GetEffectiveRightsFromAclA 函数 (aclapi.h)
[GetEffectiveRightsFromAcl 可用于“要求”部分中指定的操作系统。 在后续版本中可能会更改或不可用。 请改用以下示例中演示的方法。]
GetEffectiveRightsFromAcl 函数检索 ACL 结构向指定受托人授予的有效访问权限。 受托人的有效访问权限是 ACL 授予受托人或受托人所属的任何组的访问权限。
语法
DWORD GetEffectiveRightsFromAclA(
[in] PACL pacl,
[in] PTRUSTEE_A pTrustee,
[out] PACCESS_MASK pAccessRights
);
参数
[in] pacl
指向 ACL 结构的指针,从中获取受托人的有效访问权限。
[in] pTrustee
指向标识受托人的 受托人 结构的指针。 受托人可以是用户、组或程序(例如 Windows 服务)。 可以使用名称或安全标识符(SID)来标识受托人。
[out] pAccessRights
指向接收受托方有效访问权限的 ACCESS_MASK 变量的指针。
返回值
如果函数成功,该函数将返回ERROR_SUCCESS。
如果函数失败,它将返回 WinError.h 中定义的非零错误代码。
言论
受托人的组权限由本地计算机上的 GetEffectiveRightsFromAcl 枚举,即使受托人正在远程计算机上访问对象。 此函数不评估远程计算机上的组权限。
GetEffectiveRightsFromAcl 函数不考虑以下事项:
- 确定有效权限时,为对象的所有者隐式授予访问权限,例如READ_CONTROL和WRITE_DAC。
- 确定有效访问权限时受托人持有的特权。
- 与 登录会话关联的组权限(例如交互式、网络、经过身份验证的用户等)来确定有效的访问权限。
- 资源管理器 策略。 例如,对于文件对象,即使对对象拒绝,父属性也可以提供 Delete 和 Read 属性。
例子
以下示例演示如何使用 Authz API 从 ACL 获取有效访问权限。
// Copyright (C) Microsoft. All rights reserved.
#include <windows.h>
#include <stdio.h>
#include <aclapi.h>
#include <tchar.h>
#include <strsafe.h> // for proper buffer handling
#include <authz.h>
#pragma comment(lib, "advapi32.lib")
#pragma comment(lib, "authz.lib")
LPTSTR lpServerName = NULL;
PSID ConvertNameToBinarySid(LPTSTR pAccountName)
{
LPTSTR pDomainName = NULL;
DWORD dwDomainNameSize = 0;
PSID pSid = NULL;
DWORD dwSidSize = 0;
SID_NAME_USE sidType;
BOOL fSuccess = FALSE;
HRESULT hr = S_OK;
__try
{
LookupAccountName(
lpServerName, // look up on local system
pAccountName,
pSid, // buffer to receive name
&dwSidSize,
pDomainName,
&dwDomainNameSize,
&sidType);
// If the Name cannot be resolved, LookupAccountName will fail with
// ERROR_NONE_MAPPED.
if (GetLastError() == ERROR_NONE_MAPPED)
{
wprintf_s(_T("LookupAccountName failed with %d\n"), GetLastError());
__leave;
}
else if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
{
pSid = (LPTSTR)LocalAlloc(LPTR, dwSidSize * sizeof(TCHAR));
if (pSid == NULL)
{
wprintf_s(_T("LocalAlloc failed with %d\n"), GetLastError());
__leave;
}
pDomainName = (LPTSTR)LocalAlloc(LPTR, dwDomainNameSize * sizeof(TCHAR));
if (pDomainName == NULL)
{
wprintf_s(_T("LocalAlloc failed with %d\n"), GetLastError());
__leave;
}
if (!LookupAccountName(
lpServerName, // look up on local system
pAccountName,
pSid, // buffer to receive name
&dwSidSize,
pDomainName,
&dwDomainNameSize,
&sidType))
{
wprintf_s(_T("LookupAccountName failed with %d\n"), GetLastError());
__leave;
}
}
// Any other error code
else
{
wprintf_s(_T("LookupAccountName failed with %d\n"), GetLastError());
__leave;
}
fSuccess = TRUE;
}
__finally
{
if(pDomainName != NULL)
{
LocalFree(pDomainName);
pDomainName = NULL;
}
// Free pSid only if failed;
// otherwise, the caller has to free it after use.
if (fSuccess == FALSE)
{
if(pSid != NULL)
{
LocalFree(pSid);
pSid = NULL;
}
}
}
return pSid;
}
void DisplayError(char* pszAPI, DWORD dwError)
{
LPVOID lpvMessageBuffer;
if (!FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_FROM_SYSTEM,
GetModuleHandle(L"Kernel32.dll"), dwError,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // the user default language
(LPTSTR)&lpvMessageBuffer, 0, NULL))
{
wprintf_s(L"FormatMessage failed with %d\n", GetLastError());
ExitProcess(GetLastError());
}
// ...now display this string.
wprintf_s(L"ERROR: API = %s.\n", (char *)pszAPI);
wprintf_s(L" error code = %08X.\n", dwError);
wprintf_s(L" message = %s.\n", (char *)lpvMessageBuffer);
// Free the buffer allocated by the system.
LocalFree(lpvMessageBuffer);
ExitProcess(GetLastError());
}
void DisplayAccessMask(ACCESS_MASK Mask)
{
// This evaluation of the ACCESS_MASK is an example.
