0

What does ERROR_BAD_INHERITANCE_ACL returned from SetNamedSecurityInfo mean? In this case I'm adding a user to the ACL of a directory. I've looked at the directory in question and its rights seem reasonable before the call. But the call fails.

Any ideas?

Here's the snippet of code that does the work (as I pasted it here, I'm wondering about that NO_MULTIPLE_TRUSTEE value):

pAAP is a pointer to a structure with the following members:
CString objName;          // name of object
SE_OBJECT_TYPE ObjectType;  // type of object
CString trustee;            // trustee for new ACE (explicit user name)
CString targetComputer;
bool bNeedWrite;

    // Requires <windows.h> and <aclapi.h> (GetNamedSecurityInfo, SetEntriesInAcl,
    // SetNamedSecurityInfo); CSID, Log and GetSystemErrorMessage are the project's own helpers.
    DWORD dwRes = 0;
    PACL pOldDACL = NULL, pNewDACL = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    EXPLICIT_ACCESS ea = {0};
    CSID trusteeSID;

    // Resolve the trustee to a SID: either a literal "SID:S-1-..." string or an account name
    // looked up on the target computer.
    bool bGotSID = false;
    if(0 == wcsncmp(pAAP->trustee, L"SID:", 4)) //4 = len of SID: //GLOK
        bGotSID = CSID::FromString((LPWSTR)((LPCWSTR)pAAP->trustee + 4), trusteeSID);
    else
        bGotSID = CSID::FromAccount(pAAP->targetComputer, pAAP->trustee, trusteeSID);

    if(false == bGotSID)
    {
        Log(logDEBUG, L"CSID::FromAccount failed for [%s] on [%s].  GLE=%s", pAAP->trustee, pAAP->targetComputer, GetSystemErrorMessage(GetLastError()));
        _ASSERT(0);
        goto Cleanup;
    }

    // Get a pointer to the existing DACL (pOldDACL points into pSD, which we must LocalFree).
    dwRes = GetNamedSecurityInfo(pAAP->objName.LockBuffer(), pAAP->ObjectType, DACL_SECURITY_INFORMATION,
                                NULL, NULL, &pOldDACL, NULL, &pSD);
    pAAP->objName.UnlockBuffer();
    if (ERROR_SUCCESS != dwRes)
    {
        Log(logDEBUG, L"GetNamedSecurityInfo failed on [%s] for [%s] on [%s].  GLE=%s", pAAP->objName, pAAP->trustee, pAAP->targetComputer, GetSystemErrorMessage(dwRes));
        //_ASSERT(ERROR_FILE_NOT_FOUND == dwRes);
        goto Cleanup;
    }

    // Initialize an EXPLICIT_ACCESS structure for the new ACE: an Allow ACE that is
    // inherited by both sub-directories and files.
    ea.grfAccessPermissions = pAAP->bNeedWrite ? GENERIC_ALL : GENERIC_READ;
    ea.grfAccessMode = GRANT_ACCESS;
    ea.grfInheritance= CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
    ea.Trustee.ptstrName = (LPWSTR)(PSID)trusteeSID;
    ea.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;

    // Create a new ACL that merges the new ACE into the existing DACL.
    dwRes = SetEntriesInAcl(1, &ea, pOldDACL, &pNewDACL);
    if (ERROR_SUCCESS != dwRes)
    {
        Log(logDEBUG, L"SetEntriesInAcl failed on [%s] for [%s] on [%s].  GLE=%s", pAAP->objName, pAAP->trustee, pAAP->targetComputer, GetSystemErrorMessage(dwRes));
        //_ASSERT(0);
        goto Cleanup;
    }

    // Attach the new ACL as the object's DACL.
    dwRes = SetNamedSecurityInfo(pAAP->objName.LockBuffer(), pAAP->ObjectType, DACL_SECURITY_INFORMATION,
                                NULL, NULL, pNewDACL, NULL);
    if (ERROR_SUCCESS != dwRes)
    {
        Log(logDEBUG, L"SetNamedSecurityInfo failed on [%s] for [%s] on [%s].  GLE=%s", pAAP->objName, pAAP->trustee, pAAP->targetComputer, GetSystemErrorMessage(dwRes));
        //_ASSERT(dwRes == ERROR_BAD_INHERITANCE_ACL);
        goto Cleanup;
    }

Cleanup:
    if(pSD != NULL)
        LocalFree((HLOCAL) pSD);
    if(pNewDACL != NULL)
        LocalFree((HLOCAL) pNewDACL);
4

1 Answer 1

0

A code sample would definitely help. It's easy to get the logic of building and setting the ACL wrong.

I don't have the code in front of me, but the basic logic is:

  1. Get the process token with a sufficient access mask
  2. GetNamedSecurityInfo
  3. Allocate a new ACL large enough for the new ACE, copy from the old one to the new one, and call AddAccessAllowedAceEx to add the user's SID
  4. SetNamedSecurityInfo
answered 2009-07-07T03:24:54.940
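As an added example that is not from the question or the answer, the same task done from PowerShell: read the directory's DACL first so the inherited ACEs and inheritance flags are visible, then merge one explicit Allow ACE with the same inheritance flags the question's EXPLICIT_ACCESS uses (CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE) and write it back. The path and account are placeholders; the trustee may also be given as a SID string, mirroring the "SID:" handling in the question.

```powershell
param(
    [string]$Path    = 'C:\path\to\dir',   # placeholder directory
    [string]$Account = 'DOMAIN\username',  # placeholder account, or a SID string such as 'S-1-5-21-...'
    [switch]$NeedWrite                     # same meaning as bNeedWrite in the question
)

$acl = Get-Acl -Path $Path

# Show the DACL before touching it. ACEs with IsInherited = $true come from the parent and are
# recomputed by inheritance propagation; AreAccessRulesProtected tells whether inheritance is blocked.
"Inheritance blocked on {0}: {1}" -f $Path, $acl.AreAccessRulesProtected
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType,
                           IsInherited, InheritanceFlags, PropagationFlags -AutoSize

# Accept either an account name or a SID string as the trustee.
$identity = if ($Account -match '^S-1-') {
    [System.Security.Principal.SecurityIdentifier]$Account
} else {
    [System.Security.Principal.NTAccount]$Account
}

# FullControl ~ GENERIC_ALL, Read ~ GENERIC_READ from the question.
$rights = if ($NeedWrite) { [System.Security.AccessControl.FileSystemRights]::FullControl } else { [System.Security.AccessControl.FileSystemRights]::Read }

# ContainerInherit + ObjectInherit == CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $identity,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# AddAccessRule merges one explicit ACE into the DACL and leaves the inherited ACEs alone,
# which is the manual "copy old ACL, append new ACE" step from the answer.
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify that the explicit ACE landed with the intended inheritance flags.
(Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

Set-Acl needs the caller to hold WRITE_DAC on the directory (owner or administrator), which corresponds to the "process token with a sufficient access mask" step in the answer.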