I recently redesigned the security on a file server of ours, marking most of what was Full Control to be Modify. Now my developers are telling me that whenever they use GENERIC_ALL to open a file (with CreateFile() for instance), they receive an access denied message.
After research, nothing seemed to indicate that GENERIC_ALL was any more than GENERIC_EXECUTE + GENERIC_WRITE + GENERIC_READ; however, this seems not to be the case, since a developer was able to add the three constant values, and use this to CreateFile().
So, I ask... what does GENERIC_ALL really do?
Thanks,
Matt
The GENERIC_ALL access rights include every possible access right, including such things as WRITE_DAC (to change permissions) and WRITE_OWNER (to change owner). The File Security and Access Rights page shows how the GENERIC_* access rights map to specific access rights for files. The File Access Rights Constants page shows all the possible access rights for files (which presumably would all be requested when GENERIC_ALL is used).
You should encourage your developers to request only the level of access that they actually need. Rarely, for example, is a file opened for both GENERIC_EXECUTE and GENERIC_WRITE at the same time.
GENERIC_ALL means "every possible level of access" (for files, this has the name FILE_ALL_ACCESS). Since you removed Full Control, attempts to open for GENERIC_ALL will fail with Access Denied because (for example) WRITE_DAC is no longer granted.