddAccessAllowedAce(pDacl,
                        ACL_REVISION,
                        MQSEC_QUEUE_GENERIC_ALL,
                        pAnnySid))
{
    dwErrCode = GetLastError();
    ReportError(dwErrCode);
    ReportError(TEXT("Failed to call AddAccessAllowedAce.")开发者_如何转开发);
    ...
}

I got an error 1344 that "No more memory is available for security information updates."

Then I tried to increase the size of PACL buffer and changed the PACL header information. But I still got an error 1336 "The access control list (ACL) structure is invalid."

Could anyone give me a working sample code to do this?

MSDN privided an sample of AddAccessAllowedAce here: http://msdn.microsoft.com/en-us/library/ms707085%28v=vs.85%29.aspx But it's about to create a brand new ACL, not the same case.

I even think to 'GetAce' from old ACL then 'AddAce' to a new ACL, in the end I append my own new ACE. But looks like 'AddAce' need a parameter 'nAceListLength'; and I don't know how to get this value from ACE.

Any ideas?

GetSecurityDescriptorDacl() just gives you a pointer to the DACL that is already present in the SECURITY_DESCRIPTOR buffer. If you want to add something to it you need to allocate a larger buffer, copy the existing DACL, then add the new ACE. You need to do something like the following (pseudo-code off the top of my head; may have errors):

PACL pOldDacl = GetSecurityDescriptorDacl(pSecurityDescriptor);
DWORD cbOldSize = GetAclInformation(pOldDacl, ACL_SIZE_INFORMATION);
DWORD cbNewSize = cbOldSize + sizeof(ACE that you want to add);
PACL pNewDacl = alloc(cbNewSize);
InitializeAcl(pNewDacl, cbNewSize);
for each pAce in pOldDacl // GetAce(pOldDacl)
    AddAce(pNewDacl, pAce);
AddAce(pNewDacl, the ACE that you want to add); // or use specialized functions like AddAccessAllowedAce, etc
SetSecurityDescriptorDacl(pSecurityDescriptor, pNewDacl);

Microsoft KB has an article.

继续阅读:aclsecuritywindows

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9