获取ACL

问题描述

我使用此代码在Win32Security.DLL文件夹/文件上设置writepermissions SecurityDescriptor secDesc = SecurityDescriptor.GetFileSecurity(@strFile,SECURITY_INFORMATION.DACL_SECURITY_INFORMATION) Dacl dacl = secDesc.Dacl dacl.AddAce(新的AceAccessAllowed(新的Sid(用户),AccessType.GENERIC_EXECUTE | AccessType.GENERIC_READ | AccessType.GENERIC_WRITE | AccessType.DELETE,AceFlags.CONTAINER_INHERIT_ACE | AceFlags.OBJECT_INHERIT_ACE)) secDesc.SetDacl(dacl) secDesc.SetFileSecurity(@strFile,SECURITY_INFORMATION.DACL_SECURITY_INFORMATION) 但是如何为用户获取ACL?我需要知道用户是否具有文件/文件夹中上述代码中所述的权限。

I use this code to set write permissions on a folder/file with Win32Security.DLL:

```csharp
SecurityDescriptor secDesc = SecurityDescriptor.GetFileSecurity(@strFile, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION);
Dacl dacl = secDesc.Dacl;
dacl.AddAce(new AceAccessAllowed(new Sid(user),
    AccessType.GENERIC_EXECUTE | AccessType.GENERIC_READ | AccessType.GENERIC_WRITE | AccessType.DELETE,
    AceFlags.CONTAINER_INHERIT_ACE | AceFlags.OBJECT_INHERIT_ACE));
secDesc.SetDacl(dacl);
secDesc.SetFileSecurity(@strFile, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION);
```

But how do I get the ACL for a user? I need to know whether a user has the permissions stated in the code above on a file/folder.

推荐答案

你不应该使用 ;不受支持"像Win32Security.dll这样的东西,使用 System.DirectoryServices(XP及更高版本)或System.Management命名空间 代替。 接下来是一个完整示例说明如何使用System.Management类从文件 对象DACL转储ACE。 使用System; 使用System.Management; 使用System.Collections; //访问掩码(参见AccessMask属性) [Flags] enum面具:uint { FileReadData = 0x00000001, FileWriteData = 0x00000002, FileAppendData = 0x00000004, FileReadEA = 0x00000008, FileWriteEA = 0x00000010, FileExecute = 0x00000020, FileDeleteChild = 0x00000040, FileReadAttributes = 0x00000080, FileWriteAttributes = 0x00000100, 删除= 0x00010000, ReadControl = 0x00020000, WriteDac = 0x00040000, WriteOwner = 0x000 80000, 同步= 0x00100000, AccessSystemSecurity = 0x01000000, MaximumAllowed = 0x02000000, GenericAll = 0x10000000, GenericExecute = 0x20000000, GenericWrite = 0x40000000, GenericRead = 0x80000000 } [标志] 枚举AceFlags:int { ObjectInheritAce = 1, ContainerInheritAce = 2, NoPropagateInheritAce = 4, InheritOnlyAce = 8, InheritedAce = 16 } [标志] enum AceType:int { AccessAllowed = 0, AccessDenied = 1, 审核= 2 } 班级测试员{ public static void Main(){ string fileObject = @" c:\\pipo\\t.txt" ;; //观看双反斜杠 使用(ManagementObject lfs = new ManagementObject(@Win32_LogicalFileSecuritySettin g.Path =" +"''" + fileObject +"''")) { //获取此对象的安全描述符 //转储所有受托人(包括所有者) ManagementBaseObject outParams = lfs.InvokeMethod(" GetSecurityDescriptor",null,null); if(((uint)(outParams.Properties [" ReturnValue"]。Value))== 0)//如果 成功 { ManagementBaseObject secDescriptor = ((ManagementBaseObject)(outParams.Properties [" Descriptor"]。Value)); // DACL是一个数组Win32_ACE对象。 ManagementBaseObject [] dacl = ((ManagementBaseObject [])(secDescriptor.Properties [" Dacl"]。Value)); DumpACEs(dacl); } } } static void DumpACEs(ManagementBaseObject [] dacl) { foreach(dacl中的ManagementBaseObject mbo){ Console.WriteLine (" \\\ --------- \\\Mask:{0:X} - 标志:{1} - 输入:{2}", mbo [" ; AccessMask"],mbo [" AceFlags"],mbo [&'AceType"]); //允许/拒绝访问ACE if(Convert.ToInt32 (mbo [" AceType"])==(int)AceType.AccessDenied) Console.WriteLine(" DENIED ACE TYPE"); else 
Console.WriteLine(" ALLOWED ACE TYPE"); //转储受托人 ManagementBaseObject Trustee =((ManagementBaseObject)(mbo [" Trustee" ;])); Console.WriteLine(" Name:{0} - Domain:{1} - SID {2} \ n", 受托人。属性[" Name"]。值, Trustee.Properties [" Domain"]。值, Trustee.Properties [" SIDString"]。Value) ; //在可读的f中转储ACE掩码orm UInt32 mask =(UInt32)mbo [" AccessMask"]; Console.WriteLine(Enum.Format(typeof(Mask),mask," g" )); } } } Willy。 " Aleborg" <一个**** @ aleborg.se>在留言中写道 新闻:D5 ********************************** @ microsof t ...

