Windows Access Control List (ACL) Example 17


An Empty DACL Program Example

The following program example demonstrates creating an empty DACL.

Create a new empty Win32 console application project. Give a suitable project name and change the project location if needed.

An Empty DACL Program Example: Creating a new VC++ project

Then, add the source file and give it a suitable name.

An Empty DACL Program Example: Adding the C++ source file

Next, add the following source code.

// An empty DACL program example
#define _WIN32_WINNT 0x0500     // ConvertStringSecurityDescriptorToSecurityDescriptor() needs Windows 2000 or later
#include <windows.h>
#include <sddl.h>
#include <stdio.h>
#include <stdlib.h>             // exit()

#pragma comment(lib, "advapi32.lib")   // ConvertStringSecurityDescriptorToSecurityDescriptorW() lives in advapi32

// Prototype
BOOL CreateMyDACL(SECURITY_ATTRIBUTES *);

// wmain() is the wide-character entry point; main(int, WCHAR **) is not a valid signature
int wmain(int argc, WCHAR **argv)
{
    SECURITY_ATTRIBUTES sa;
    // The SECURITY_ATTRIBUTES structure size
    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    // The returned handle is not inherited by child processes
    sa.bInheritHandle = FALSE;
    // Directory that will be assigned the empty DACL
    WCHAR DirName[] = L"\\\\?\\C:\\MyEmptyDACLDir";

    // Call CreateMyDACL() to set the DACL. The DACL is stored in the
    // SECURITY_ATTRIBUTES lpSecurityDescriptor member
    if (!CreateMyDACL(&sa))
    {
        // Error encountered; generate message and just exit
        wprintf(L"CreateMyDACL() failed, error %lu\n", GetLastError());
        exit(1);
    }
    else
        wprintf(L"CreateMyDACL() - DACL was created successfully!\n");

    // Use the updated SECURITY_ATTRIBUTES to specify security attributes for
    // securable objects. This example uses them during creation of a new directory.
    // The explicit W version is called so the code does not depend on UNICODE being defined
    if (CreateDirectoryW(DirName, &sa) == 0)
    {
        // Error encountered; generate message and exit
        wprintf(L"failed to create %s directory!, error %lu\n", DirName, GetLastError());
        exit(1);
    }
    else
        wprintf(L"CreateDirectory() - %s was created successfully!\n", DirName);

    // Release the memory allocated for the SECURITY_DESCRIPTOR.
    // LocalFree() returns NULL on success
    if (LocalFree(sa.lpSecurityDescriptor) != NULL)
    {
        // Error encountered; generate message and exit
        wprintf(L"LocalFree() failed, error %lu.\n", GetLastError());
        exit(1);
    }
    else
        wprintf(L"LocalFree() - buffer was freed-up.\n");

    return 0;
}

// Create a security descriptor that contains the DACL you want
BOOL CreateMyDACL(SECURITY_ATTRIBUTES *pSA)
{
    // An empty DACL: "D:" with no ACE strings after it
    LPCWSTR szSD = L"D:";

    if (pSA == NULL)
        return FALSE;
    else
        wprintf(L"SECURITY_ATTRIBUTES was passed properly!\n");

    // Do some verification
    wprintf(L"The ACE strings: %s \n", szSD);
    wprintf(L"Length: %u\n", pSA->nLength);

    // Convert the SDDL string to a binary security descriptor and return
    return ConvertStringSecurityDescriptorToSecurityDescriptorW(
        szSD,                          // The SDDL string
        SDDL_REVISION_1,               // Standard revision level
        &(pSA->lpSecurityDescriptor),  // Receives a pointer to the converted security descriptor
        NULL);                         // Size in bytes of the converted descriptor (optional, not needed here)
}

Build and run the project. The following screenshot is a sample output.

An Empty DACL Program Example: A sample console output

In this case, when user Mike spoon (a member of the Administrators group) tries to open (or delete) the C:\MyEmptyDACLDir directory, the following message is displayed.

An Empty DACL Program Example: The folder cannot be accessed

When we verify through the MyEmptyDACLDir's property page, there is no ACE at all. An empty DACL grants nothing to anybody, which is why even the user who created the directory is locked out. Well, do not create an empty DACL.

An Empty DACL Program Example: There is no user and/or group

An Empty DACL Program Example: The detailed permissions also show no user or group (deny or allow)

By the way, the Administrator user (or any user who is a member of the Administrators group) still has the right to modify the permissions (use the Add button to add an ACE) or to take ownership of this directory object.
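The two things a practitioner wants after running the program above are a way to tell an empty DACL apart from a NULL DACL (the opposite mistake, which grants everyone full access) and a way to get the locked-out directory back. The following PowerShell script is an added example and not part of the tutorial: `Get-DaclKind` classifies an SDDL string of the kind `CreateMyDACL()` converts, and `Repair-EmptyDacl` adds a single Administrators full-control ACE to a directory whose DACL is empty. The function names, the choice of BUILTIN\Administrators as the repair principal, and the sample SDDL strings other than the tutorial's `D:` are my assumptions; `$TargetDir` reuses the tutorial's directory.

```powershell
# Added example, not the tutorial's code: classify a DACL as NULL, empty or
# populated, then repair a directory that was created with the empty "D:" DACL.
# $TargetDir is the tutorial's directory; the function names are assumptions.
$TargetDir = 'C:\MyEmptyDACLDir'

function Get-DaclKind {
    param([Parameter(Mandatory)][string]$Sddl)
    # RawSecurityDescriptor parses the SDDL string in memory; no object is touched
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    if ($null -eq $sd.DiscretionaryAcl) {
        return 'NullDacl'          # no DACL at all: every caller gets full access
    }
    if ($sd.DiscretionaryAcl.Count -eq 0) {
        return 'EmptyDacl'         # DACL present but without ACEs: every caller is denied
    }
    return 'Populated'             # at least one ACE decides who gets what
}

function Repair-EmptyDacl {
    param([Parameter(Mandatory)][string]$Path)
    # Reading the descriptor needs READ_CONTROL, which the owner holds implicitly
    # even with an empty DACL; anyone else has to take ownership first
    $acl = Get-Acl -LiteralPath $Path
    $kind = Get-DaclKind -Sddl $acl.GetSecurityDescriptorSddlForm('Access')
    if ($kind -ne 'EmptyDacl') {
        Write-Host "$Path DACL is $kind, nothing to repair"
        return $false
    }
    # One explicit ACE: BUILTIN\Administrators, full control, inherited by
    # sub-folders (ContainerInherit) and files (ObjectInherit)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl',
        'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    # Writing the DACL needs WRITE_DAC, also implicit for the owner
    Set-Acl -LiteralPath $Path -AclObject $acl
    Write-Host "$Path repaired: Administrators now have full control"
    return $true
}

# SDDL strings a program could hand to ConvertStringSecurityDescriptorToSecurityDescriptor()
$samples = @(
    'D:',                                  # the tutorial's string: an empty DACL
    'D:NO_ACCESS_CONTROL',                 # a NULL DACL, the opposite mistake
    'D:(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)'   # Administrators and SYSTEM get full control
)
foreach ($s in $samples) { '{0,-40} -> {1}' -f $s, (Get-DaclKind -Sddl $s) }

Repair-EmptyDacl -Path $TargetDir
```

Run it from an elevated prompt as the user who created the directory (or as a member of the owning group); if you are not the owner, take ownership first as the paragraph above describes, since an empty DACL leaves no ACE that could grant you WRITE_DAC. Note that `Get-Acl` represents a NULL DACL on a live object as a single allow-Everyone full-control ACE, so the `NullDacl` branch is only ever reached for raw SDDL strings; on a live directory the check can return only `EmptyDacl` or `Populated`.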
