Re: DataSnap server DCOM installation.

From: Colin Wilson (colin_at_wilsonc.demon.co.uk)
Date: 12/19/03


Date: 19 Dec 2003 02:54:17 -0700

Colin Wilson wrote:

> I've got some code that does this. I'll try and post it tomorrow -
> for some reason it's not on my website.

Ok - here's how it works...

1. The DefaultLaunchPermission (and LaunchPermission in AppID) hold a
security descriptor so you can load it like in snippet 1 below.

2. Once you've got the PSECURITY_DESCRIPTOR from the registry you get
the ACL with the standard GetSecurityDescriptorDacl API.

3. Once you've got the ACL you know how many ACEs there are with
ACL^.AceCount.

4. You can then get each ACE with the GetAce API. That gives you the
SID for the account, and the ACE type - allowed or denied.

5. To change the permissions you need to reverse the above steps.
First build an ACL with the ACEs you want, add them to a new
(initialized) security descriptor (with SetSecurityDescriptorDacl),
then save it to the registry (snippet 2!). Some of this is tricky -
especially building the ACL. But there's free code available on my
website that shows how to do it. Go for the "NT Low Level Utilities"
package, and have a look in unitNTSecurity.pas

--- Snippet 1 ------

function AllocSDFromRegistry (rootKey : HKEY; const regPath, accessKey
: string; var sd : PSECURITY_DESCRIPTOR; var sdLen : DWORD) : boolean;
var
  reg : TRegistry;
  size : Integer;
begin
  result := False;
  reg := TRegistry.Create;
  try
    reg.RootKey := rootKey;
    if reg.OpenKeyReadOnly (regPath) then
    begin
      // GetDataSize returns -1 when the value does not exist
      size := reg.GetDataSize (accessKey);
      if size > -1 then
      begin
        // The caller owns this buffer and must release it with FreeMem
        GetMem (sd, size);
        reg.ReadBinaryData (accessKey, sd^, size);
        sdLen := size;
        result := True
      end
      else
      begin
        // No stored value: build an empty descriptor with a NULL DACL.
        // A NULL DACL places no restriction on access. result stays False.
        GetMem (sd, SECURITY_DESCRIPTOR_MIN_LENGTH);
        InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION);
        SetSecurityDescriptorDacl(sd, True, Nil, False);
        sdLen := SECURITY_DESCRIPTOR_MIN_LENGTH
      end
    end
  finally
    reg.Free
  end
end;

--- Snippet 2 ------

procedure SaveSDToRegistry (rootKey : HKEY; const regPath, accessKey :
string; sd : PSecurityDescriptor; sdLen : DWORD);
var
  reg : TRegistry;
begin
  reg := TRegistry.Create;
  try
    reg.RootKey := rootKey;
    // Second argument True: the key is created if it does not exist
    if reg.OpenKey (regPath, True) then
      reg.WriteBinaryData (accessKey, sd^, sdLen);
  finally
    reg.Free
  end
end;

-- 
Colin - using XanaNews HTTP Transport
e-mail :colin@wilsonc.demon.co.uk
web: http://www.wilsonc.demon.co.uk/delphi.htm
Posted with XanaNews 1.15.8.4
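
The byte layout that steps 1 to 4 walk through, as an added example that is not part of the original post or its author's code: a Python parser for the self-relative security descriptor held in the registry value, returning each ACE's type, access mask and SID. The sample descriptor is constructed for illustration (it carries no owner or group), and all function names are this example's own.

```python
import struct

ACE_TYPES = {0: "allowed", 1: "denied"}  # ACCESS_ALLOWED / ACCESS_DENIED ACE types
SE_DACL_PRESENT = 0x0004

def sid_to_str(buf, off):
    """Render the binary SID starting at buf[off] as S-R-A-S1-S2..."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs])

def list_dacl(sd):
    """Return [(type, mask, sid), ...] for a self-relative security descriptor.
    Returns None for a missing or NULL DACL, which restricts nobody."""
    if len(sd) < 20:
        raise ValueError("truncated security descriptor")
    fields = struct.unpack_from("<BBHIIII", sd, 0)
    control, dacl_off = fields[2], fields[6]
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return None
    _rev, _sbz1, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, dacl_off)
    if dacl_off + acl_size > len(sd):
        raise ValueError("ACL runs past end of buffer")
    aces, off = [], dacl_off + 8
    for _ in range(ace_count):  # same walk as ACL^.AceCount plus GetAce
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_size < 8 or off + ace_size > dacl_off + acl_size:
            raise ValueError("bad ACE size")
        if ace_type in ACE_TYPES:  # both layouts: header, 32-bit mask, SID
            (mask,) = struct.unpack_from("<I", sd, off + 4)
            aces.append((ACE_TYPES[ace_type], mask, sid_to_str(sd, off + 8)))
        off += ace_size
    return aces

# --- constructed sample: deny Anonymous Logon, allow BUILTIN\Administrators ---
def make_sid(authority, *subs):
    head = struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
    return head + struct.pack("<%dI" % len(subs), *subs)

def make_ace(ace_type, mask, sid):
    return struct.pack("<BBHI", ace_type, 0, 8 + len(sid), mask) + sid

ACES = make_ace(1, 1, make_sid(5, 7)) + make_ace(0, 1, make_sid(5, 32, 544))
DACL = struct.pack("<BBHHH", 2, 0, 8 + len(ACES), 2, 0) + ACES
SAMPLE_SD = struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + DACL

if __name__ == "__main__":
    for ace in list_dacl(SAMPLE_SD):
        print(ace)
```

On Windows the input bytes can be read from the LaunchPermission value with winreg.QueryValueEx and passed straight to list_dacl.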

