Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to create directory with all rights granted to everyone

I need to programmatically create a directory that grants "Full Control" to the group "Everyone". If I use

CreateDirectory(path, NULL);

This will, according to the Win32 SDK documentation, create a directory that inherits from its parent directory. I do not want to inherit the access rights of the parent directory I need to ensure that "Everyone" has full control over the directory.

Obviously, this will require setting up the SECURITY_ATTRIBUTES structure with the appropriate security descriptor. How do I do that?

like image 219
Jeff Stong Avatar asked Mar 27 '09 17:03

Jeff Stong


People also ask

How do you set a directory with full permissions in Linux?

The mkdir command by default gives rwx permissions for the current user only. To add read, write, and execute permission for all users, add the -m option with the user 777 when creating a directory. The directory with rwx permissions for all users is highlighted.

How do you create a directory?

Creating a new directory (or folder) is done using the "mkdir" command (which stands for make directory.) I'll create a new directory named "OtherStuff". When I type "ls", we'll see the new folder in our list. That's really all there is to it!


2 Answers

I prefer the following code snippet as it creates a folder inheriting default rights - which seems the right thing to do - other software / the user might have setup specific inheritable rights on a directory for a legitimate reason - then adds a Full Control explicit access entry for the built in "Users" group.

BOOL CreateDirectoryWithUserFullControlACL(LPCTSTR lpPath)
{
  if(!CreateDirectory(lpPath,NULL))
    return FALSE;

  HANDLE hDir = CreateFile(lpPath,READ_CONTROL|WRITE_DAC,0,NULL,OPEN_EXISTING,FILE_FLAG_BACKUP_SEMANTICS,NULL);
  if(hDir == INVALID_HANDLE_VALUE)
    return FALSE; 

  ACL* pOldDACL;
  SECURITY_DESCRIPTOR* pSD = NULL;
  GetSecurityInfo(hDir, SE_FILE_OBJECT , DACL_SECURITY_INFORMATION,NULL, NULL, &pOldDACL, NULL, (void**)&pSD);

  PSID pSid = NULL;
  SID_IDENTIFIER_AUTHORITY authNt = SECURITY_NT_AUTHORITY;
  AllocateAndInitializeSid(&authNt,2,SECURITY_BUILTIN_DOMAIN_RID,DOMAIN_ALIAS_RID_USERS,0,0,0,0,0,0,&pSid);

  EXPLICIT_ACCESS ea={0};
  ea.grfAccessMode = GRANT_ACCESS;
  ea.grfAccessPermissions = GENERIC_ALL;
  ea.grfInheritance = CONTAINER_INHERIT_ACE|OBJECT_INHERIT_ACE;
  ea.Trustee.TrusteeType = TRUSTEE_IS_GROUP;
  ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
  ea.Trustee.ptstrName = (LPTSTR)pSid;

  ACL* pNewDACL = 0;
  DWORD err = SetEntriesInAcl(1,&ea,pOldDACL,&pNewDACL);

  if(pNewDACL)
    SetSecurityInfo(hDir,SE_FILE_OBJECT,DACL_SECURITY_INFORMATION,NULL, NULL, pNewDACL, NULL);

  FreeSid(pSid);
  LocalFree(pNewDACL);
  LocalFree(pSD);
  LocalFree(pOldDACL);
  CloseHandle(hDir);

  return TRUE;
}
like image 197
Chris Becke Avatar answered Oct 12 '22 13:10

Chris Becke


Here's one technique that seems to work:

SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;
PSID everyone_sid = NULL;
AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID, 
   0, 0, 0, 0, 0, 0, 0, &everyone_sid);

EXPLICIT_ACCESS ea;
ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = SPECIFIC_RIGHTS_ALL | STANDARD_RIGHTS_ALL;
ea.grfAccessMode = SET_ACCESS;
ea.grfInheritance = NO_INHERITANCE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
ea.Trustee.ptstrName  = (LPWSTR)everyone_sid;

PACL acl = NULL;
SetEntriesInAcl(1, &ea, NULL, &acl);

PSECURITY_DESCRIPTOR sd = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR, 
                                   SECURITY_DESCRIPTOR_MIN_LENGTH);
InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
SetSecurityDescriptorDacl(sd, TRUE, acl, FALSE);

SECURITY_ATTRIBUTES sa;
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.lpSecurityDescriptor = sd;
sa.bInheritHandle = FALSE;

CreateDirectory(path, &sa);

FreeSid(everyone_sid);
LocalFree(sd);
LocalFree(acl);

Note that this sample code has absolutely no error checking -- you'll have to supply that yourself.

like image 42
Jeff Stong Avatar answered Oct 12 '22 12:10

Jeff Stong