用API实现指定共享用户访问权限的方法
2012-03-07 16:04
思路是：首先获得指定用户的 SID，建立一个共享资源的访问控制列表（ACL），把 SID 加入该 ACL，再用它初始化共享资源的安全描述符，最后调用 NetShareAdd 创建共享。
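// One run of ACEs for a share DACL: the SIDs of a single VectorShareDir entry,
// all carrying the access mask of that entry.
struct ShareAceGroup
{
    DWORD dwAccess;
    vector<PSID> vecSid;
};

// Maps an entry's nPermission to the access mask that goes into its ACE.
//   1 -> read          (0x001200a9 = FILE_GENERIC_READ | FILE_GENERIC_EXECUTE)
//   2 -> change        (0x001301bf = read | FILE_GENERIC_WRITE | DELETE)
//   3 -> full control  (GENERIC_ALL)
// Returns FALSE for any other value and leaves *pdwAccess untouched; callers
// treat that as "this entry grants nothing".
static BOOL PermissionToAccessMask(int nPermission, DWORD* pdwAccess)
{
    switch (nPermission)
    {
    case 1: *pdwAccess = 0x001200a9; return TRUE;
    case 2: *pdwAccess = 0x001301bf; return TRUE;
    case 3: *pdwAccess = GENERIC_ALL; return TRUE;
    default: return FALSE;
    }
}

// Releases every SID in every group; each SID was malloc()'d by
// GetSidByAccountName and is owned by the caller.
static void FreeAceGroups(vector<ShareAceGroup>& vecGroups)
{
    for (size_t g = 0; g < vecGroups.size(); ++g)
    {
        vector<PSID>& vecSid = vecGroups[g].vecSid;
        for (vector<PSID>::iterator it = vecSid.begin(); it != vecSid.end(); ++it)
            free(*it);
        vecSid.clear();
    }
    vecGroups.clear();
}

// Resolves the users of every entry that names the same strPath as *iter
// (including *iter itself) into vecGroups, one group per entry.  Entries whose
// nPermission grants nothing are skipped individually.  dwAclSize is grown by
// GetSidByAccountName for each SID it resolves, so the caller knows the DACL
// size before allocating it.
static void CollectAceGroupsForPath(VectorShareDir& vecShareDir,
                                    VectorShareDir::iterator iter,
                                    vector<ShareAceGroup>& vecGroups,
                                    DWORD& dwAclSize)
{
    for (VectorShareDir::iterator other = vecShareDir.begin(); other != vecShareDir.end(); ++other)
    {
        if (other->strPath != iter->strPath)
            continue;
        ShareAceGroup group;
        if (!PermissionToAccessMask(other->nPermission, &group.dwAccess))
            continue;   // grants nothing; keep scanning the remaining entries
        GetSidByAccountName(other->strUsers, group.vecSid, dwAclSize);
        vecGroups.push_back(group);
    }
}

// Appends one ACCESS_ALLOWED_ACE per SID to pDacl.  A failed append is logged
// and the remaining SIDs are still tried; pDacl must already be initialized
// with enough room for all of them.
static void AppendAllowedAces(PACL pDacl, const vector<ShareAceGroup>& vecGroups)
{
    for (size_t g = 0; g < vecGroups.size(); ++g)
    {
        const vector<PSID>& vecSid = vecGroups[g].vecSid;
        for (size_t s = 0; s < vecSid.size(); ++s)
        {
            if (!AddAccessAllowedAce(pDacl, ACL_REVISION, vecGroups[g].dwAccess, vecSid[s]))
                gLogger.debug("[CSharedResourceMgr::AddShareDir] Add ace to acl error:%d", GetLastError());
        }
    }
}

// Creates the share at level 502 with pSd as its security descriptor.  If a
// share of that name already exists, its security descriptor is replaced in
// place instead.  Returns the Net API status of whichever call decided the
// outcome; the Net API reports errors through that return value, not through
// GetLastError().
static NET_API_STATUS CreateOrUpdateShare(_bstr_t& bstrShareName, _bstr_t& bstrSharePath, PSECURITY_DESCRIPTOR pSd)
{
    SHARE_INFO_502 si502;
    si502.shi502_netname = bstrShareName;
    si502.shi502_type = STYPE_DISKTREE;
    si502.shi502_remark = NULL;
    si502.shi502_max_uses = SHI_USES_UNLIMITED;
    si502.shi502_permissions = ACCESS_ALL; // has no effect here; the DACL in pSd governs access
    si502.shi502_current_uses = 0;
    si502.shi502_path = bstrSharePath;
    si502.shi502_passwd = NULL;
    si502.shi502_reserved = 0;
    si502.shi502_security_descriptor = pSd;

    NET_API_STATUS status = NetShareAdd(NULL, 502, (LPBYTE)&si502, NULL);
    if (status != NERR_DuplicateShare)
        return status;

    PSHARE_INFO_502 bufPtr = NULL;
    NET_API_STATUS getStatus = NetShareGetInfo(NULL, bstrShareName, 502, (LPBYTE*)&bufPtr);
    if (getStatus != NERR_Success)
    {
        gLogger.debug("[CSharedResourceMgr::AddShareDir]Get share info erroe:%d\n", getStatus);
        return status;
    }
    bufPtr->shi502_security_descriptor = pSd;
    NET_API_STATUS setStatus = NetShareSetInfo(NULL, bstrShareName, 502, (LPBYTE)bufPtr, NULL);
    if (setStatus == NERR_Success)
        status = NERR_Success;
    else
        gLogger.debug("[CSharedResourceMgr::AddShareDir]Set share info erroe:%d\n", setStatus);
    // The buffer from NetShareGetInfo belongs to the Net API, not to free().
    NetApiBufferFree(bufPtr);
    return status;
}

// Creates (or re-secures, if the share name already exists) one network share
// per entry of vecShareDir.
//
// The DACL of a share is the union of the users of EVERY entry that names the
// same strPath, each user with the access mask of its own entry.  The original
// only merged the entries that came after the current one, so with several
// entries per path the last NetShareSetInfo call dropped the earlier users.
//
// An entry whose nPermission grants nothing is skipped on its own (the
// original returned and silently abandoned all remaining entries).  Allocation
// and API failures are logged per entry and do not stop the loop.
//
// Memory: the SIDs returned by GetSidByAccountName are malloc()'d and freed
// here; the DACL buffer is freed on every path.
void AddShareDir(VectorShareDir& vecShareDir)
{
    for (VectorShareDir::iterator iter = vecShareDir.begin(); iter != vecShareDir.end(); ++iter)
    {
        // Only the validity matters here; each entry's mask is re-derived when
        // its SIDs are collected below.
        DWORD dwAccess = 0;
        if (!PermissionToAccessMask(iter->nPermission, &dwAccess))
            continue;

        _bstr_t bstrShareName(iter->strNetname.c_str());
        _bstr_t bstrSharePath(iter->strPath.c_str());

        // Resolve all SIDs first so the DACL size is known before allocation:
        // the ACL header plus one ACCESS_ALLOWED_ACE per resolved SID.
        vector<ShareAceGroup> vecGroups;
        DWORD dwAclSize = sizeof(ACL);
        CollectAceGroupsForPath(vecShareDir, iter, vecGroups, dwAclSize);

        NET_API_STATUS status;
        PACL pDacl = (PACL)malloc(dwAclSize);
        if (pDacl == NULL)
        {
            status = ERROR_NOT_ENOUGH_MEMORY;
        }
        else if (!InitializeAcl(pDacl, dwAclSize, ACL_REVISION))
        {
            status = GetLastError();
        }
        else
        {
            AppendAllowedAces(pDacl, vecGroups);
            // bDaclPresent = TRUE with bDaclDefaulted = FALSE: the share gets
            // exactly the ACEs above.  A security descriptor with no DACL would
            // leave the share open to everyone.
            SECURITY_DESCRIPTOR sd;
            if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION)
                || !SetSecurityDescriptorDacl(&sd, TRUE, pDacl, FALSE))
                status = GetLastError();
            else
                status = CreateOrUpdateShare(bstrShareName, bstrSharePath, &sd);
        }

        free(pDacl);   // free(NULL) is a no-op
        FreeAceGroups(vecGroups);

        // %s needs a C string: handing the std::string object itself to a
        // printf-style logger through varargs is undefined behaviour.
        if (status == NERR_Success)
            gLogger.debug("[CSharedResourceMgr::AddShareDir] Create share:%s successed.", iter->strNetname.c_str());
        else
            gLogger.debug("[CSharedResourceMgr::AddShareDir].Create share:%s meets an error:%d.", iter->strNetname.c_str(), status);
    }
}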
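// Resolves every account in the comma-separated list strUsers to a SID.
//
// For each name that LookupAccountName resolves (NULL system name: the local
// machine, which in turn follows the usual Windows rules for trusted domains),
// a malloc()'d SID is appended to vecSid — the caller owns these and must
// free() them — and dwAclSize grows by the size of the ACCESS_ALLOWED_ACE that
// will carry it (ACE header plus SID, minus the DWORD SidStart placeholder).
// Names that cannot be resolved are logged and skipped; nothing is appended for
// them, and the function never fails as a whole.
//
// The SID_NAME_USE returned by the lookup is not examined, so a name may
// resolve to a user, group, alias or well-known SID alike; callers that require
// a user account have to check that themselves.
//
// Buffer sizes are queried per name (a first call with empty buffers), so a
// SID or domain name larger than a fixed guess no longer fails; the original
// reused the sizes left over from the previous name and could LocalFree an
// uninitialised pointer when the SID-to-string conversion failed.
void GetSidByAccountName(string strUsers, vector<PSID>& vecSid, DWORD& dwAclSize)
{
    vector<string> vecUsers;
    Linkwork::String::SplitString(strUsers, ',', vecUsers);
    for (size_t i = 0; i < vecUsers.size(); ++i)
    {
        const string& strUser = vecUsers[i];
        if (strUser.empty())
            continue;   // "a,,b" or a trailing comma: nothing to look up

        // First call with empty buffers only reports the sizes required.
        DWORD cbSid = 0;
        DWORD cchDomain = 0;
        SID_NAME_USE peUse = SidTypeUser;
        LookupAccountName(NULL, strUser.c_str(), NULL, &cbSid, NULL, &cchDomain, &peUse);
        if (cbSid == 0 || GetLastError() != ERROR_INSUFFICIENT_BUFFER)
        {
            gLogger.debug("[CSharedResourceMgr::AddShareDir]Lookup Account Name error:%d!", GetLastError());
            continue;
        }

        PSID pSid = (PSID)malloc(cbSid);
        if (pSid == NULL)
        {
            gLogger.debug("[CSharedResourceMgr::AddShareDir]HeapAlloc memory for user:%s error.", strUser.c_str());
            continue;
        }
        // The domain name is only needed to satisfy the API; +1 keeps room for
        // the terminator even if the size query did not count it.
        vector<TCHAR> domain(cchDomain + 1);
        cchDomain = (DWORD)domain.size();
        if (!LookupAccountName(NULL, strUser.c_str(), pSid, &cbSid, &domain[0], &cchDomain, &peUse)
            || !IsValidSid(pSid))
        {
            gLogger.debug("[CSharedResourceMgr::AddShareDir]LookupAccountName error:%d!", GetLastError());
            free(pSid);
            continue;
        }

        // Diagnostics only; the string buffer is owned by LocalFree and is
        // valid solely when the conversion succeeded.
        char* pszStringSid = NULL;
        if (ConvertSidToStringSid(pSid, &pszStringSid))
        {
            gLogger.info("The sid of %s is %s", strUser.c_str(), pszStringSid);
            LocalFree(pszStringSid);
        }

        vecSid.push_back(pSid);
        dwAclSize += (sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD)) + GetLengthSid(pSid);
    }
}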
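// One run of ACEs for a share DACL: the SIDs of a single VectorShareDir entry,
// all carrying the access mask of that entry.
struct ShareAceGroup
{
    DWORD dwAccess;
    vector<PSID> vecSid;
};

// Maps an entry's nPermission to the access mask that goes into its ACE.
//   1 -> read          (0x001200a9 = FILE_GENERIC_READ | FILE_GENERIC_EXECUTE)
//   2 -> change        (0x001301bf = read | FILE_GENERIC_WRITE | DELETE)
//   3 -> full control  (GENERIC_ALL)
// Returns FALSE for any other value and leaves *pdwAccess untouched; callers
// treat that as "this entry grants nothing".
static BOOL PermissionToAccessMask(int nPermission, DWORD* pdwAccess)
{
    switch (nPermission)
    {
    case 1: *pdwAccess = 0x001200a9; return TRUE;
    case 2: *pdwAccess = 0x001301bf; return TRUE;
    case 3: *pdwAccess = GENERIC_ALL; return TRUE;
    default: return FALSE;
    }
}

// Releases every SID in every group; each SID was malloc()'d by
// GetSidByAccountName and is owned by the caller.
static void FreeAceGroups(vector<ShareAceGroup>& vecGroups)
{
    for (size_t g = 0; g < vecGroups.size(); ++g)
    {
        vector<PSID>& vecSid = vecGroups[g].vecSid;
        for (vector<PSID>::iterator it = vecSid.begin(); it != vecSid.end(); ++it)
            free(*it);
        vecSid.clear();
    }
    vecGroups.clear();
}

// Resolves the users of every entry that names the same strPath as *iter
// (including *iter itself) into vecGroups, one group per entry.  Entries whose
// nPermission grants nothing are skipped individually.  dwAclSize is grown by
// GetSidByAccountName for each SID it resolves, so the caller knows the DACL
// size before allocating it.
static void CollectAceGroupsForPath(VectorShareDir& vecShareDir,
                                    VectorShareDir::iterator iter,
                                    vector<ShareAceGroup>& vecGroups,
                                    DWORD& dwAclSize)
{
    for (VectorShareDir::iterator other = vecShareDir.begin(); other != vecShareDir.end(); ++other)
    {
        if (other->strPath != iter->strPath)
            continue;
        ShareAceGroup group;
        if (!PermissionToAccessMask(other->nPermission, &group.dwAccess))
            continue;   // grants nothing; keep scanning the remaining entries
        GetSidByAccountName(other->strUsers, group.vecSid, dwAclSize);
        vecGroups.push_back(group);
    }
}

// Appends one ACCESS_ALLOWED_ACE per SID to pDacl.  A failed append is logged
// and the remaining SIDs are still tried; pDacl must already be initialized
// with enough room for all of them.
static void AppendAllowedAces(PACL pDacl, const vector<ShareAceGroup>& vecGroups)
{
    for (size_t g = 0; g < vecGroups.size(); ++g)
    {
        const vector<PSID>& vecSid = vecGroups[g].vecSid;
        for (size_t s = 0; s < vecSid.size(); ++s)
        {
            if (!AddAccessAllowedAce(pDacl, ACL_REVISION, vecGroups[g].dwAccess, vecSid[s]))
                gLogger.debug("[CSharedResourceMgr::AddShareDir] Add ace to acl error:%d", GetLastError());
        }
    }
}

// Creates the share at level 502 with pSd as its security descriptor.  If a
// share of that name already exists, its security descriptor is replaced in
// place instead.  Returns the Net API status of whichever call decided the
// outcome; the Net API reports errors through that return value, not through
// GetLastError().
static NET_API_STATUS CreateOrUpdateShare(_bstr_t& bstrShareName, _bstr_t& bstrSharePath, PSECURITY_DESCRIPTOR pSd)
{
    SHARE_INFO_502 si502;
    si502.shi502_netname = bstrShareName;
    si502.shi502_type = STYPE_DISKTREE;
    si502.shi502_remark = NULL;
    si502.shi502_max_uses = SHI_USES_UNLIMITED;
    si502.shi502_permissions = ACCESS_ALL; // has no effect here; the DACL in pSd governs access
    si502.shi502_current_uses = 0;
    si502.shi502_path = bstrSharePath;
    si502.shi502_passwd = NULL;
    si502.shi502_reserved = 0;
    si502.shi502_security_descriptor = pSd;

    NET_API_STATUS status = NetShareAdd(NULL, 502, (LPBYTE)&si502, NULL);
    if (status != NERR_DuplicateShare)
        return status;

    PSHARE_INFO_502 bufPtr = NULL;
    NET_API_STATUS getStatus = NetShareGetInfo(NULL, bstrShareName, 502, (LPBYTE*)&bufPtr);
    if (getStatus != NERR_Success)
    {
        gLogger.debug("[CSharedResourceMgr::AddShareDir]Get share info erroe:%d\n", getStatus);
        return status;
    }
    bufPtr->shi502_security_descriptor = pSd;
    NET_API_STATUS setStatus = NetShareSetInfo(NULL, bstrShareName, 502, (LPBYTE)bufPtr, NULL);
    if (setStatus == NERR_Success)
        status = NERR_Success;
    else
        gLogger.debug("[CSharedResourceMgr::AddShareDir]Set share info erroe:%d\n", setStatus);
    // The buffer from NetShareGetInfo belongs to the Net API, not to free().
    NetApiBufferFree(bufPtr);
    return status;
}

// Creates (or re-secures, if the share name already exists) one network share
// per entry of vecShareDir.
//
// The DACL of a share is the union of the users of EVERY entry that names the
// same strPath, each user with the access mask of its own entry.  The original
// only merged the entries that came after the current one, so with several
// entries per path the last NetShareSetInfo call dropped the earlier users.
//
// An entry whose nPermission grants nothing is skipped on its own (the
// original returned and silently abandoned all remaining entries).  Allocation
// and API failures are logged per entry and do not stop the loop.
//
// Memory: the SIDs returned by GetSidByAccountName are malloc()'d and freed
// here; the DACL buffer is freed on every path.
void AddShareDir(VectorShareDir& vecShareDir)
{
    for (VectorShareDir::iterator iter = vecShareDir.begin(); iter != vecShareDir.end(); ++iter)
    {
        // Only the validity matters here; each entry's mask is re-derived when
        // its SIDs are collected below.
        DWORD dwAccess = 0;
        if (!PermissionToAccessMask(iter->nPermission, &dwAccess))
            continue;

        _bstr_t bstrShareName(iter->strNetname.c_str());
        _bstr_t bstrSharePath(iter->strPath.c_str());

        // Resolve all SIDs first so the DACL size is known before allocation:
        // the ACL header plus one ACCESS_ALLOWED_ACE per resolved SID.
        vector<ShareAceGroup> vecGroups;
        DWORD dwAclSize = sizeof(ACL);
        CollectAceGroupsForPath(vecShareDir, iter, vecGroups, dwAclSize);

        NET_API_STATUS status;
        PACL pDacl = (PACL)malloc(dwAclSize);
        if (pDacl == NULL)
        {
            status = ERROR_NOT_ENOUGH_MEMORY;
        }
        else if (!InitializeAcl(pDacl, dwAclSize, ACL_REVISION))
        {
            status = GetLastError();
        }
        else
        {
            AppendAllowedAces(pDacl, vecGroups);
            // bDaclPresent = TRUE with bDaclDefaulted = FALSE: the share gets
            // exactly the ACEs above.  A security descriptor with no DACL would
            // leave the share open to everyone.
            SECURITY_DESCRIPTOR sd;
            if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION)
                || !SetSecurityDescriptorDacl(&sd, TRUE, pDacl, FALSE))
                status = GetLastError();
            else
                status = CreateOrUpdateShare(bstrShareName, bstrSharePath, &sd);
        }

        free(pDacl);   // free(NULL) is a no-op
        FreeAceGroups(vecGroups);

        // %s needs a C string: handing the std::string object itself to a
        // printf-style logger through varargs is undefined behaviour.
        if (status == NERR_Success)
            gLogger.debug("[CSharedResourceMgr::AddShareDir] Create share:%s successed.", iter->strNetname.c_str());
        else
            gLogger.debug("[CSharedResourceMgr::AddShareDir].Create share:%s meets an error:%d.", iter->strNetname.c_str(), status);
    }
}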
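// Resolves every account in the comma-separated list strUsers to a SID.
//
// For each name that LookupAccountName resolves (NULL system name: the local
// machine, which in turn follows the usual Windows rules for trusted domains),
// a malloc()'d SID is appended to vecSid — the caller owns these and must
// free() them — and dwAclSize grows by the size of the ACCESS_ALLOWED_ACE that
// will carry it (ACE header plus SID, minus the DWORD SidStart placeholder).
// Names that cannot be resolved are logged and skipped; nothing is appended for
// them, and the function never fails as a whole.
//
// The SID_NAME_USE returned by the lookup is not examined, so a name may
// resolve to a user, group, alias or well-known SID alike; callers that require
// a user account have to check that themselves.
//
// Buffer sizes are queried per name (a first call with empty buffers), so a
// SID or domain name larger than a fixed guess no longer fails; the original
// reused the sizes left over from the previous name and could LocalFree an
// uninitialised pointer when the SID-to-string conversion failed.
void GetSidByAccountName(string strUsers, vector<PSID>& vecSid, DWORD& dwAclSize)
{
    vector<string> vecUsers;
    Linkwork::String::SplitString(strUsers, ',', vecUsers);
    for (size_t i = 0; i < vecUsers.size(); ++i)
    {
        const string& strUser = vecUsers[i];
        if (strUser.empty())
            continue;   // "a,,b" or a trailing comma: nothing to look up

        // First call with empty buffers only reports the sizes required.
        DWORD cbSid = 0;
        DWORD cchDomain = 0;
        SID_NAME_USE peUse = SidTypeUser;
        LookupAccountName(NULL, strUser.c_str(), NULL, &cbSid, NULL, &cchDomain, &peUse);
        if (cbSid == 0 || GetLastError() != ERROR_INSUFFICIENT_BUFFER)
        {
            gLogger.debug("[CSharedResourceMgr::AddShareDir]Lookup Account Name error:%d!", GetLastError());
            continue;
        }

        PSID pSid = (PSID)malloc(cbSid);
        if (pSid == NULL)
        {
            gLogger.debug("[CSharedResourceMgr::AddShareDir]HeapAlloc memory for user:%s error.", strUser.c_str());
            continue;
        }
        // The domain name is only needed to satisfy the API; +1 keeps room for
        // the terminator even if the size query did not count it.
        vector<TCHAR> domain(cchDomain + 1);
        cchDomain = (DWORD)domain.size();
        if (!LookupAccountName(NULL, strUser.c_str(), pSid, &cbSid, &domain[0], &cchDomain, &peUse)
            || !IsValidSid(pSid))
        {
            gLogger.debug("[CSharedResourceMgr::AddShareDir]LookupAccountName error:%d!", GetLastError());
            free(pSid);
            continue;
        }

        // Diagnostics only; the string buffer is owned by LocalFree and is
        // valid solely when the conversion succeeded.
        char* pszStringSid = NULL;
        if (ConvertSidToStringSid(pSid, &pszStringSid))
        {
            gLogger.info("The sid of %s is %s", strUser.c_str(), pszStringSid);
            LocalFree(pszStringSid);
        }

        vecSid.push_back(pSid);
        dwAclSize += (sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD)) + GetLengthSid(pSid);
    }
}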