An Empty DACL Program Example
The following program example demonstrates creating an empty DACL.
Create a new empty Win32 console application project. Give a suitable project name and change the project location if needed.
Then, add the source file and give it a suitable name.
Next, add the following source code.
// An empty DACL program example
// #define _WIN32_WINNT 0x0500
// The code uses the wide-character (W) versions of the Win32 APIs,
// so UNICODE must be defined before windows.h is included.
#ifndef UNICODE
#define UNICODE
#endif
#ifndef _UNICODE
#define _UNICODE
#endif
#include <windows.h>
#include <sddl.h>
#include <stdio.h>
#include <stdlib.h>
// ConvertStringSecurityDescriptorToSecurityDescriptor() is exported by advapi32.dll
#pragma comment(lib, "advapi32.lib")

// Prototype
BOOL CreateMyDACL(SECURITY_ATTRIBUTES *);

// wmain() is the wide-character entry point; main() cannot take WCHAR **argv
int wmain(int argc, WCHAR **argv)
{
    SECURITY_ATTRIBUTES sa;
    // The SECURITY_ATTRIBUTES structure size
    sa.nLength = sizeof(SECURITY_ATTRIBUTES);
    // The returned handle is not inheritable
    sa.bInheritHandle = FALSE;
    // Directory that will be assigned the empty DACL
    // (the \\?\ prefix selects an extended-length path)
    WCHAR DirName[] = L"\\\\?\\C:\\MyEmptyDACLDir";

    // Call CreateMyDACL() to set the DACL. The DACL is stored in the
    // SECURITY_ATTRIBUTES lpSecurityDescriptor member.
    if (!CreateMyDACL(&sa))
    {
        // Error encountered; generate a message and just exit.
        wprintf(L"CreateMyDACL() failed, error %u\n", GetLastError());
        exit(1);
    }
    else
        wprintf(L"CreateMyDACL() - DACL was created successfully!\n");

    // Use the updated SECURITY_ATTRIBUTES to specify security attributes
    // for securable objects. This example uses the security attributes
    // during creation of a new directory.
    if (CreateDirectory(DirName, &sa) == 0)
    {
        // Error encountered; generate a message and exit.
        wprintf(L"Failed to create %s directory, error %u\n", DirName, GetLastError());
        exit(1);
    }
    else
        wprintf(L"CreateDirectory() - %s was created successfully!\n", DirName);

    // Release the memory allocated for the SECURITY_DESCRIPTOR.
    // ConvertStringSecurityDescriptorToSecurityDescriptor() allocates it
    // with LocalAlloc(), so it must be freed with LocalFree().
    if (LocalFree(sa.lpSecurityDescriptor) != NULL)
    {
        // Error encountered; generate a message and exit.
        wprintf(L"LocalFree() failed, error %u.\n", GetLastError());
        exit(1);
    }
    else
        wprintf(L"LocalFree() - buffer was freed up.\n");

    return 0;
}

// Create a security descriptor that contains the DACL you want.
BOOL CreateMyDACL(SECURITY_ATTRIBUTES *pSA)
{
    // Receives the size, in bytes, of the converted security descriptor
    ULONG nSize = 0;
    // An empty DACL: a "D:" section with no ACE strings after it
    WCHAR *szSD = L"D:";

    if (pSA == NULL)
        return FALSE;
    else
        wprintf(L"SECURITY_ATTRIBUTES was passed properly!\n");

    // Do some verification
    wprintf(L"The ACE strings: %s \n", szSD);
    wprintf(L"Length: %u\n", pSA->nLength);

    // Convert the SDDL string to a binary security descriptor and return
    return ConvertStringSecurityDescriptorToSecurityDescriptor(
        szSD,                         // The ACE strings (SDDL)
        SDDL_REVISION_1,              // Standard revision level
        &(pSA->lpSecurityDescriptor), // Receives the converted security descriptor
        &nSize);                      // Receives the size in bytes of the security descriptor
}
Build and run the project. The following screenshot is a sample output.
In this case, when user Mike spoon (a member of the Administrators group) tries to open (or delete) the C:\MyEmptyDACLDir directory, the following message was displayed.
When we check the MyEmptyDACLDir directory's property page, there is no ACE at all: an empty DACL grants access to nobody, so every access request is denied, including those from members of the Administrators group. Well, do not create an empty DACL.
By the way, the Administrator user (and any user who is a member of the Administrators group) still has permission to modify the permissions (use the Add button to add an ACE), or he/she can take ownership of this directory object, because the owner of an object always retains the right to read and change its DACL and administrators hold the take-ownership privilege.
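To audit security descriptors for this mistake without the Windows API, here is an added example in portable C (not code from the original page): it parses an SDDL string, the same notation the program above passes to ConvertStringSecurityDescriptorToSecurityDescriptor(), and reports whether the DACL is absent (a NULL DACL, which grants everyone full access), empty (the "D:" case above, which denies everyone), or populated. The enum and the function name classify_sddl_dacl are this example's own; the NO_ACCESS_CONTROL token is SDDL's spelling of a NULL DACL.

```c
#include <stddef.h>
#include <string.h>

/* Classification of the DACL that an SDDL string describes (example's own enum) */
enum dacl_kind {
    DACL_NULL = 0,      /* no D: section, or D:NO_ACCESS_CONTROL: everyone gets full access */
    DACL_EMPTY = 1,     /* D: with no ACEs: nobody gets any access (this page's example) */
    DACL_POPULATED = 2  /* D: followed by one or more (...) ACE strings */
};

/* Walk the SDDL string once. The O:, G:, D: and S: section markers are only
 * recognised at parenthesis depth 0, so rights, GUIDs and SIDs written inside an
 * ACE "(...)" can never be mistaken for a section marker. Each "(" that opens at
 * depth 0 while we are inside the D: section counts as one ACE. */
enum dacl_kind classify_sddl_dacl(const char *sddl, int *ace_count)
{
    int depth = 0, in_dacl = 0, found = 0, null_dacl = 0, count = 0;
    const char *p;

    for (p = sddl; *p != '\0'; p++) {
        if (*p == '(') {
            if (in_dacl && depth == 0)
                count++;
            depth++;
            continue;
        }
        if (*p == ')') {
            if (depth > 0)
                depth--;
            continue;
        }
        if (depth != 0 || p[1] != ':' || strchr("OGDS", *p) == NULL)
            continue;
        /* Top-level section marker: remember whether we are now in the DACL */
        in_dacl = (*p == 'D');
        if (in_dacl) {
            found = 1;
            /* SDDL spells a NULL DACL as D:NO_ACCESS_CONTROL (SDDL_NULL_ACL) */
            if (strncmp(p + 2, "NO_ACCESS_CONTROL", 17) == 0)
                null_dacl = 1;
        }
        p++; /* skip the ':' */
    }
    if (ace_count != NULL)
        *ace_count = count;
    if (!found || null_dacl)
        return DACL_NULL;
    return count == 0 ? DACL_EMPTY : DACL_POPULATED;
}
```

Feed it the strings that Get-Acl's Sddl property or ConvertSecurityDescriptorToStringSecurityDescriptor() produce for existing objects; any result of DACL_EMPTY is an object nobody can use, and DACL_NULL is an object anybody can use.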