You shouldn't use "unsupported" stuff like Win32Security.dll; use the System.DirectoryServices (XP and higher) or System.Management namespace instead. Next is a complete example illustrating how to dump the ACE's from a File object DACL using System.Management classes.

```csharp
using System;
using System.Management;
using System.Collections;

// Access mask (see AccessMask property)
[Flags]
enum Mask : uint
{
    FileReadData = 0x00000001,
    FileWriteData = 0x00000002,
    FileAppendData = 0x00000004,
    FileReadEA = 0x00000008,
    FileWriteEA = 0x00000010,
    FileExecute = 0x00000020,
    FileDeleteChild = 0x00000040,
    FileReadAttributes = 0x00000080,
    FileWriteAttributes = 0x00000100,
    Delete = 0x00010000,
    ReadControl = 0x00020000,
    WriteDac = 0x00040000,
    WriteOwner = 0x00080000,
    Synchronize = 0x00100000,
    AccessSystemSecurity = 0x01000000,
    MaximumAllowed = 0x02000000,
    GenericAll = 0x10000000,
    GenericExecute = 0x20000000,
    GenericWrite = 0x40000000,
    GenericRead = 0x80000000
}

[Flags]
enum AceFlags : int
{
    ObjectInheritAce = 1,
    ContainerInheritAce = 2,
    NoPropagateInheritAce = 4,
    InheritOnlyAce = 8,
    InheritedAce = 16
}

[Flags]
enum AceType : int
{
    AccessAllowed = 0,
    AccessDenied = 1,
    Audit = 2
}

class Tester
{
    public static void Main()
    {
        string fileObject = @"c:\\pipo\\t.txt"; // Watch the double Backslashes
        using (ManagementObject lfs = new ManagementObject(@"Win32_LogicalFileSecuritySetting.Path=" + "'" + fileObject + "'"))
        {
            // Get the security descriptor for this object
            // Dump all trustees (this includes owner)
            ManagementBaseObject outParams = lfs.InvokeMethod("GetSecurityDescriptor", null, null);
            if (((uint)(outParams.Properties["ReturnValue"].Value)) == 0) // if success
            {
                ManagementBaseObject secDescriptor = ((ManagementBaseObject)(outParams.Properties["Descriptor"].Value));
                //The DACL is an array of Win32_ACE objects.
                ManagementBaseObject[] dacl = ((ManagementBaseObject[])(secDescriptor.Properties["Dacl"].Value));
                DumpACEs(dacl);
            }
        }
    }

    static void DumpACEs(ManagementBaseObject[] dacl)
    {
        foreach (ManagementBaseObject mbo in dacl)
        {
            Console.WriteLine("\n---------\nMask: {0:X} - Flags: {1} - Type: {2}",
                mbo["AccessMask"], mbo["AceFlags"], mbo["AceType"]);
            // Access allowed/denied ACE
            if (Convert.ToInt32(mbo["AceType"]) == (int)AceType.AccessDenied)
                Console.WriteLine("DENIED ACE TYPE");
            else
                Console.WriteLine("ALLOWED ACE TYPE");
            // Dump trustees
            ManagementBaseObject Trustee = ((ManagementBaseObject)(mbo["Trustee"]));
            Console.WriteLine("Name: {0} - Domain: {1} - SID {2}\n",
                Trustee.Properties["Name"].Value,
                Trustee.Properties["Domain"].Value,
                Trustee.Properties["SIDString"].Value);
            // Dump ACE mask in readable form
            UInt32 mask = (UInt32)mbo["AccessMask"];
            Console.WriteLine(Enum.Format(typeof(Mask), mask, "g"));
        }
    }
}
```

