Denying Access Using Low-Level Functions
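This example uses the low-level functions to attach an empty DACL to a file object. An empty DACL is present but contains no ACEs, so it grants no access to anyone; this is different from a NULL DACL, which grants full access to everyone. For similar examples that use the high-level security functions, see Denying Access.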
The example allocates a buffer for the security descriptor and calls the InitializeSecurityDescriptor function to initialize the buffer. Then it allocates a buffer for the ACL and calls the InitializeAcl function to initialize that buffer. Next, it calls the SetSecurityDescriptorDacl function to attach the ACL to the security descriptor, and then calls the SetFileSecurity function to attach the security descriptor to a file.
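/*
 * Deny all access to lpszTestFile by replacing its DACL with an empty one.
 *
 * An empty DACL (present, zero ACEs) grants no access to anyone. It must not
 * be confused with a NULL DACL: passing TRUE for the DACL-present flag with a
 * NULL ACL pointer gives everyone full access, the opposite of what this
 * example intends.
 *
 * NOTE: the object's owner can still read and rewrite the DACL, so an empty
 * DACL does not lock the owner out permanently.
 *
 * Both pointers start as NULL so that the Cleanup code never tests or frees
 * an indeterminate pointer when an early step fails.
 */
PSECURITY_DESCRIPTOR pSD = NULL;
PACL pACL = NULL;
DWORD cbACL = 1024; /* more than an empty ACL needs; sizeof(ACL) would suffice */

/* Initialize a security descriptor (LPTR returns zero-initialized memory). */
pSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR,
        SECURITY_DESCRIPTOR_MIN_LENGTH); /* defined in WINNT.H */
if (pSD == NULL) {
    ErrorHandler("LocalAlloc");
    goto Cleanup;
}

if (!InitializeSecurityDescriptor(pSD,
        SECURITY_DESCRIPTOR_REVISION)) { /* defined in WINNT.H */
    ErrorHandler("InitializeSecurityDescriptor");
    goto Cleanup;
}

/* Initialize a DACL. No ACEs are ever added, so it stays empty. */
pACL = (PACL) LocalAlloc(LPTR, cbACL);
if (pACL == NULL) {
    ErrorHandler("LocalAlloc");
    goto Cleanup;
}

if (!InitializeAcl(pACL, cbACL, ACL_REVISION2)) {
    ErrorHandler("InitializeAcl");
    goto Cleanup;
}

/*
 * Add the empty ACL to the SD to deny access. pACL must be non-NULL here:
 * a NULL pointer with the present flag set would create a NULL DACL and
 * allow all access. The SD refers to the ACL buffer rather than copying it,
 * so pACL has to stay allocated until SetFileSecurity has been called.
 */
if (!SetSecurityDescriptorDacl(pSD,
        TRUE,     /* fDaclPresent flag */
        pACL,
        FALSE)) { /* not a default DACL */
    ErrorHandler("SetSecurityDescriptorDacl");
    goto Cleanup;
}

/* Use the new SD as the file's security info; only the DACL is replaced. */
if (!SetFileSecurity(lpszTestFile,
        DACL_SECURITY_INFORMATION,
        pSD)) {
    ErrorHandler("SetFileSecurity");
    goto Cleanup;
}

Cleanup:
/* Release whichever buffers were actually allocated. */
if (pSD != NULL) {
    LocalFree((HLOCAL) pSD);
}
if (pACL != NULL) {
    LocalFree((HLOCAL) pACL);
}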