Hi,
I have an NTFS volume with ~300,000 folders and files on it. Using C/C++, I need to change the effective permission from read-only to writable QUICKLY. I have written some code using SetNamedSecurityInfo() against the root directory, which worked; however, I was dismayed to find that using the ACE flags CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE caused the new ACE to be propagated immediately, instead of calculated when the subobjects were accessed. It took about 15 minutes for SetSecurityInfo() to return. Here is my test code:
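
    #include <windows.h>
    #include <aclapi.h>
    #include <stdio.h>
    #include <time.h>

    #define THE_PATH TEXT("g:\\")

    int main(int argc, char* argv[])
    {
        PSECURITY_DESCRIPTOR SecurityDescriptor = NULL;
        PACL pDacl = NULL;
        DWORD status;
        PSID psidOwner = NULL;
        PACL NewAcl = NULL;
        time_t seconds;
        DWORD InheritFlag = CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE;
        EXPLICIT_ACCESS explicitaccess;
        /* Writable buffers: these APIs take non-const string pointers. */
        TCHAR path[] = THE_PATH;
        TCHAR trustee[] = TEXT("Users");

        seconds = time(NULL);

        /* Read the current owner and DACL of the root directory. */
        status = GetNamedSecurityInfo(
            path,
            SE_FILE_OBJECT,
            DACL_SECURITY_INFORMATION | OWNER_SECURITY_INFORMATION,
            &psidOwner,
            NULL,
            &pDacl,
            NULL,
            &SecurityDescriptor
        );
        if (ERROR_SUCCESS != status) {
            printf("GetNamedSecurityInfo Error %lu\n", status);
            return 1;
        }

        /* One inheritable ACE giving the Users group full access. */
        BuildExplicitAccessWithName(
            &explicitaccess,
            trustee,
            FILE_ALL_ACCESS,
            // FILE_GENERIC_READ,
            SET_ACCESS,
            InheritFlag
        );

        /* The old ACL is NULL, so NewAcl contains only the ACE built above. */
        status = SetEntriesInAcl(
            1,
            &explicitaccess,
            NULL,
            &NewAcl
        );
        if (ERROR_SUCCESS != status) {
            printf("SetEntriesInAcl Error %lu\n", status);
            LocalFree(SecurityDescriptor);
            return 1;
        }

        /* Apply the new DACL to the root; this is the call being timed. */
        status = SetNamedSecurityInfo(
            path,
            SE_FILE_OBJECT,
            DACL_SECURITY_INFORMATION,
            NULL,
            NULL,
            NewAcl,
            NULL);

        seconds = time(NULL) - seconds;
        /* time_t is not an int; cast it to match the format specifier. */
        printf("It took %ld seconds.\n", (long)seconds);
        if (ERROR_SUCCESS != status) {
            printf("SetNamedSecurityInfo Error %lu\n", status);
        }

        /* Both buffers were allocated by the security APIs with LocalAlloc. */
        if (NewAcl) LocalFree(NewAcl);
        if (SecurityDescriptor) LocalFree(SecurityDescriptor);
        return 0;
    }
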
Some background on my situation: The volume in question is essentially a database extract, which is distributed on a hard drive to my customers. The customers are frequently in situations where a network connection is unavailable, so the hard drive provides them the data they need without requiring a network connection. Also provided is a util for synchronizing their copy with a master copy, which is used when a network connection is available. We have run into problems where a user accidentally drags one of the folders into another folder, which disturbs the structure expected by the update util. Hence the desire for this data to be read-only, except when the util is running. The owner of all the files/dirs is the group Users, so the customers will not have problems running a program that changes permissions on objects on this volume. What this boils down to is that we are not concerned with setting protections that can't be changed with the Explorer Security dialog, merely preventing accidental moves/deletes.
I have thoughts on how I might solve this:
- Are inherited ACEs always propagated immediately? If not, what code is required for this behavior?
- I have seen hints that XP supports mounting NTFS volumes read-only, but no code samples on how this is accomplished. Is this a flag that can easily be set without unmounting the volume? My volume is actually encrypted using PGPdisk, so if I can't set a flag on an already mounted volume, I doubt I could get this approach to work.
Other suggestions?
Thanks
by: Kavar
Posted on 2006-03-08 at 07:27:35
ID: 16134583
A MUCH SIMPLER approach would be to have the utility run under the only writable credentials. This would prevent the writes, but would allow for no changes to the NTFS drive.