
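I am using CreateFile to get a handle to a file in order to add an ACE to its DACL. The problem is that when the file has no permissions, I get an access denied error when I call CreateFile, even though I am the owner of the file and an administrator. If I use Explorer, I can add permissions.

I am not interested in other functions such as OpenFile or setting the security descriptor directly; I am interested in the right combination for opening this kind of file.

I read in MSDN that I have to use specific access rights; I tried:

CreateFile(lpFileName, READ_CONTROL | WRITE_DAC, 0, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);

CreateFile(lpFileName, READ_CONTROL | WRITE_DAC, 0, NULL, OPEN_EXISTING, ACCESS_SYSTEM_SECURITY, NULL);

Both give me access denied. Any ideas?

Thanks, Gabi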


1 Answer


This should work as the owner is always implicitly granted READ_CONTROL and WRITE_DAC, but I verified the same behavior on my machine. Out of curiosity I ran Process Monitor on it and found something a bit odd. When Explorer is opening the file to read the security information, it goes through NtOpenFile(READ_CONTROL). When my test program which calls CreateFile() is opening the file, it goes through NtCreateFile(READ_CONTROL | SYNCHRONIZE). Obviously this is going to fail as there are no ACEs granting me SYNCHRONIZE access. I have no idea where this extra access flag is coming from, though. The only thing I can think of is maybe it has something to do with WOW64 (this is a 32-bit test program running as administrator on a 64-bit machine), but I wasn't motivated enough to research it further.

Answered 2011-08-10T17:00:41.360
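Added example, not part of the original question or answer: a simplified, portable C model of the DACL check that shows why an owner's request for READ_CONTROL | WRITE_DAC succeeds on a file with an empty DACL while the same request with SYNCHRONIZE added is denied. The integer `sid` values and the function names are hypothetical; the model ignores privileges, group membership and OWNER RIGHTS ACEs.

```c
#include <stdint.h>
#include <stddef.h>

/* Access-mask bits with the values defined in winnt.h. */
#define READ_CONTROL 0x00020000u
#define WRITE_DAC    0x00040000u
#define SYNCHRONIZE  0x00100000u

typedef enum { ACE_ALLOW, ACE_DENY } ace_type;

typedef struct {
    ace_type type;
    uint32_t sid;    /* constructed stand-in for a SID */
    uint32_t mask;   /* access bits this ACE allows or denies */
} ace;

/* Simplified DACL walk: returns 1 only if every requested bit is granted. */
int access_check(uint32_t caller, uint32_t owner,
                 const ace *dacl, size_t n, uint32_t desired)
{
    uint32_t remaining = desired;

    /* The owner is implicitly granted READ_CONTROL and WRITE_DAC,
     * so those bits never need an ACE. */
    if (caller == owner)
        remaining &= ~(READ_CONTROL | WRITE_DAC);

    /* ACEs are evaluated in order until all requested bits are resolved. */
    for (size_t i = 0; i < n && remaining; i++) {
        if (dacl[i].sid != caller)
            continue;
        if (dacl[i].type == ACE_DENY) {
            if (dacl[i].mask & remaining)
                return 0;            /* a still-needed bit is denied */
        } else {
            remaining &= ~dacl[i].mask;
        }
    }
    return remaining == 0;           /* leftover bits mean access denied */
}

/* Constructed scenario: caller 1 owns a file whose DACL has no ACEs. */
int open_empty_dacl_as_owner(uint32_t desired)
{
    return access_check(1, 1, NULL, 0, desired);
}
```
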