Solved

Delphi Programming question

Posted on 1997-09-08
6
1,664 Views
Last Modified: 2008-03-03
Has anybody got some sample code to use the security API with Windows NT, such as GetFileSecurity etc. ?
0
Comment
Question by:gideon
  • 4
  • 2
6 Comments
 
LVL 3

Expert Comment

by:mirek071497
ID: 1344400
Hi
Do you still waiting for help ?
0
 

Author Comment

by:gideon
ID: 1344401
Yes, I am still waiting. Nobody seems to know much about using  the security stuff. Can you help ?
0
 
LVL 3

Expert Comment

by:mirek071497
ID: 1344402
Hi this is article from SDK, example is good documented but in C source. If you need i can translate this to Delphi. (for translate please increase point if you have any)

PSS ID Number: Q102102
Authored 28-Jul-1993                  Last modified 05-Jan-1995

The information in this article applies to:

 - Microsoft Win32 Software Development Kit (SDK) for Windows NT

SUMMARY

This article explains the process of adding an access-allowed (or
access-denied) access control entry (ACE) to a file.

Adding an access-allowed ACE to a file's access control list (ACL) provides
a means of granting or denying (using an access-denied ACE) access to the
file to a particular user or group. In most cases, the file's ACL will not
have enough free space to add an additional ACE, and therefore it is
usually necessary to create a new ACL and copy the file's existing ACEs
over to it. Once the ACEs are copied over and the access-allowed ACE is
also added, the new ACL can be applied to the file's security descriptor
(SD). This process is explained in detail in the section below. Sample code
is provided at the end of this article.

MORE INFORMATION

At the end of this article is sample code that defines a function named
AddAccessRights(), which adds an access-allowed ACE to the specified file
allowing the specified access. Steps 1-17 in the comments of the sample
code are discussed in detail below:

 1. GetUserName() is called to retrieve the name of the currently
    logged in user. The user name is stored in plszUserName[] array.

 2. LookupAccountName() is called to obtain the SID of the user
    returned by GetUserName() in step 1. The resulting SID is stored
    in the UserSID variable and will be used later in the
    AddAccessAllowedACE() application programming interface (API)
    call. The LookupAccountName() API is also providing the user's
    domain in the plszDomain[] array. Please note that
    LookupAccountName() returns the SID of the first user or group
    that matches the name in plszUserName.

 3. GetFileSecurity() is used here to obtain a copy of the file's
    security descriptor (SD). The file's SD is placed into the ucSDbuf
    variable, which is declared a size of
    65536+SECURITY_DESCRIPTOR_MIN_LENGTH for simplicity. This value
    represents the maximum size of an SD, which ensures the SD will be
    of sufficient size.

 4. Here we initialize the new security descriptor (NewSD variable) by
    calling the InitializeSecurityDescriptor() API. Because the
    SetFileSecurity() API requires that the security item being set is
    contained in a SD, we create and initialize NewSD.

 5. Here GetSecurityDescriptorDacl() retrieves a pointer to the
    discretionary access control list (DACL) in the SD. The pointer is
    stored in the pACL variable.

 6. GetAclInformation() is called here to obtain size information on
    the file's DACL in the form of a ACL_SIZE_INFORMATION structure.
    This information is used when computing the size of the new DACL
    and when copying ACEs.

 7. This statement computes the exact number of bytes to allocate for
    the new DACL. The AclBytesInUse member represents the number of
    bytes being used in the file's DACL. We add this number to the
    size of an ACCESS_ALLOWED_ACE and the size of the user's SID.
    Subtracting the size of a DWORD is an adjustment required to
    obtain the exact number of bytes necessary.

 8. Here we allocate memory for the new ACL that will ultimately
    contain the file's existing ACEs plus the access-allowed ACE.

 9. In addition to allocating the memory, it is important to
    initialize the ACL structure as we do here.

10. Here we check the bDaclPresent flag returned by
    GetSecurityDescriptorDacl() to see if a DACL was present in the
    file's SD. If a DACL was not present, then we skip the code that
    copies the file's ACEs to the new DACL.

11. After verifying that there is at least one ACE in the file's DACL
    (by checking the AceCount member), we begin the loop to copy the
    individual ACEs to the new DACL.

12. Here we get a pointer to an ACE in the file's DACL by using the
    GetAce() API.

13. Now we add the ACE to the new DACL. It is important to note that
    we pass MAXDWORD for the dwStartingAceIndex parameter of AddAce()
    to ensure the ACE is added to the end of the DACL. The statement
    ((PACE_HEADER)pTempAce)->AceSize provides the size of the ACE.