// Applications should evaluate the ACCESS_MASK as necessary.
wprintf_s(L"Effective Allowed Access Mask : %8X\n", Mask);
if (((Mask & GENERIC_ALL) == GENERIC_ALL)
|| ((Mask & FILE_ALL_ACCESS) == FILE_ALL_ACCESS))
{
wprintf_s(L"Full Control\n");
return;
}
if (((Mask & GENERIC_READ) == GENERIC_READ)
|| ((Mask & FILE_GENERIC_READ) == FILE_GENERIC_READ))
wprintf_s(L"Read\n");
if (((Mask & GENERIC_WRITE) == GENERIC_WRITE)
|| ((Mask & FILE_GENERIC_WRITE) == FILE_GENERIC_WRITE))
wprintf_s(L"Write\n");
if (((Mask & GENERIC_EXECUTE) == GENERIC_EXECUTE)
|| ((Mask & FILE_GENERIC_EXECUTE) == FILE_GENERIC_EXECUTE))
wprintf_s(L"Execute\n");
}
void GetAccess(AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClient, PSECURITY_DESCRIPTOR psd)
{
AUTHZ_ACCESS_REQUEST AccessRequest = {0};
AUTHZ_ACCESS_REPLY AccessReply = {0};
BYTE Buffer[1024];
BOOL bRes = FALSE; // assume error
// Do AccessCheck.
AccessRequest.DesiredAccess = MAXIMUM_ALLOWED;
AccessRequest.PrincipalSelfSid = NULL;
AccessRequest.ObjectTypeList = NULL;
AccessRequest.ObjectTypeListLength = 0;
AccessRequest.OptionalArguments = NULL;
RtlZeroMemory(Buffer, sizeof(Buffer));
AccessReply.ResultListLength = 1;
AccessReply.GrantedAccessMask = (PACCESS_MASK) (Buffer);
AccessReply.Error = (PDWORD) (Buffer + sizeof(ACCESS_MASK));
if (!AuthzAccessCheck( 0,
hAuthzClient,
&AccessRequest,
NULL,
psd,
NULL,
0,
&AccessReply,
NULL) ) {
wprintf_s(_T("AuthzAccessCheck failed with %d\n"), GetLastError());
}
else
DisplayAccessMask(*(PACCESS_MASK)(AccessReply.GrantedAccessMask));
return;
}
BOOL GetEffectiveRightsForUser(AUTHZ_RESOURCE_MANAGER_HANDLE hManager,
PSECURITY_DESCRIPTOR psd,
LPTSTR lpszUserName)
{
PSID pSid = NULL;
BOOL bResult = FALSE;
LUID unusedId = { 0 };
AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzClientContext = NULL;
pSid = ConvertNameToBinarySid(lpszUserName);
if (pSid != NULL)
{
bResult = AuthzInitializeContextFromSid(0,
pSid,
hManager,
NULL,
unusedId,
NULL,
&hAuthzClientContext);
if (bResult)
{
GetAccess(hAuthzClientContext, psd);
AuthzFreeContext(hAuthzClientContext);
}
else
wprintf_s(_T("AuthzInitializeContextFromSid failed with %d\n"), GetLastError());
}
if(pSid != NULL)
{
LocalFree(pSid);
pSid = NULL;
}
return bResult;
}
void UseAuthzSolution(PSECURITY_DESCRIPTOR psd, LPTSTR lpszUserName)
{
AUTHZ_RESOURCE_MANAGER_HANDLE hManager;
BOOL bResult = FALSE;
bResult = AuthzInitializeResourceManager(AUTHZ_RM_FLAG_NO_AUDIT,
NULL, NULL, NULL, NULL, &hManager);
if (bResult)
{
bResult = GetEffectiveRightsForUser(hManager, psd, lpszUserName);
AuthzFreeResourceManager(hManager);
}
else
wprintf_s(_T("AuthzInitializeResourceManager failed with %d\n"), GetLastError());
}
void wmain(int argc, wchar_t *argv[])
{
DWORD dw;
PACL pacl;
PSECURITY_DESCRIPTOR psd;
PSID psid = NULL;
if (argc != 3)
{
wprintf_s(L"Usage: FileOrFolderName UserOrGroupName\n");
wprintf_s(L"Usage: FileOrFolderName UserOrGroupName\n");
return;
}
dw = GetNamedSecurityInfo(argv[1], SE_FILE_OBJECT, DACL_SECURITY_INFORMATION |
OWNER_SECURITY_INFORMATION |
GROUP_SECURITY_INFORMATION, NULL, NULL, &pacl, NULL, &psd);
if (dw != ERROR_SUCCESS)
{ printf("couldn't do getnamedsecinfo \n");
DisplayError("GetNamedSecurityInfo", dw);
}
UseAuthzSolution(psd, argv[2]);
if(psid != NULL)
{
LocalFree(psid);
psid = NULL;
};
LocalFree(psd);
}
注意
aclapi.h 标头将 GetEffectiveRightsFromAcl 定义为一个别名,该别名根据 UNICODE 预处理器常量的定义自动选择此函数的 ANSI 或 Unicode 版本。 将中性编码别名与不中性编码的代码混合使用可能会导致编译或运行时错误不匹配。 有关详细信息,请参阅函数原型的
要求
| 要求 | 价值 |
|---|---|
| 最低支持的客户端 | Windows XP [仅限桌面应用] |
| 支持的最低服务器 | Windows Server 2003 [仅限桌面应用] |
| 目标平台 | 窗户 |
| 标头 | aclapi.h |
| 库 | Advapi32.lib |
| DLL | Advapi32.dll |