CreateDirectory using specific rights !

I have to create a directory on a NTFS disk.

This directory must have the Everyone Group and all permissions checked but not Full Control.

Therefore, I have create this function (see below) but have problems with the security descriptor.

The directory is correctly created and the Everyone group is the only one present (is correct)
but nothing is checked in Permissions !

Did someone has an idea ?


BOOL CCleanEditMediaServerDirSharesDlg::MyCreateDirectory(LPCTSTR lpszPathName)
 {
  // ----- CREATE SECURITY DESCRIPTOR -----

  PSID                 pstSIDEveryone = NULL;
  PACL                 pstACL         = NULL;
  PSECURITY_DESCRIPTOR pstSecDesc     = NULL;

  if (1)
   {
    BOOL bRet;

    // Create a well-known SID for the everyone group

    SID_IDENTIFIER_AUTHORITY stSIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;

    bRet = AllocateAndInitializeSid(&stSIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &pstSIDEveryone);

    if (!bRet) return FALSE;

    // Initialize an EXPLICIT_ACCESS structure for an ACE

    EXPLICIT_ACCESS stEA[1];

    memset(stEA, 0, sizeof(stEA));

    // The ACE will allow everyone full access to the shared directory

    stEA[0].grfAccessPermissions             = SPECIFIC_RIGHTS_ALL | DELETE | READ_CONTROL | SYNCHRONIZE;
    stEA[0].grfAccessMode                    = SET_ACCESS;
    stEA[0].grfInheritance                   = NO_INHERITANCE;
    //stEA[0].Trustee.pMultipleTrustee         = NULL;
    //stEA[0].Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
    stEA[0].Trustee.TrusteeForm              = TRUSTEE_IS_SID;
    stEA[0].Trustee.TrusteeType              = TRUSTEE_IS_WELL_KNOWN_GROUP;
    stEA[0].Trustee.ptstrName                = (LPTSTR)pstSIDEveryone;

    // Create a new ACL that contains the new ACEs

    DWORD nRet = SetEntriesInAcl(1, stEA, NULL, &pstACL);

    if (nRet != ERROR_SUCCESS)
     {
      FreeSid(pstSIDEveryone);
      return FALSE;
     }

    // Allocate a security descriptor

    pstSecDesc = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);

    if (!pstSecDesc)
     {
      FreeSid(pstSIDEveryone);
      LocalFree(pstACL);
      return FALSE;
     }

    // Initialize security descriptor

    bRet = InitializeSecurityDescriptor(pstSecDesc, SECURITY_DESCRIPTOR_REVISION);

    if (!bRet)
     {
      FreeSid(pstSIDEveryone);
      LocalFree(pstACL);
      LocalFree(pstSecDesc);
      return FALSE;
     }

    // Add the ACL to the security descriptor

    bRet = SetSecurityDescriptorDacl(pstSecDesc, TRUE, pstACL, FALSE);

    if (!bRet)
     {
      FreeSid(pstSIDEveryone);
      LocalFree(pstACL);
      LocalFree(pstSecDesc);
      return FALSE;
     }
   }

  // ----- CREATE SECURITY ATTRIBUTES -----

  SECURITY_ATTRIBUTES stSA;

  stSA.nLength              = sizeof(stSA);
  stSA.bInheritHandle       = FALSE;
  stSA.lpSecurityDescriptor = pstSecDesc;

  // ----- CREATE DIRECTORY -----

  BOOL bRet = CreateDirectory(lpszPathName, &stSA);

  if (pstSecDesc)
   {
    FreeSid(pstSIDEveryone);
    LocalFree(pstACL);
    LocalFree(pstSecDesc);
   }

  return bRet;
 }
mike_marquetAsked:
Who is Participating?
 
jkrConnect With a Mentor Commented:
OK, this one might be more what you want:

  LPTSTR FileName = "C:\\MyNewDirectory";
  LPTSTR TrusteeName = "Everyone";

  DWORD InheritFlag = NO_INHERITANCE;
  ACCESS_MODE option = GRANT_ACCESS;
  EXPLICIT_ACCESS explicitaccess;

  PACL ExistingDacl;
  PACL NewAcl = NULL;
  PSECURITY_DESCRIPTOR psd = NULL;

  DWORD dwError;

  dwError = GetNamedSecurityInfo(
                      FileName,
                      SE_FILE_OBJECT,
                      DACL_SECURITY_INFORMATION,
                      NULL,
                      NULL,
                      &ExistingDacl,
                      NULL,
                      &psd
                      );

  BuildExplicitAccessWithName(
        &explicitaccess,
        TrusteeName,
        GENERIC_READ | GENERIC_WRITE | STANDARD_RIGHTS_ALL,
        SET_ACCESS,
        InheritFlag
        );

  //
  // add specified access to the object
  //

  dwError = SetEntriesInAcl(
          1,
          &explicitaccess,
          ExistingDacl,
          &NewAcl
          );

  //
  // apply new security to file
  //

  dwError = SetNamedSecurityInfo(
                  FileName,
                  SE_FILE_OBJECT, // object type
                  DACL_SECURITY_INFORMATION,
                  NULL,
                  NULL,
                  NewAcl,
                  NULL
                  );
0
 
jkrCommented:
Have you tried

stEA[0].grfAccessPermissions             = SPECIFIC_RIGHTS_ALL | STANDARD_RIGHTS_REQUIRED;

?
0
 
mike_marquetAuthor Commented:
I have tried it but it is the same.

The only difference, is that after directory creation, I can no more delete it.
To delete it, I must delete it from an other computer running NT4
0
 
mike_marquetAuthor Commented:
Thanks, it's working
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.