Willy. "Aleborg" <an****@aleborg.se> wrote in message news:D5**********************************@microsof t...
我使用此代码使用 Win32Security.DLL在文件夹/文件上设置writepermissions: SecurityDescriptor secDesc = SecurityDescriptor.GetFileSecurity( @strFile, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION); Dacl dacl = secDesc.Dacl; dacl.AddAce(新的AceAccessAllowed(新的Sid(用户), AccessType.GENERIC_EXECUTE | AccessType。 GENERIC_READ | AccessType.GENERIC_WRITE | AccessType.DELETE, AceFlags.CONTAINER_INHERIT_ACE | AceFlags.OBJECT_INHERIT_ACE)); secDesc.SetDacl(dacl); secDesc.SetFileSecurity(@strFile, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION); 但是如何为用户获取ACL?我需要知道用户是否具有上述代码中文件/文件夹中所述的权限。 I use this code to set writepermissions on a folder/file withWin32Security.DLL: SecurityDescriptor secDesc = SecurityDescriptor.GetFileSecurity (@strFile, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION); Dacl dacl = secDesc.Dacl; dacl.AddAce (new AceAccessAllowed (new Sid (user), AccessType.GENERIC_EXECUTE | AccessType.GENERIC_READ | AccessType.GENERIC_WRITE | AccessType.DELETE, AceFlags.CONTAINER_INHERIT_ACE | AceFlags.OBJECT_INHERIT_ACE)); secDesc.SetDacl(dacl); secDesc.SetFileSecurity(@strFile, SECURITY_INFORMATION.DACL_SECURITY_INFORMATION); But how do I get the ACL for a user? I need to know if a user has the permissions as stated in the code above on a file/folder.

嗨! 谢谢,现在我有了这段代码: public int GetPermissions() { string fileObject = @strFile; //观看双反斜杠 使用(ManagementObject lfs = new ManagementObject(@Win32_LogicalFileSecuritySettin g.Path =" +"''" + fileObject +"''")) { //获取此对象的安全描述符 //转储所有受托人(包括所有者) ManagementBaseObject outParams = lfs.InvokeMethod(" GetSecurityDescriptor",null,null); if(((uint)(outParams.Properties [" ReturnValue"]。Value))== 0) //如果成功 { ManagementBaseObject secDescriptor = ((ManagementBaseObject)(outParams.Properties [" Descriptor"]。Value)); // DACL是一个数组Win32_ACE对象。 ManagementBaseObject [] dacl = ((ManagementBaseObject [])(secDescriptor.Properties [" Dacl"]。Value)); 返回DumpACEs(dacl); } 其他 retu rn -1; } } public int DumpACEs(ManagementBaseObject [] dacl) { string ace ="" ;; foreach(dacl中的ManagementBaseObject mbo) { ManagementBaseObject Trustee =( (ManagementBaseObject)(mbo [" Trustee"])); if(Trustee.Properties [" Name"]。Value.ToString()== user) { UInt32 mask =(UInt32)mbo [" AccessMask"]; ace = Enum.Format(typeof(Mask),mask," g") ; } } if(ace ==" FileReadData,FileWriteData,FileAppendData,FileReadEA,FileWriteEA,FileExecute,FileReadAttributes,FileWriteAttributes,删除,ReadControl,同步) 返回0; else 返回-1; } 它有效但我们使用它来获取文件列表的权限(如果特定用户对文件/文件夹具有正确的权限)但它非常慢,我们几乎得到25个文件页面暂停(aspx)。 我们要做的是列出已登录用户的文件,如果文件具有修改权限,则选中复选框。 /> 我们如何设置修改?对文件的权限?

Hi! Thanks, now I have this code:

```csharp
public int GetPermissions()
{
    string fileObject = @strFile; // Watch the double Backslashes
    // NOTE(review): strFile is concatenated into the WMI object path unescaped; a name
    // containing a single quote (or backslashes that are not doubled) breaks the path.
    // Escape it first if the file name can come from user input.
    using (ManagementObject lfs = new ManagementObject(@"Win32_LogicalFileSecuritySetting.Path=" + "'" + fileObject + "'"))
    {
        // Get the security descriptor for this object
        // Dump all trustees (this includes owner)
        ManagementBaseObject outParams = lfs.InvokeMethod("GetSecurityDescriptor", null, null);
        if (((uint)(outParams.Properties["ReturnValue"].Value)) == 0) // if success
        {
            ManagementBaseObject secDescriptor = ((ManagementBaseObject)(outParams.Properties["Descriptor"].Value));
            //The DACL is an array of Win32_ACE objects.
            ManagementBaseObject[] dacl = ((ManagementBaseObject[])(secDescriptor.Properties["Dacl"].Value));
            return DumpACEs(dacl);
        }
        else
            return -1;
    }
}

public int DumpACEs(ManagementBaseObject[] dacl)
{
    string ace = "";
    foreach (ManagementBaseObject mbo in dacl)
    {
        ManagementBaseObject Trustee = ((ManagementBaseObject)(mbo["Trustee"]));
        // NOTE(review): matches on the trustee's Name only. Domain and SIDString are ignored,
        // and ACEs granted to groups the user belongs to are never considered, so this is
        // not the user's effective access.
        if (Trustee.Properties["Name"].Value.ToString() == user)
        {
            // NOTE(review): AceType is not checked, so a deny ACE for this user is read as
            // if it granted the rights; a later matching ACE also overwrites an earlier one.
            UInt32 mask = (UInt32)mbo["AccessMask"];
            ace = Enum.Format(typeof(Mask), mask, "g");
        }
    }
    // NOTE(review): exact comparison of the formatted mask. Any other bit combination,
    // including a superset of these rights or GenericAll, returns -1. Testing the required
    // bits, (mask & required) == required, would be less brittle.
    if (ace == "FileReadData, FileWriteData, FileAppendData, FileReadEA, FileWriteEA, FileExecute, FileReadAttributes, FileWriteAttributes, Delete, ReadControl, Synchronize")
        return 0;
    else
        return -1;
}
```