14. Now that we have copied all the file's original ACEs over to our
    new DACL, we add the access-allowed ACE. The dwAccessMask variable
    will contain the access mask being granted. GENERIC_READ is an
    example of an access mask.

15. Because the SetFileSecurity() API can set a variety of security
    information, it takes a pointer to a security descriptor. For this
    reason, it is necessary to attach our new DACL to a temporary SD.
    This is done by using the SetSecurityDescriptorDacl() API.

16. Now that we have a SD containing the new DACL for the file, we set
    the DACL to the file's SD by calling SetFileSecurity(). The
    DACL_SECURITY_INFORMATION parameter indicates that we want the
    DACL in the provided SD applied to the file's SD. Please note that
    only the file's DACL is set, the other security information in the
    file's SD remains unchanged.

17. Here we free the memory that was allocated for the new DACL.

The below sample demonstrates the basic steps required to add an access-
allowed ACE to a file's DACL. Please note that this same process can be
used to add an access-denied ACE to a file's DACL. Because the access-
denied ACE should appear before access-allowed ACEs, it is suggested that
the call to AddAccessDeniedAce() precede the code that copies the existing
ACEs to the new DACL.

Sample Code
-----------

#define SD_SIZE (65536 + SECURITY_DESCRIPTOR_MIN_LENGTH)

BOOL AddAccessRights(CHAR *pFileName, DWORD dwAcessMask)
{
   // SID variables

   UCHAR          psnuType[2048];
   UCHAR          lpszDomain[2048];
   DWORD          dwDomainLength = 250;
   UCHAR          UserSID[1024];
   DWORD          dwSIDBufSize=1024;

   // User name variables

   UCHAR          lpszUserName[250];
   DWORD          dwUserNameLength = 250;

   // File SD variables

   UCHAR          ucSDbuf[SD_SIZE];
   PSECURITY_DESCRIPTOR pFileSD=(PSECURITY_DESCRIPTOR)ucSDbuf;
   DWORD          dwSDLengthNeeded;

   // ACL variables

   PACL           pACL;
   BOOL           bDaclPresent;
   BOOL           bDaclDefaulted;
   ACL_SIZE_INFORMATION AclInfo;

   // New ACL variables

   PACL           pNewACL;
   DWORD          dwNewACLSize;

   // New SD variables

   UCHAR                NewSD[SECURITY_DESCRIPTOR_MIN_LENGTH];
   PSECURITY_DESCRIPTOR psdNewSD=(PSECURITY_DESCRIPTOR)NewSD;

   // Temporary ACE

   PVOID          pTempAce;
   UINT           CurrentAceIndex;

   // STEP 1: Get the logged on user name

   if(!GetUserName(lpszUserName,&dwUserNameLength))
   {
      printf("Error %d:GetUserName\n",GetLastError());
      return(FALSE);
   }

   // STEP 2: Get SID for current user

   if (!LookupAccountName((LPSTR) NULL,
       lpszUserName,
       UserSID,
       &dwSIDBufSize,
       lpszDomain,
       &dwDomainLength,
       (PSID_NAME_USE)psnuType))
   {
      printf("Error %d:LookupAccountName\n",GetLastError());
      return(FALSE);
   }

   // STEP 3: Get security descriptor (SD) for file

   if(!GetFileSecurity(pFileName,
                 (SECURITY_INFORMATION)(DACL_SECURITY_INFORMATION),
                 pFileSD,
                 SD_SIZE,
                 (LPDWORD)&dwSDLengthNeeded))
   {
      printf("Error %d:GetFileSecurity\n",GetLastError());
      return(FALSE);
   }

   // STEP 4: Initialize new SD

   if(!InitializeSecurityDescriptor(psdNewSD,SECURITY_DESCRIPTOR_REVISION))
   {
      printf("Error %d:InitializeSecurityDescriptor\n",GetLastError());
      return(FALSE);
   }

   // STEP 5: Get DACL from SD

   if (!GetSecurityDescriptorDacl(pFileSD,
                    &bDaclPresent,
                    &pACL,
                    &bDaclDefaulted))
   {
      printf("Error %d:GetSecurityDescriptorDacl\n",GetLastError());
      return(FALSE);
   }

   // STEP 6: Get file ACL size information

   if(!GetAclInformation(pACL,&AclInfo,sizeof(ACL_SIZE_INFORMATION),
      AclSizeInformation))
   {
      printf("Error %d:GetAclInformation\n",GetLastError());
      return(FALSE);
   }

