Solved

NetShareAdd with Read Only Access

Posted on 2002-07-23
Last Modified: 2013-12-03
Hi,

I am writing a function to add a network share point that allows everyone to have Read access.  The function (simplified) is shown here:

    #include <windows.h>
    #include <lm.h>
    #pragma comment(lib, "netapi32.lib")

    NET_API_STATUS net_status = 0;
    SHARE_INFO_2   share_info = {0};
    DWORD          dwErr = 0;   // receives the index of the invalid member if NetShareAdd fails

    share_info.shi2_type         = STYPE_DISKTREE;
    share_info.shi2_netname      = L"My Share Point";
    share_info.shi2_remark       = L"This is a remark";
    share_info.shi2_permissions  = ACCESS_READ;
    share_info.shi2_max_uses     = (DWORD)-1;   // SHI_USES_UNLIMITED
    share_info.shi2_current_uses = 0;
    share_info.shi2_path         = L"C:\\Temp\\MyDir";
    share_info.shi2_passwd       = NULL;

    net_status = NetShareAdd(L"Computer", 2, (LPBYTE)&share_info, &dwErr);

The share point is added with the correct remark but it gives everyone full control.  net_status is 0 after the call.

I need to run this on Windows NT and 2000 only.

Thank you,
Joe
Question by:joeslow
13 Comments
 

Expert Comment

by:jkr
ID: 7172332
It won't work. The key is

"shi2_permissions
Specifies a DWORD value that indicates the shared resource's permissions for servers running with share-level security. A server running user-level security ignores this member" (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/ntlmapi3_2kxe.asp)

NT/W2k machines use user-level security, so this value is ignored anyway - see also the docs for 'NetShareAdd()' at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/ntlmapi2_0bxg.asp stating:

"Windows NT/2000/XP: The following code sample demonstrates how to share a network resource using a call to the NetShareAdd function. The code sample fills in the members of the SHARE_INFO_2 structure and calls NetShareAdd, specifying information level 2. A password is not required because these platforms do not support share-level security."

Expert Comment

by:jkr
ID: 7172336
BTW, as a workaround - set the folder's access permissions to 'read-only' (or just the 'read-only' attribute for the folder)

Author Comment

by:joeslow
ID: 7172498
Hi.  Thanks for the input but I guess I'm still a little confused...

What is actually happening when I manually do this?:

Go to the folder, right-click it, and select Sharing.
Click the Share as radio button, type in a share name and comment.
Click the Permissions button and on the next screen I deselect the Change and Full Control check boxes.

Are you saying the only way to do it is manually?  Or are you saying I should right-click it and go to Properties and set the attributes to Read-only.  In that case, I couldn't even write to it could I?

Thank you,
Joe

Expert Comment

by:jkr
ID: 7172540
>>Are you saying the only way to do it is manually?

No - everything that you can do 'manually' of course has a code counterpart :o)

However, the ACL API is pretty cumbersome. Essentially, you'd revoke the WRITE_DAC for 'Everyone', e.g.

    #include <windows.h>
    #include <aclapi.h>
    #pragma comment(lib, "advapi32.lib")

    // Wrapped in a function so the fragment compiles; returns a Win32 error code.
    DWORD RevokeEveryoneOnFolder(void)
    {
        LPTSTR FileName    = TEXT("C:\\Temp\\MyDir");
        LPTSTR TrusteeName = TEXT("Everyone");

        DWORD AccessMask = WRITE_DAC;
        DWORD InheritFlag = NO_INHERITANCE;
        ACCESS_MODE option = REVOKE_ACCESS;   // removes all existing ACEs for the trustee; the mask is not consulted
        EXPLICIT_ACCESS explicitaccess;

        PACL ExistingDacl = NULL;
        PACL NewAcl = NULL;
        PSECURITY_DESCRIPTOR psd = NULL;      // owns ExistingDacl; release with LocalFree

        DWORD dwError;

        //
        // read the folder's current DACL
        //

        dwError = GetNamedSecurityInfo(
                            FileName,
                            SE_FILE_OBJECT,
                            DACL_SECURITY_INFORMATION,
                            NULL,
                            NULL,
                            &ExistingDacl,
                            NULL,
                            &psd
                            );
        if (dwError != ERROR_SUCCESS)
            return dwError;

        BuildExplicitAccessWithName(
                &explicitaccess,
                TrusteeName,
                AccessMask,
                option,
                InheritFlag
                );

        //
        // merge the entry into the existing DACL
        //

        dwError = SetEntriesInAcl(
                1,
                &explicitaccess,
                ExistingDacl,
                &NewAcl
                );
        if (dwError != ERROR_SUCCESS)
        {
            LocalFree(psd);
            return dwError;
        }

        //
        // apply new security to the folder
        //

        dwError = SetNamedSecurityInfo(
                        FileName,
                        SE_FILE_OBJECT, // object type
                        DACL_SECURITY_INFORMATION,
                        NULL,
                        NULL,
                        NewAcl,
                        NULL
                        );

        LocalFree(NewAcl);
        LocalFree(psd);
        return dwError;
    }

(This is a stripped down version of the MS' AclAPI sample)

Author Comment

by:joeslow
ID: 7172955
When I ran this code on an NT station, it did something.  What it did I'm not quite sure.  If I right-click the folder, and select Sharing, then bring up the Permissions dialog, I see Everyone still has Full Control.  If instead I pick the Security tab (I get General, Sharing, and Security on NT), then select the Permissions button, I can see that Everyone has been removed.  In fact, if I left-click the folder, I get an access denied error.

Anyway, on Windows 2000 I only get the General and Sharing tabs.  The sharing tab's permission button still shows Everyone with Full Control.

Am I completely missing the boat here?  I've never messed with this kind of stuff.  Why is the default of a shared directory to allow Everyone Full Control?

Thank you,
Joe

Author Comment

by:joeslow
ID: 7173042
Hi,

In your sample code I just tried changing SE_FILE_OBJECT to SE_LMSHARE and changing the value of FileName to "\\\\Computer\\My Share Point".  I then ran it after I ran the original code I posted (using NetShareAdd).  I think it is a little closer to what I want.  Now, after I run the code, the share is created but there are no permissions for anyone in there.  Maybe I need to add them for Everyone to have read control?

Thank you,
Joe

Author Comment

by:joeslow
ID: 7173073
Almost there...

I can get the permissions to "Special" for Everyone if I change the code to:

BuildExplicitAccessWithName(
           &explicitaccess,
           TrusteeName,
           GENERIC_READ, //<------- changed
           SET_ACCESS,   //<------- changed
           InheritFlag
           );

I tried creating a new text doc and modifying an existing file from another machine and both were denied (which is what I want).  The only thing that concerns me is that it shows "Special" instead of "Read"...

Thank you,
Joe

Expert Comment

by:jkr
ID: 7173159
Great. Sorry for not being back earlier, but I had to leave my office at 11pm <s> - I'll take a look into that "Special" access tomorrow :o)

Accepted Solution

by:
jkr earned 215 total points
ID: 7174990
Hmmm - try

BuildExplicitAccessWithName(
          &explicitaccess,
          TrusteeName,
          GENERIC_READ | STANDARD_RIGHTS_READ,
          SET_ACCESS,
          InheritFlag
          );

If that's not enough,

BuildExplicitAccessWithName(
          &explicitaccess,
          TrusteeName,
          GENERIC_READ | STANDARD_RIGHTS_READ | SPECIFIC_RIGHTS_ALL,
          SET_ACCESS,
          InheritFlag
          );

might be worth a try...
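The approach worked out above (a share created with NetShareAdd, then a DACL set on the SE_LMSHARE object), as an added example that is neither jkr's nor Microsoft's code: it grants Everyone the mask the share-permissions dialog shows as Read, 0x1200A9, rather than GENERIC_READ, and a helper flags masks that still carry write rights, such as the second variant above, whose SPECIFIC_RIGHTS_ALL includes FILE_WRITE_DATA. Assumed: the share "\\\\Computer\\My Share Point" already exists and the caller may change its security; the mask values are those from winnt.h.

```c
/* Added example, not from the thread: give Everyone exactly the standard Read
 * share permission. Win32 calls compile only on Windows; the helper is portable. */
#ifdef _WIN32
#include <windows.h>
#include <aclapi.h>
#pragma comment(lib, "advapi32.lib")
#else
typedef unsigned long DWORD;
#endif

/* Masks behind the share-permissions dialog's Read / Change / Full Control entries
 * (winnt.h: FILE_GENERIC_READ|FILE_GENERIC_EXECUTE; +FILE_GENERIC_WRITE|DELETE; FILE_ALL_ACCESS). */
#define SHARE_READ_MASK    0x001200A9UL
#define SHARE_CHANGE_MASK  0x001301BFUL
#define SHARE_FULL_MASK    0x001F01FFUL

/* Rights that let a client modify data through the share: FILE_WRITE_DATA,
 * FILE_APPEND_DATA, FILE_WRITE_EA, FILE_DELETE_CHILD, FILE_WRITE_ATTRIBUTES,
 * DELETE, GENERIC_WRITE and GENERIC_ALL. SPECIFIC_RIGHTS_ALL (0xFFFF) contains
 * the first five, which is why that variant of the mask still allowed writes. */
#define SHARE_WRITE_BITS (0x2UL|0x4UL|0x10UL|0x40UL|0x100UL|0x10000UL|0x40000000UL|0x10000000UL)

/* Returns 1 if an allow ACE carrying this mask would still permit writes. */
int share_mask_grants_write(DWORD mask)
{
    return (mask & SHARE_WRITE_BITS) != 0;
}

#ifdef _WIN32
/* Replace the DACL of the share sharePath ("\\\\server\\share", e.g.
 * TEXT("\\\\Computer\\My Share Point")) with a single Everyone:Read entry.
 * Passing NULL as the old ACL to SetEntriesInAcl discards the default
 * Everyone:Full Control entry instead of merging with it. */
DWORD set_share_read_only(LPTSTR sharePath)
{
    EXPLICIT_ACCESS ea;
    PACL newAcl = NULL;
    DWORD err;
    BuildExplicitAccessWithName(&ea, TEXT("Everyone"), SHARE_READ_MASK,
                                SET_ACCESS, NO_INHERITANCE);
    err = SetEntriesInAcl(1, &ea, NULL, &newAcl);
    if (err != ERROR_SUCCESS)
        return err;
    err = SetNamedSecurityInfo(sharePath, SE_LMSHARE, DACL_SECURITY_INFORMATION,
                               NULL, NULL, newAcl, NULL);
    LocalFree(newAcl);
    return err;
}
#endif
```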

Author Comment

by:joeslow
ID: 7175089
Hi,

Using the second way on W2K, I get the following:
              Allow  Deny
Full Control
Change
Read            X

However, someone is still able to create new files, and change existing files from another computer...

I am experimenting with using a call to

BuildExplicitAccessWithName(
         &explicitaccess,
         TrusteeName,
         GENERIC_WRITE,
         DENY_ACCESS,
         InheritFlag
         );


right after the SET_ACCESS...

Thanks again,
Joe

Author Comment

by:joeslow
ID: 7189238
Hi,

Sorry for the delay.  I just realized the machine I am testing this on is FAT32 instead of NTFS.  That explains why I couldn't get it to work.  Anyway, your code sample does work on NTFS and I've figured out how to do it on a FAT machine.

Thank you for the help,
Joe

Expert Comment

by:jkr
ID: 7189396
Great :o)

Thank you!

Expert Comment

by:jkr
ID: 7189399
BTW: The first snippet should have worked also if I hadn't made the mistake of using WRITE_DAC instead of GENERIC_WRITE...
