joeslow
asked on
NetShareAdd with Read Only Access
Hi,
I am writing a function to add a network share point that allows everyone to have Read access. The function (simplified) is shown here:
#include <windows.h>
#include <lm.h>   // NetShareAdd, SHARE_INFO_2, STYPE_DISKTREE, ACCESS_READ

NET_API_STATUS net_status = 0;
SHARE_INFO_2 share_info = {0};
DWORD dwErr = 0;   // receives the index of the bad member if NetShareAdd returns ERROR_INVALID_PARAMETER
share_info.shi2_type = STYPE_DISKTREE;
share_info.shi2_netname = L"My Share Point";
share_info.shi2_remark = L"This is a remark";
share_info.shi2_permissions = ACCESS_READ;
share_info.shi2_max_uses = -1;   // unlimited connections
share_info.shi2_current_uses = 0;
share_info.shi2_path = L"C:\\Temp\\MyDir";
share_info.shi2_passwd = 0;
net_status = NetShareAdd(L"Computer", 2, (LPBYTE)&share_info, &dwErr);
The share point is added with the correct remark but it gives everyone full control. net_status is 0 after the call.
I need to run this on Windows NT and 2000 only.
Thank you,
Joe
BTW, as a workaround - set the folder's access permissions to 'read-only' (or just the 'read-only' attribute for the folder)
ASKER
Hi. Thanks for the input but I guess I'm still a little confused...
What is actually happening when I manually do this?:
Go to the folder, right-click it select Sharing.
Click the Share as radio button, type in a share name and comment.
Click the Permissions button and on the next screen I deselect the Change and Full Control check boxes.
Are you saying the only way to do it is manually? Or are you saying I should right-click it and go to Properties and set the attributes to Read-only. In that case, I couldn't even write to it could I?
Thank you,
Joe
>>Are you saying the only way to do it is manually?
No - everything that you can do 'manually' of course has a code counterpart :o)
However, the ACL API is pretty cumbersome. Essentially, you'd revoke the WRITE_DAC for 'Everyone', e.g.
#include <windows.h>
#include <aclapi.h>

DWORD RevokeEveryoneOnDir(void)
{
    LPTSTR FileName = TEXT("C:\\Temp\\MyDir");
    LPTSTR TrusteeName = TEXT("Everyone");
    DWORD AccessMask = WRITE_DAC;
    DWORD InheritFlag = NO_INHERITANCE;
    ACCESS_MODE option = REVOKE_ACCESS;
    EXPLICIT_ACCESS explicitaccess;
    PACL ExistingDacl = NULL;
    PACL NewAcl = NULL;
    PSECURITY_DESCRIPTOR psd = NULL;   // owns the memory ExistingDacl points into
    DWORD dwError;

    //
    // read the directory's current DACL
    //
    dwError = GetNamedSecurityInfo(
        FileName,
        SE_FILE_OBJECT,
        DACL_SECURITY_INFORMATION,
        NULL,
        NULL,
        &ExistingDacl,
        NULL,
        &psd
        );
    if (dwError != ERROR_SUCCESS)
        return dwError;

    //
    // describe the change: with REVOKE_ACCESS, SetEntriesInAcl drops the
    // trustee's existing ACEs (the mask is not consulted in this mode)
    //
    BuildExplicitAccessWithName(
        &explicitaccess,
        TrusteeName,
        AccessMask,
        option,
        InheritFlag
        );

    //
    // add specified access to the object
    //
    dwError = SetEntriesInAcl(
        1,
        &explicitaccess,
        ExistingDacl,
        &NewAcl
        );
    if (dwError == ERROR_SUCCESS) {
        //
        // apply new security to file
        //
        dwError = SetNamedSecurityInfo(
            FileName,
            SE_FILE_OBJECT,   // object type
            DACL_SECURITY_INFORMATION,
            NULL,
            NULL,
            NewAcl,
            NULL
            );
        LocalFree(NewAcl);
    }
    LocalFree(psd);
    return dwError;
}
(This is a stripped down version of the MS' AclAPI sample)
ASKER
When I ran this code on an NT station, it did something. What it did I'm not quite sure. If I right-click the folder, and select Sharing, then bring up the Permissions dialog, I see Everyone still has Full Control. If instead, I pick the Security tab, (I get General, Sharing, and Security on NT), then select the Permissions button, I can see that Everyone has been removed. In fact if I left-click the folder, I get an access denied error.
Anyway, on Windows 2000 I only get the General and Sharing tabs. The sharing tab's permission button still shows Everyone with Full Control.
Am I completely missing the boat here? I've never messed with this kind of stuff. Why is the default of a shared directory to allow Everyone Full Control?
Thank you,
Joe
ASKER
Hi,
In your sample code I just tried changing SE_FILE_OBJECT to SE_LMSHARE and changing the value of FileName to "\\\\Computer\\My Share Point". I then ran it after I ran the original code I posted (using NetShareAdd). I think it is a little closer to what I want. Now, after I run the code, the share is created but in there are no permissions for anyone. Maybe I need to add them for Everyone to have read control?
Thank you,
Joe
ASKER
Almost there...
I can get the permissions to "Special" for Everyone if I change the code to:
BuildExplicitAccessWithName(
    &explicitaccess,
    TrusteeName,
    GENERIC_READ,   //<------- changed
    SET_ACCESS,     //<------- changed
    InheritFlag
    );
I tried creating a new text doc and modifying an existing file from another machine and both were denied (which is what I want). The only thing that concerns me is that it shows "Special" instead of "Read"...
Thank you,
Joe
Great. Sorry for not being back earlier, but I had to leave my office at 11pm <s> - I'll take a look into that "Special" access tomorrow :o)
ASKER CERTIFIED SOLUTION
ASKER
Hi,
Using the second way on W2K, I get the following:
                 Allow   Deny
Full Control
Change
Read               X
However, someone is still able to create new files, and change existing files from another computer...
I am experimenting with using a call to
BuildExplicitAccessWithName(
    &explicitaccess,
    TrusteeName,
    GENERIC_WRITE,
    DENY_ACCESS,
    InheritFlag
    );
right after the SET_ACCESS...
Thanks again,
Joe
ASKER
Hi,
Sorry for the delay. I just realized the machine I am testing this on is FAT32 instead of NTFS. That explains why I couldn't get it to work. Anyway, your code sample does work on NTFS and I've figured out how to do it on a FAT machine.
Thank you for the help,
Joe
Great :o)
Thank you!
BTW: The first snippet should have worked also if I hadn't made the mistake of using WRITE_DAC instead of GENERIC_WRITE...
"shi2_permissions: Specifies a DWORD value that indicates the shared resource's permissions for servers running with share-level security. A server running user-level security ignores this member" (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/ntlmapi3_2kxe.asp)
NT/W2k machines use user-level security, so this value is ignored anyway - see also the docs for 'NetShareAdd()' at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/ntlmapi2_0bxg.asp stating:
"Windows NT/2000/XP: The following code sample demonstrates how to share a network resource using a call to the NetShareAdd function. The code sample fills in the members of the SHARE_INFO_2 structure and calls NetShareAdd, specifying information level 2. A password is not required because these platforms do not support share-level security."