   // STEP 7: Compute size needed for the new ACL

   dwNewACLSize = AclInfo.AclBytesInUse +
                  sizeof(ACCESS_ALLOWED_ACE) +
                  GetLengthSid(UserSID) - sizeof(DWORD);

   // STEP 8: Allocate memory for new ACL

   pNewACL = (PACL)LocalAlloc(LPTR, dwNewACLSize);

   // STEP 9: Initialize the new ACL

   if(!InitializeAcl(pNewACL, dwNewACLSize, ACL_REVISION2))
   {
      printf("Error %d:InitializeAcl\n",GetLastError());
      LocalFree((HLOCAL) pNewACL);
      return(FALSE);
   }

   // STEP 10: If DACL is present, copy it to a new DACL

   if(bDaclPresent)  // only copy if DACL was present
   {
      // STEP 11: Copy the file's ACEs to our new ACL

      if(AclInfo.AceCount)
      {
         for(CurrentAceIndex = 0; CurrentAceIndex < AclInfo.AceCount;
            CurrentAceIndex++)
         {
            // STEP 12: Get an ACE

            if(!GetAce(pACL,CurrentAceIndex,&pTempAce))
            {
              printf("Error %d: GetAce\n",GetLastError());
              LocalFree((HLOCAL) pNewACL);
              return(FALSE);
            }

             // STEP 13: Add the ACE to the new ACL

            if(!AddAce(pNewACL, ACL_REVISION, MAXDWORD, pTempAce,
               ((PACE_HEADER)pTempAce)->AceSize))
            {
               printf("Error %d:AddAce\n",GetLastError());
               LocalFree((HLOCAL) pNewACL);
               return(FALSE);
            }
          }
      }
   }

   // STEP 14: Add the access-allowed ACE to the new DACL

   if(!AddAccessAllowedAce(pNewACL,ACL_REVISION2,dwAcessMask, &UserSID))
   {
      printf("Error %d:AddAccessAllowedAce",GetLastError());
      LocalFree((HLOCAL) pNewACL);
      return(FALSE);
   }

   // STEP 15: Set our new DACL to the file SD

   if (!SetSecurityDescriptorDacl(psdNewSD,
                     TRUE,
                     pNewACL,
                     FALSE))
   {
      printf("Error %d:SetSecurityDescriptorDacl",GetLastError());
      LocalFree((HLOCAL) pNewACL);
      return(FALSE);
   }

   // STEP 16: Set the SD to the File

   if (!SetFileSecurity(pFileName, DACL_SECURITY_INFORMATION,psdNewSD))
   {
      printf("Error %d:SetFileSecurity\n",GetLastError());
      LocalFree((HLOCAL) pNewACL);
      return(FALSE);
   }

   // STEP 17: Free the memory allocated for the new ACL

   LocalFree((HLOCAL) pNewACL);
   return(TRUE);
}

NOTE: Security descriptors have two possible formats: self-relative and
absolute. GetFileSecurity() returns an SD in self-relative format, but
SetFileSecurity() expects and absolute SD. This is one reason that the code
must create a new SD and copy the information, instead of simply modifying
the SD from GetFileSecurity() and passing it to SetFileSecurity(). It is
possible to call MakeAbsoluteSD() to do the conversion, but there may not
be enough room in the current ACL anyway, as mentioned above.

Additional reference words: 3.10 3.50
KBCategory: kbprg
KBSubcategory: BseSecurity

0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 

Author Comment

by:gideon
ID: 1344403
Thanks, this works. BTW, I have been working on NT security stuff for the past week or so, and have created 18 VCL components that deal with security, networking, event logging etc. As soon as they are "ready" I will post it to DSP. This might be usefull for other people as well. Thanks !
0
 
LVL 3

Expert Comment

by:mirek071497
ID: 1344404
So i can submit answer or not ?
0
 
LVL 3

Accepted Solution

by:
mirek071497 earned 10 total points
ID: 1344405
I think so 17pt is good in exchange of my suggestions.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

This article explains how to create forms/units independent of other forms/units object names in a delphi project. Have you ever created a form for user input in a Delphi project and then had the need to have that same form in a other Delphi proj…
In my programming career I have only very rarely run into situations where operator overloading would be of any use in my work.  Normally those situations involved math with either overly large numbers (hundreds of thousands of digits or accuracy re…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now