It works, but we use it to get permissions for a list of files (whether a specific user has the correct permissions on the files/folders) and it's VERY slow: with 25 files we almost get a timeout on the page (aspx). What we're trying to do is list files for a user that has logged in and check a checkbox if the file has modify permissions. And how can we set "modify" permissions on a file?

嗨! 谢谢,现在我有了这个代码: public int GetPermissions() { string fileObject = @strFile; //观看双反斜杠 使用(ManagementObject lfs = new ManagementObject(@Win32_LogicalFileSecuritySettin g.Path =" +"''" + fileObject +"''")) { //获取此对象的安全描述符 //转储所有受托人(包括所有者) ManagementBaseObject outParams = lfs.InvokeMethod(" GetSecurityDescriptor",null,null); if(((uint)(outParams.Properties [" ReturnValue"]。Value))== 0) //如果成功 { ManagementBaseObject secDescriptor = ((ManagementBaseObject)(outParams.Properties [" Descriptor"]。Value)); // DACL是一个数组Win32_ACE对象。 ManagementBaseObject [] dacl = ((ManagementBaseObject [])(secDescriptor.Properties [" Dacl"]。Value)); 返回DumpACEs(dacl); } 其他 retu rn -1; } } public int DumpACEs(ManagementBaseObject [] dacl) { string ace ="" ;; foreach(dacl中的ManagementBaseObject mbo) { ManagementBaseObject Trustee =( (ManagementBaseObject)(mbo [" Trustee"])); if(Trustee.Properties [" Name"]。Value.ToString()== user) { UInt32 mask =(UInt32)mbo [" AccessMask"]; ace = Enum.Format(typeof(Mask),mask," g") ; } } if(ace ==" FileReadData,FileWriteData,FileAppendData,FileReadEA,FileWriteEA,FileExecute,FileReadAttributes,FileWriteAttributes,删除,ReadControl,同步) 返回0; else 返回-1; } 它有效但我们使用它来获取文件列表的权限(如果特定用户对文件/文件夹具有正确的权限)但它非常慢,我们几乎得到25个文件页面暂停(aspx)。 我们要做的是列出已登录用户的文件,如果文件具有修改权限,则选中复选框。 /> 我们如何设置修改?对文件的权限? Hi! Thanks, now I have this code: public int GetPermissions() { string fileObject = @strFile; // Watch the double Backslashes using(ManagementObject lfs = new ManagementObject(@"Win32_LogicalFileSecuritySettin g.Path=" + "''" + fileObject + "''")) { // Get the security descriptor for this object // Dump all trustees (this includes owner) ManagementBaseObject outParams = lfs.InvokeMethod("GetSecurityDescriptor", null, null); if (((uint)(outParams.Properties["ReturnValue"].Value)) == 0) // if success { ManagementBaseObject secDescriptor = ((ManagementBaseObject)(outParams.Properties["Descriptor"].Value)); //The DACL is an array of Win32_ACE objects. 
ManagementBaseObject[] dacl = ((ManagementBaseObject[])(secDescriptor.Properties["Dacl"].Value)); return DumpACEs(dacl); } else return -1; } } public int DumpACEs(ManagementBaseObject[] dacl) { string ace= ""; foreach(ManagementBaseObject mbo in dacl) { ManagementBaseObject Trustee = ((ManagementBaseObject)(mbo["Trustee"])); if(Trustee.Properties["Name"].Value.ToString()==user) { UInt32 mask = (UInt32)mbo["AccessMask"]; ace = Enum.Format(typeof(Mask), mask, "g"); } } if(ace=="FileReadData, FileWriteData, FileAppendData, FileReadEA, FileWriteEA, FileExecute, FileReadAttributes, FileWriteAttributes, Delete, ReadControl, Synchronize") return 0; else return -1; } It works but we use it to get permissions for a list of files(if a specific user has the correct permissions on the files/folders) but its VERY slow, with 25 files we almost get a time out on the page(aspx). What we''re trying to do is to list files for a user that has logged in and check a checkbox if the file has modify permissions. And how can we set "modify" permissions on a file?
