思路是：首先获取指定用户的 SID，为共享资源建立一个访问控制列表（ACL），把各用户的 SID 加入该列表，再用它初始化共享资源的安全描述符。
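// Maps the configured permission level to the access mask placed in the ACE.
// Returns FALSE when the level grants nothing, i.e. no ACE should be added.
static BOOL PermissionToAccessMask(int nPermission, DWORD& dwAccess)
{
    switch (nPermission)
    {
    case 1: // 读 (Read): FILE_GENERIC_READ | FILE_GENERIC_EXECUTE
        dwAccess = 0x001200a9;
        return TRUE;
    case 2: // 更改 (Change): read, write, execute and DELETE
        dwAccess = 0x001301bf;
        return TRUE;
    case 3: // 完全控制 (Full control)
        dwAccess = GENERIC_ALL;
        return TRUE;
    default:
        return FALSE;
    }
}

// Releases SIDs that GetSidByAccountName allocated with malloc().
static void FreeSids(vector<PSID>& vecSid)
{
    for (vector<PSID>::iterator it = vecSid.begin(); it != vecSid.end(); ++it)
        free(*it);
    vecSid.clear();
}

// Allocates and fills a DACL with one ACCESS_ALLOWED ACE per SID. dwAclSize must
// already account for every ACE (GetSidByAccountName accumulates it). Each ACE
// embeds a copy of its SID, so the caller may free the SIDs once this returns.
// Returns NULL on failure; the caller releases the result with free().
static PACL BuildShareDacl(DWORD dwAclSize, const vector<DWORD>& vecAccess, const vector< vector<PSID> >& vecGroupSids)
{
    PACL pDacl = (PACL)malloc(dwAclSize);
    if (pDacl == NULL)
        return NULL;
    if (!InitializeAcl(pDacl, dwAclSize, ACL_REVISION))
    {
        gLogger.debug("[CSharedResourceMgr::AddShareDir] InitializeAcl error:%d", GetLastError());
        free(pDacl);
        return NULL;
    }
    for (size_t g = 0; g < vecGroupSids.size(); ++g)
    {
        const vector<PSID>& vecSid = vecGroupSids[g];
        for (vector<PSID>::const_iterator it = vecSid.begin(); it != vecSid.end(); ++it)
        {
            // A failed ACE is logged and skipped so the remaining principals still get theirs.
            if (!AddAccessAllowedAce(pDacl, ACL_REVISION, vecAccess[g], *it))
                gLogger.debug("[CSharedResourceMgr::AddShareDir] Add ace to acl error:%d", GetLastError());
        }
    }
    return pDacl;
}

// Creates (or re-secures, if it already exists) one disk share per distinct
// strPath in vecShareDir. All entries sharing a path are merged into a single
// DACL holding one ACCESS_ALLOWED ACE per resolved account, so a path's access
// list is the union of every entry configured for it; accounts not listed get
// no access through the share because the DACL contains only allow ACEs.
// Entries whose nPermission grants nothing, or whose accounts cannot be
// resolved, contribute no ACE; a path with no ACE at all is not shared.
// Failures are logged through gLogger and processing continues with the next path.
void AddShareDir(VectorShareDir& vecShareDir)
{
    for (VectorShareDir::iterator iter = vecShareDir.begin(); iter != vecShareDir.end(); ++iter)
    {
        // The first entry for a path handles every entry with that path, so a later
        // duplicate must be skipped: re-adding it would replace the share's DACL
        // with only the trailing subset of accounts.
        bool bAlreadyHandled = false;
        for (VectorShareDir::iterator prev = vecShareDir.begin(); prev != iter; ++prev)
        {
            if (prev->strPath == iter->strPath)
            {
                bAlreadyHandled = true;
                break;
            }
        }
        if (bAlreadyHandled)
            continue;

        // Pass 1: resolve the SIDs of every entry for this path once and let
        // GetSidByAccountName accumulate the ACL storage they need.
        DWORD dwAclSize = sizeof(ACL);
        vector<DWORD> vecAccess;               // access mask per entry
        vector< vector<PSID> > vecGroupSids;   // resolved SIDs per entry, parallel to vecAccess
        for (VectorShareDir::iterator _iter = iter; _iter != vecShareDir.end(); ++_iter)
        {
            if (_iter->strPath != iter->strPath)
                continue;
            DWORD dwAccess = 0;
            // 如果没有任何权限则不添加共享 -- an entry granting nothing adds no ACE
            if (!PermissionToAccessMask(_iter->nPermission, dwAccess))
                continue;
            vector<PSID> vecSid;
            GetSidByAccountName(_iter->strUsers, vecSid, dwAclSize);
            if (vecSid.empty())
                continue;
            vecAccess.push_back(dwAccess);
            vecGroupSids.push_back(vecSid);
        }
        if (vecGroupSids.empty())
            continue;

        // Pass 2: build the DACL; the SIDs are copied into the ACEs and can be released.
        PACL pDacl = BuildShareDacl(dwAclSize, vecAccess, vecGroupSids);
        for (size_t g = 0; g < vecGroupSids.size(); ++g)
            FreeSids(vecGroupSids[g]);
        if (pDacl == NULL)
        {
            gLogger.debug("[CSharedResourceMgr::AddShareDir] Build acl for share:%s failed.", iter->strNetname.c_str());
            continue;
        }

        SECURITY_DESCRIPTOR sd;
        // A descriptor without a present DACL grants everyone access, so a failure
        // here must abort this share instead of being ignored.
        if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION) ||
            !SetSecurityDescriptorDacl(&sd, TRUE, pDacl, FALSE))
        {
            gLogger.debug("[CSharedResourceMgr::AddShareDir] Init security descriptor error:%d", GetLastError());
            free(pDacl);
            continue;
        }

        _bstr_t bstrShareName(iter->strNetname.c_str());
        _bstr_t bstrSharePath(iter->strPath.c_str());
        SHARE_INFO_502 si502;
        si502.shi502_netname = bstrShareName;
        si502.shi502_type = STYPE_DISKTREE;
        si502.shi502_remark = NULL;
        si502.shi502_max_uses = SHI_USES_UNLIMITED;
        si502.shi502_permissions = ACCESS_ALL; // 此权限不起作用 -- access is governed by the DACL, not this field
        si502.shi502_current_uses = 0;
        si502.shi502_path = bstrSharePath;
        si502.shi502_passwd = NULL;
        si502.shi502_reserved = 0;
        si502.shi502_security_descriptor = &sd;

        NET_API_STATUS status = NetShareAdd(NULL, 502, (LPBYTE)&si502, NULL);
        if (status == NERR_DuplicateShare)
        {
            // The share exists: re-apply only the security descriptor and keep the
            // rest of its current settings. Net API calls report the error in their
            // return value, which is what gets logged.
            PSHARE_INFO_502 bufPtr = NULL;
            status = NetShareGetInfo(NULL, bstrShareName, 502, (LPBYTE*)&bufPtr);
            if (status == NERR_Success)
            {
                bufPtr->shi502_security_descriptor = &sd;
                status = NetShareSetInfo(NULL, bstrShareName, 502, (LPBYTE)bufPtr, NULL);
                if (status != NERR_Success)
                    gLogger.debug("[CSharedResourceMgr::AddShareDir]Set share info erroe:%d\n", status);
                NetApiBufferFree(bufPtr); // buffer is allocated by NetShareGetInfo
            }
            else
            {
                gLogger.debug("[CSharedResourceMgr::AddShareDir]Get share info erroe:%d\n", status);
            }
        }

        free(pDacl); // the Net API copies the descriptor, so nothing references pDacl now
        if (status == NERR_Success)
            gLogger.debug("[CSharedResourceMgr::AddShareDir] Create share:%s successed.", iter->strNetname.c_str());
        else
            gLogger.debug("[CSharedResourceMgr::AddShareDir].Create share:%s meets an error:%d.", iter->strNetname.c_str(), status);
    }
}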
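// Resolves every comma-separated account in strUsers to a SID and appends the
// SIDs to vecSid, adding to dwAclSize the bytes an ACCESS_ALLOWED_ACE for each
// SID will occupy (the ACE header plus the SID, minus the DWORD SidStart
// placeholder already counted in the header). Each SID is allocated with
// malloc() and owned by the caller. Accounts that are empty or cannot be
// resolved are logged and skipped; dwAclSize grows only for SIDs actually
// appended. Lookups are done against the local system (NULL system name).
void GetSidByAccountName(string strUsers, vector<PSID>& vecSid, DWORD& dwAclSize)
{
    vector<string> vecUsers;
    Linkwork::String::SplitString(strUsers, ',', vecUsers);
    for (size_t i = 0; i < vecUsers.size(); ++i)
    {
        const string& strUser = vecUsers[i];
        if (strUser.empty())
            continue;
        // cbSid / cchDomain are in-out: LookupAccountName overwrites them with the
        // sizes it used or needs, so they are reset for every account instead of
        // being carried over from the previous lookup.
        TCHAR RefDomain[64];
        const DWORD cchDomainMax = sizeof(RefDomain) / sizeof(RefDomain[0]);
        DWORD cchDomain = cchDomainMax;
        DWORD cbSid = 96;
        SID_NAME_USE peUse = SidTypeUser;
        PSID pSid = (PSID)malloc(cbSid);
        if (pSid == NULL)
        {
            gLogger.debug("[CSharedResourceMgr::AddShareDir]HeapAlloc memory for user:%s error.", strUser.c_str());
            continue;
        }
        if (!LookupAccountName(NULL, strUser.c_str(), pSid, &cbSid, RefDomain, &cchDomain, &peUse))
        {
            DWORD dwError = GetLastError(); // read before free() can disturb it
            free(pSid);
            pSid = NULL;
            if (dwError != ERROR_INSUFFICIENT_BUFFER)
            {
                gLogger.debug("[CSharedResourceMgr::AddShareDir]Lookup Account Name error:%d!", dwError);
                continue;
            }
            // Retry with the SID size LookupAccountName reported. RefDomain stays
            // fixed, so a domain name longer than cchDomainMax still fails here and
            // the account is skipped.
            pSid = (PSID)malloc(cbSid);
            if (pSid == NULL)
            {
                gLogger.debug("[CSharedResourceMgr::AddShareDir]HeapAlloc memory for user:%s error.", strUser.c_str());
                continue;
            }
            cchDomain = cchDomainMax;
            if (!LookupAccountName(NULL, strUser.c_str(), pSid, &cbSid, RefDomain, &cchDomain, &peUse))
            {
                gLogger.debug("[CSharedResourceMgr::AddShareDir]LookupAccountName error:%d!", GetLastError());
                free(pSid);
                continue;
            }
        }
        if (!IsValidSid(pSid))
        {
            gLogger.debug("[CSharedResourceMgr::AddShareDir]SID is NOT valid!");
            free(pSid);
            continue;
        }
        // Diagnostic only. ConvertSidToStringSid allocates with LocalAlloc, so the
        // string is released with LocalFree, and only when the call succeeded.
        char* pszStringSid = NULL;
        if (ConvertSidToStringSid(pSid, &pszStringSid))
        {
            gLogger.info("The sid of %s is %s", strUser.c_str(), pszStringSid);
            LocalFree(pszStringSid);
        }
        vecSid.push_back(pSid);
        dwAclSize += (sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD)) + GetLengthSid(pSid);
    }
}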
用API实现指定共享用户访问权限的方法