NetShareAdd with Read Only Access

Hi,

I am writing a function to add a network share point that allows everyone to have Read access.  The function (simplified) is shown here:

    NET_API_STATUS net_status = 0;
    SHARE_INFO_2   share_info = {0};
    DWORD          dwErr = 0;

    share_info.shi2_type         = STYPE_DISKTREE;
    share_info.shi2_netname      = L"My Share Point";
    share_info.shi2_remark       = L"This is a remark";
    share_info.shi2_permissions  = ACCESS_READ;
    share_info.shi2_max_uses     = -1;
    share_info.shi2_current_uses = 0;
    share_info.shi2_path         = L"C:\\Temp\\MyDir";
    share_info.shi2_passwd       = 0;

    net_status = NetShareAdd(L"Computer", 2, (LPBYTE)&share_info, &dwErr);

The share point is added with the correct remark but it gives everyone full control.  net_status is 0 after the call.

I need to run this on Windows NT and 2000 only.

Thank you,
Joe
joeslowAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
jkrConnect With a Mentor Commented:
Hmmm - try

BuildExplicitAccessWithName(
          &explicitaccess,
          TrusteeName,
          GENERIC_READ | STANDARD_RIGHTS_READ,
          SET_ACCESS,
          InheritFlag
          );

If that's not enough,

BuildExplicitAccessWithName(
          &explicitaccess,
          TrusteeName,
          GENERIC_READ | STANDARD_RIGHTS_READ | SPECIFIC_RIGHTS_ALL,
          SET_ACCESS,
          InheritFlag
          );

might be worth a try...
0
 
jkrCommented:
It won't work. The key is

"shi2_permissions
Specifies a DWORD value that indicates the shared resource's permissions for servers running with share-level security. A server running user-level security ignores this member" (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/ntlmapi3_2kxe.asp)

NT/W2k machines use user-level security, so this value is ignored anyway - see also the docs for 'NetShareAdd()' at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/ntlmapi2_0bxg.asp stating:

"Windows NT/2000/XP: The following code sample demonstrates how to share a network resource using a call to the NetShareAdd function. The code sample fills in the members of the SHARE_INFO_2 structure and calls NetShareAdd, specifying information level 2. A password is not required because these platforms do not support share-level security."
0
 
jkrCommented:
BTW, as a workaraound - set the folder's access permissions to 'read-only' (or just the 'read-only' atttribute for the folder)
0
Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

 
joeslowAuthor Commented:
Hi.  Thanks for the input but I guess I'm still a little confused...

What is actually happening when I manually do this?:

Go to the folder, right-click it select Sharing.
Click the Share as radio button, type in a share name and comment.
Click the Permissions button and on the next screen I deselect the Change and Full Control check boxes.

Are you saying the only way to do it is manually?  Or are you saying I should right-click it and go to Properties and set the attributes to Read-only.  In that case, I couldn't even write to it could I?

Thank you,
Joe
0
 
jkrCommented:
>>Are you saying the only way to do it is manually?

No - everything that you can do 'manually' of course has a code counterpart :o)

However, the ACL API is pretty cumbersome. Essentially, you'd revoke the WRITE_DAC for 'Everyone', e.g.

    LPTSTR FileName = "C:\\Temp\\MyDir";;
    LPTSTR TrusteeName = "Everyone";

    DWORD AccessMask = WRITE_DAC;
    DWORD InheritFlag = NO_INHERITANCE;
    ACCESS_MODE option = REVOKE_ACCESS;
    EXPLICIT_ACCESS explicitaccess;

    PACL ExistingDacl;
    PACL NewAcl = NULL;
    PSECURITY_DESCRIPTOR psd = NULL;

    DWORD dwError;

    dwError = GetNamedSecurityInfo(
                        FileName,
                        SE_FILE_OBJECT,
                        DACL_SECURITY_INFORMATION,
                        NULL,
                        NULL,
                        &ExistingDacl,
                        NULL,
                        &psd
                        );

    BuildExplicitAccessWithName(
            &explicitaccess,
            TrusteeName,
            AccessMask,
            option,
            InheritFlag
            );

    //
    // add specified access to the object
    //

    dwError = SetEntriesInAcl(
            1,
            &explicitaccess,
            ExistingDacl,
            &NewAcl
            );

    //
    // apply new security to file
    //

    dwError = SetNamedSecurityInfo(
                    FileName,
                    SE_FILE_OBJECT, // object type
                    DACL_SECURITY_INFORMATION,
                    NULL,
                    NULL,
                    NewAcl,
                    NULL
                    );

(This is a stripped down version of the MS' AclAPI sample)
0
 
joeslowAuthor Commented:
When I ran this code on an NT station, it did something.  What it did I'm not quite sure.  If I right-click the folder, and select Sharing, then bring up the Permissions dialog, I see Everyone still has Full Control.  If instead, I pick the Security tab, (I get General, Sharing, and Security on NT), then select the Permissions button, I can see that Everyone has been removed.  In fact if I left click the folder, I get an accessed denied error.

Anyway, on Windows 2000 I only get the General and Sharing tabs.  The sharing tab's permission button still shows Everyone with Full Control.

Am I completely missing the boat here?  I've never messed with this kind of stuff.  Why is the default of a shared directory to allow Everyone Full Control?

Thank you,
Joe
0
 
joeslowAuthor Commented:
Hi,

In your sample code I just tried changing SE_FILE_OBJECT to SE_LMSHARE and changing the value of FileName to "\\\\Computer\\My Share Point".  I then ran it after I ran the original code I posted (using NetShareAdd).  I think it is a little closer to what I want.  No, after I run the code, the share is created but in there are no permissions for anyone.  Maybe I need to add them for Everyone to have read control?

Thank you,
Joe
0
 
joeslowAuthor Commented:
Almost there...

I can get the permissions to "Special" for Everyone if I change the code to:

BuildExplicitAccessWithName(
           &explicitaccess,
           TrusteeName,
           GENERIC_READ, //<------- changed
           SET_ACCESS,   //<------- changed
           InheritFlag
           );

I tried creating a new text doc and modifying and existing file from another machine and both were denied (which is what I want).  The only thing that concerns me is that it shows "Special" instead of "Read"...

Thank you,
Joe
0
 
jkrCommented:
Great. Sorry for not being bac earlier, but I had to leave my office at 11pm <s> - I'll take a look into that "Special" access tomorrow :o)
0
 
joeslowAuthor Commented:
Hi,

Using the second way on W2K, I get the following:
              Allow  Deny
Full Control
Change
Read            X

However, someone is still able to create new files, and change existing files from another computer...

I am experimenting with using a call to

BuildExplicitAccessWithName(
         &explicitaccess,
         TrusteeName,
         GENERIC_WRITE,
         DENY_ACCESS,
         InheritFlag
         );


right after the SET_ACCESS...

Thanks again,
Joe
0
 
joeslowAuthor Commented:
Hi,

Sorry for the delay.  I just realized the machine I am testing this on is FAT32 instead of NTFS.  That explains why I couldn't get it to work.  Anyway, you code sample does work on NTFS and I've figured out how to do it on a FAT machine.

Thank you for the help,
Joe
0
 
jkrCommented:
Great :o)

Thank you!
0
 
jkrCommented:
BTW: The first snipped should have worked also if I hadn't made the mistake of using WRITE_DAC intead of GENERIC_WRITE...
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.