Solved

NetShareAdd with Read Only Access

Posted on 2002-07-23
Last Modified: 2013-12-03
Hi,

I am writing a function to add a network share point that allows everyone to have Read access.  The function (simplified) is shown here:

    NET_API_STATUS net_status = 0;
    SHARE_INFO_2   share_info = {0};
    DWORD          dwErr = 0;

    share_info.shi2_type         = STYPE_DISKTREE;
    share_info.shi2_netname      = L"My Share Point";
    share_info.shi2_remark       = L"This is a remark";
    share_info.shi2_permissions  = ACCESS_READ;
    share_info.shi2_max_uses     = -1;
    share_info.shi2_current_uses = 0;
    share_info.shi2_path         = L"C:\\Temp\\MyDir";
    share_info.shi2_passwd       = 0;

    net_status = NetShareAdd(L"Computer", 2, (LPBYTE)&share_info, &dwErr);

The share point is added with the correct remark but it gives everyone full control.  net_status is 0 after the call.

I need to run this on Windows NT and 2000 only.

Thank you,
Joe
0
Question by:joeslow
13 Comments
 
LVL 86

Expert Comment

by:jkr
ID: 7172332
It won't work. The key is

"shi2_permissions
Specifies a DWORD value that indicates the shared resource's permissions for servers running with share-level security. A server running user-level security ignores this member" (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/ntlmapi3_2kxe.asp)

NT/W2k machines use user-level security, so this value is ignored anyway - see also the docs for 'NetShareAdd()' at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/ntlmapi2_0bxg.asp stating:

"Windows NT/2000/XP: The following code sample demonstrates how to share a network resource using a call to the NetShareAdd function. The code sample fills in the members of the SHARE_INFO_2 structure and calls NetShareAdd, specifying information level 2. A password is not required because these platforms do not support share-level security."
0
 
LVL 86

Expert Comment

by:jkr
ID: 7172336
BTW, as a workaround - set the folder's access permissions to 'read-only' (or just the 'read-only' attribute for the folder)
0
 

Author Comment

by:joeslow
ID: 7172498
Hi.  Thanks for the input but I guess I'm still a little confused...

What is actually happening when I manually do this?:

Go to the folder, right-click it, select Sharing.
Click the Share as radio button, type in a share name and comment.
Click the Permissions button and on the next screen I deselect the Change and Full Control check boxes.

Are you saying the only way to do it is manually?  Or are you saying I should right-click it and go to Properties and set the attributes to Read-only?  In that case, I couldn't even write to it, could I?

Thank you,
Joe
0
 
LVL 86

Expert Comment

by:jkr
ID: 7172540
>>Are you saying the only way to do it is manually?

No - everything that you can do 'manually' of course has a code counterpart :o)

However, the ACL API is pretty cumbersome. Essentially, you'd revoke the WRITE_DAC for 'Everyone', e.g.

    LPTSTR FileName = TEXT("C:\\Temp\\MyDir");
    LPTSTR TrusteeName = TEXT("Everyone");

    DWORD AccessMask = WRITE_DAC;
    DWORD InheritFlag = NO_INHERITANCE;
    ACCESS_MODE option = REVOKE_ACCESS;
    EXPLICIT_ACCESS explicitaccess;

    PACL ExistingDacl;
    PACL NewAcl = NULL;
    PSECURITY_DESCRIPTOR psd = NULL;

    DWORD dwError;

    dwError = GetNamedSecurityInfo(
                        FileName,
                        SE_FILE_OBJECT,
                        DACL_SECURITY_INFORMATION,
                        NULL,
                        NULL,
                        &ExistingDacl,
                        NULL,
                        &psd
                        );

    BuildExplicitAccessWithName(
            &explicitaccess,
            TrusteeName,
            AccessMask,
            option,
            InheritFlag
            );

    //
    // add specified access to the object
    //

    dwError = SetEntriesInAcl(
            1,
            &explicitaccess,
            ExistingDacl,
            &NewAcl
            );

    //
    // apply new security to file
    //

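    dwError = SetNamedSecurityInfo(
                    FileName,
                    SE_FILE_OBJECT, // object type
                    DACL_SECURITY_INFORMATION,
                    NULL,
                    NULL,
                    NewAcl,
                    NULL
                    );

    //
    // free the buffers allocated by SetEntriesInAcl and GetNamedSecurityInfo
    //

    if (NewAcl) LocalFree(NewAcl);
    if (psd) LocalFree(psd);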

(This is a stripped down version of the MS' AclAPI sample)
0
 

Author Comment

by:joeslow
ID: 7172955
When I ran this code on an NT station, it did something.  What it did I'm not quite sure.  If I right-click the folder, and select Sharing, then bring up the Permissions dialog, I see Everyone still has Full Control.  If instead, I pick the Security tab, (I get General, Sharing, and Security on NT), then select the Permissions button, I can see that Everyone has been removed.  In fact if I left click the folder, I get an access denied error.

Anyway, on Windows 2000 I only get the General and Sharing tabs.  The sharing tab's permission button still shows Everyone with Full Control.

Am I completely missing the boat here?  I've never messed with this kind of stuff.  Why is the default of a shared directory to allow Everyone Full Control?

Thank you,
Joe
0
 

Author Comment

by:joeslow
ID: 7173042
Hi,

In your sample code I just tried changing SE_FILE_OBJECT to SE_LMSHARE and changing the value of FileName to "\\\\Computer\\My Share Point".  I then ran it after I ran the original code I posted (using NetShareAdd).  I think it is a little closer to what I want.  Now, after I run the code, the share is created but there are no permissions for anyone.  Maybe I need to add them for Everyone to have read control?

Thank you,
Joe
0
 

Author Comment

by:joeslow
ID: 7173073
Almost there...

I can get the permissions to "Special" for Everyone if I change the code to:

BuildExplicitAccessWithName(
           &explicitaccess,
           TrusteeName,
           GENERIC_READ, //<------- changed
           SET_ACCESS,   //<------- changed
           InheritFlag
           );

I tried creating a new text doc and modifying an existing file from another machine and both were denied (which is what I want).  The only thing that concerns me is that it shows "Special" instead of "Read"...

Thank you,
Joe
0
 
LVL 86

Expert Comment

by:jkr
ID: 7173159
Great. Sorry for not being back earlier, but I had to leave my office at 11pm <s> - I'll take a look into that "Special" access tomorrow :o)
0
 
LVL 86

Accepted Solution

by:
jkr earned 215 total points
ID: 7174990
Hmmm - try

BuildExplicitAccessWithName(
          &explicitaccess,
          TrusteeName,
          GENERIC_READ | STANDARD_RIGHTS_READ,
          SET_ACCESS,
          InheritFlag
          );

If that's not enough,

BuildExplicitAccessWithName(
          &explicitaccess,
          TrusteeName,
          GENERIC_READ | STANDARD_RIGHTS_READ | SPECIFIC_RIGHTS_ALL,
          SET_ACCESS,
          InheritFlag
          );

might be worth a try...
0
 

Author Comment

by:joeslow
ID: 7175089
Hi,

Using the second way on W2K, I get the following:
              Allow  Deny
Full Control
Change
Read            X

However, someone is still able to create new files, and change existing files from another computer...

I am experimenting with using a call to

BuildExplicitAccessWithName(
         &explicitaccess,
         TrusteeName,
         GENERIC_WRITE,
         DENY_ACCESS,
         InheritFlag
         );


right after the SET_ACCESS...

Thanks again,
Joe
0
 

Author Comment

by:joeslow
ID: 7189238
Hi,

Sorry for the delay.  I just realized the machine I am testing this on is FAT32 instead of NTFS.  That explains why I couldn't get it to work.  Anyway, your code sample does work on NTFS and I've figured out how to do it on a FAT machine.

Thank you for the help,
Joe
0
 
LVL 86

Expert Comment

by:jkr
ID: 7189396
Great :o)

Thank you!
0
 
LVL 86

Expert Comment

by:jkr
ID: 7189399
BTW: The first snippet should have worked also if I hadn't made the mistake of using WRITE_DAC instead of GENERIC_WRITE...
0
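The thread moves between two separate DACLs, the one on the share (SE_LMSHARE, the Sharing tab) and the one on the NTFS folder (SE_FILE_OBJECT, the Security tab), and ends on a FAT32 volume that has no folder DACL. The following is an added example, not code from any poster in the thread: a portable, simplified model of the ordered ACE check showing how the two DACLs combine for a remote request. The `Ace` struct, the function names and the sample DACLs are hypothetical; only the mask values are the ones from winnt.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Access-mask values as defined in winnt.h; trailing underscore marks local copies. */
#define GENERIC_READ_       0x80000000u
#define GENERIC_WRITE_      0x40000000u
#define FILE_GENERIC_READ_  0x00120089u
#define FILE_GENERIC_WRITE_ 0x00120116u
#define FILE_ALL_ACCESS_    0x001F01FFu
#define FILE_READ_DATA_     0x00000001u
#define FILE_WRITE_DATA_    0x00000002u

/* Hypothetical simplified ACE: the trustee is always Everyone. */
typedef struct { int deny; uint32_t mask; } Ace;

/* Expand generic bits into file-specific rights (the file GENERIC_MAPPING). */
static uint32_t map_generic(uint32_t m) {
    if (m & GENERIC_READ_)  m = (m & ~GENERIC_READ_)  | FILE_GENERIC_READ_;
    if (m & GENERIC_WRITE_) m = (m & ~GENERIC_WRITE_) | FILE_GENERIC_WRITE_;
    return m;
}

/* Ordered ACE walk: a deny ACE covering a still-needed bit fails the request,
   allow ACEs satisfy needed bits, and bits left over at the end are refused. */
int dacl_allows(const Ace *dacl, size_t n, uint32_t wanted) {
    uint32_t need = map_generic(wanted);
    for (size_t i = 0; i < n && need; i++) {
        uint32_t m = map_generic(dacl[i].mask);
        if (dacl[i].deny) { if (m & need) return 0; }
        else need &= ~m;
    }
    return need == 0;
}

/* A remote request must pass the share DACL and, on NTFS, the folder DACL.
   fs == NULL models a FAT32 volume, which stores no DACL. */
int remote_access_ok(const Ace *share, size_t ns, const Ace *fs, size_t nf, uint32_t wanted) {
    if (!dacl_allows(share, ns, wanted)) return 0;
    return fs == NULL || dacl_allows(fs, nf, wanted);
}

/* Constructed sample DACLs for Everyone. */
const Ace SHARE_FULL[] = { {0, FILE_ALL_ACCESS_} };                      /* share as created in the question */
const Ace READ_ONLY[]  = { {0, GENERIC_READ_} };                         /* SET_ACCESS with GENERIC_READ */
const Ace DENY_WRITE[] = { {1, GENERIC_WRITE_}, {0, FILE_ALL_ACCESS_} }; /* deny ACE placed first */

int main(void) {
    printf("full share, FAT32, write: %d\n", remote_access_ok(SHARE_FULL, 1, NULL, 0, FILE_WRITE_DATA_));
    printf("full share, NTFS read-only, write: %d\n", remote_access_ok(SHARE_FULL, 1, READ_ONLY, 1, FILE_WRITE_DATA_));
    printf("read-only share, FAT32, write: %d\n", remote_access_ok(READ_ONLY, 1, NULL, 0, FILE_WRITE_DATA_));
    return 0;
}
```

In this model a share left at Everyone Full Control over a FAT32 folder is remotely writable, and restricting either the share DACL or, on NTFS, the folder DACL to read is enough to refuse the write.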
