When calling Get/Set[Named]SecurityInfo with SE_LMSHARE, how are the type specific access rights in an ACE interpreted?

I'm guessing I should use the directory version of the File Access Rights Constants but is this documented anywhere?

Anders
  • [WMI to the rescue](http://msdn.microsoft.com/en-us/library/aa390438%28v=vs.85%29.aspx). I never thought I'd say that. – arx Mar 22 '14 at 19:19
  • Curious; I wonder if this interface allows you to set more granular permissions than the GUI allows? – Harry Johnston Mar 23 '14 at 22:09
  • @HarryJohnston: I would imagine so, the ACLUI editor is a very stripped down useless version when viewing the shares. Full control seems to end up as "Allow: 0x001f01ff S-1-..." – Anders Mar 23 '14 at 22:25

1 Answer

For the benefit of anybody else that, like me, is trying to set permissions on Windows shares and stumbles upon this old question, I've put together the following:

```csharp
using System; // FlagsAttribute

[Flags]
public enum ACCESS_MASK : uint
{
    READ_FILE =         0x000001, // 0b000000000000000000001, 1 << 0
    WRITE_FILE =        0x000002, // 0b000000000000000000010, 1 << 1
    CREATE_SUBDIR =     0x000004, // 0b000000000000000000100, 1 << 2
    READ_EXT_ATTR =     0x000008, // 0b000000000000000001000, 1 << 3
    WRITE_EXT_ATTR =    0x000010, // 0b000000000000000010000, 1 << 4
    EXECUTE =           0x000020, // 0b000000000000000100000, 1 << 5
    DELETE_DIR =        0x000040, // 0b000000000000001000000, 1 << 6
    READ_FILE_ATTR =    0x000080, // 0b000000000000010000000, 1 << 7
    WRITE_FILE_ATTR =   0x000100, // 0b000000000000100000000, 1 << 8

    DELETE =            0x010000, // 0b000010000000000000000, 1 << 16
    READ_SD =           0x020000, // 0b000100000000000000000, 1 << 17
    WRITE_DACL =        0x040000, // 0b001000000000000000000, 1 << 18
    WRITE_OWNER =       0x080000, // 0b010000000000000000000, 1 << 19
    SYNCHRONIZE =       0x100000, // 0b100000000000000000000, 1 << 20
                                  //   2         1
                                  //   098765432109876543210

    // These combinations of the above flags correspond to the preset control levels in the relevant Windows dialogs.
    SHARE_READ =    READ_FILE | READ_EXT_ATTR | EXECUTE | READ_FILE_ATTR | READ_SD | SYNCHRONIZE,
    SHARE_CHANGE =  SHARE_READ | WRITE_FILE | CREATE_SUBDIR | WRITE_EXT_ATTR | WRITE_FILE_ATTR | DELETE,
    SHARE_FULL =    SHARE_CHANGE | DELETE_DIR | WRITE_DACL | WRITE_OWNER
}
```

Note that this is not an exhaustive list - it contains the minimal subset of flags required to provide the three Windows presets for share permissions (i.e. the final three members above).

StackzOfZtuff
nick_b
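
An added example, not part of the original answer: when auditing share ACEs, the raw mask can be decoded into the rights named in the enum above and compared against the three presets, which shows whether an entry is one of the dialog's levels or a more granular custom mask. The class and method names (`ShareMaskAudit`, `Classify`, `Describe`) are hypothetical, and the sample masks are constructed except for `0x001f01ff`, the Full Control value quoted in the comments.

```csharp
using System;
using System.Collections.Generic;

static class ShareMaskAudit
{
    // Preset values computed from the answer's SHARE_READ / SHARE_CHANGE / SHARE_FULL members.
    const uint Read = 0x001200A9, Change = 0x001301BF, Full = 0x001F01FF;

    // Individual rights, named as in the answer's enum.
    static readonly (uint Bit, string Name)[] Rights =
    {
        (0x000001, "READ_FILE"),       (0x000002, "WRITE_FILE"),
        (0x000004, "CREATE_SUBDIR"),   (0x000008, "READ_EXT_ATTR"),
        (0x000010, "WRITE_EXT_ATTR"),  (0x000020, "EXECUTE"),
        (0x000040, "DELETE_DIR"),      (0x000080, "READ_FILE_ATTR"),
        (0x000100, "WRITE_FILE_ATTR"), (0x010000, "DELETE"),
        (0x020000, "READ_SD"),         (0x040000, "WRITE_DACL"),
        (0x080000, "WRITE_OWNER"),     (0x100000, "SYNCHRONIZE"),
    };

    // Hypothetical helper: names the preset a mask equals, or the smallest preset that covers it.
    public static string Classify(uint mask)
    {
        if (mask == Full) return "Full Control";
        if (mask == Change) return "Change";
        if (mask == Read) return "Read";
        if ((mask & ~Read) == 0) return "custom, within Read";
        if ((mask & ~Change) == 0) return "custom, within Change";
        if ((mask & ~Full) == 0) return "custom, within Full Control";
        return "custom, has bits outside Full Control";
    }

    // Lists the named rights set in the mask and reports any bits the enum does not name.
    public static string Describe(uint mask)
    {
        var names = new List<string>();
        uint unnamed = mask;
        foreach (var (bit, name) in Rights)
            if ((mask & bit) != 0) { names.Add(name); unnamed &= ~bit; }
        if (unnamed != 0) names.Add($"unnamed bits 0x{unnamed:X8}");
        return $"0x{mask:X8}  {Classify(mask)}: {string.Join(" | ", names)}";
    }

    static void Main()
    {
        // Constructed sample masks; 0x001F01FF is the Full Control value quoted in the comments.
        foreach (uint m in new uint[] { 0x001F01FF, 0x001301BF, 0x001200A9, 0x001200AB, 0x001202A9 })
            Console.WriteLine(Describe(m));
    }
}
```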