
Resetting file security to inherit AFTER a MoveFile() operation

Windows/C++

Looking for some recommendations on how to reset the security attributes on a file after it's been moved to a new folder.

Our standard way of creating files (and download from the server) is to create the file in a temporary folder, then as the file streams down, the file is appended. Once the download is completed, we move the file to its final destination.

MoveFile() will transfer the security on the file when the file is moved. In certain configurations this causes a problem -- where the security defaults of the final folder don't match the original folder. We cannot mess with folder security....

So, ultimately, I would like to perform an operation on the file after I move it. My current thinking is that I should fetch the security attributes of the folder it goes into, and then apply to the file after the move is completed.

pweyzen asked Jul 08 '13 21:07


2 Answers

To expand on Harry's answer, here is the full code:

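#include <windows.h>
#include <aclapi.h>
// blank acl used to restore permissions after a file move
ACL g_null_acl = { 0 };

// Empties the file's DACL and re-enables inheritance from its current parent folder
DWORD ResetFileSecurity(LPTSTR file_path)
{
    if (!InitializeAcl(&g_null_acl, sizeof(g_null_acl), ACL_REVISION))
        return GetLastError();
    return SetNamedSecurityInfo(file_path, SE_FILE_OBJECT,
        DACL_SECURITY_INFORMATION | UNPROTECTED_DACL_SECURITY_INFORMATION,
        NULL, NULL, (PACL)&g_null_acl, NULL);
}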

Keep in mind that calling SetNamedSecurityInfo (in this instance) requires SE_RESTORE_NAME privileges, so it cannot be called from a service running as Network Service (or Local Service), as they have limited permissions.

josh poley answered Oct 21 '22 21:10


Use SetNamedSecurityInfo with the UNPROTECTED_DACL_SECURITY_INFORMATION flag. Just pass an empty ACL to remove the entries the file got from its previous parent. This would look something like this:

// empty_acl: a PACL pointing at an ACL set up with InitializeAcl() and holding no entries
DWORD error = SetNamedSecurityInfo(
            path_to_file,
            SE_FILE_OBJECT,
            DACL_SECURITY_INFORMATION | UNPROTECTED_DACL_SECURITY_INFORMATION,
            NULL,
            NULL,
            empty_acl,
            NULL);

Harry Johnston answered Oct 21 '22 22:10
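
A way to check that the reset described in both answers took effect, as an added example that is not part of either answer: it compares the moved file's DACL, given as an SDDL string, with the DACL of a reference file freshly created in the destination folder. The function names, the reference-file approach and the sample SDDL strings are assumptions made for illustration, and conditional ACEs with nested parentheses are not handled.

```cpp
// Added example (not from the answers); the SDDL strings in main() are constructed.
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>
struct Dacl {
    bool is_protected = false;      // "P" control flag: inheritance from the parent is blocked
    std::vector<std::string> aces;  // ACE bodies such as "A;ID;FA;;;SY"
};

// Extracts the DACL ("D:" section) from an SDDL string; owner, group and SACL are ignored.
Dacl ParseDacl(const std::string& sddl) {
    Dacl d;
    size_t pos = sddl.find("D:");
    if (pos == std::string::npos) return d;
    // Control flags (P, AR, AI) sit between "D:" and the first ACE or the SACL.
    for (pos += 2; pos < sddl.size() && sddl[pos] != '('; ++pos) {
        if (sddl.compare(pos, 2, "S:") == 0) return d;
        if (sddl[pos] == 'P') d.is_protected = true;
    }
    while (pos < sddl.size() && sddl[pos] == '(') {
        size_t close = sddl.find(')', pos);
        if (close == std::string::npos) break;
        d.aces.push_back(sddl.substr(pos + 1, close - pos - 1));
        pos = close + 1;
    }
    return d;
}

struct Drift {
    bool is_protected = false;
    std::vector<std::string> stale;    // on the moved file, absent from the reference
    std::vector<std::string> missing;  // on the reference, absent from the moved file
    bool clean() const { return !is_protected && stale.empty() && missing.empty(); }
};
Drift CompareToReference(const std::string& file_sddl, const std::string& ref_sddl) {
    const Dacl f = ParseDacl(file_sddl), r = ParseDacl(ref_sddl);
    Drift out;
    out.is_protected = f.is_protected;
    for (const auto& a : f.aces) if (!std::count(r.aces.begin(), r.aces.end(), a)) out.stale.push_back(a);
    for (const auto& a : r.aces) if (!std::count(f.aces.begin(), f.aces.end(), a)) out.missing.push_back(a);
    return out;
}

int main() {
    Drift d = CompareToReference("D:AI(A;ID;FA;;;SY)(A;ID;FA;;;S-1-5-21-1-2-3-1001)", "D:AI(A;ID;FA;;;SY)");
    std::cout << "clean=" << d.clean() << " stale=" << d.stale.size() << "\n";
}
```

The SDDL inputs can be produced with ConvertSecurityDescriptorToStringSecurityDescriptor or read from `(Get-Acl path).Sddl`; entries carried over from the old folder show up under `stale` even when they are flagged as inherited.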