AccessControl plug-in
Revision as of 11:33, 12 September 2007
Author: tbf
Links
AccessControl.zip (48 KB)
Description
Version: 21st August 2007.
Supported on: Windows ME+, Windows 2000+.
The AccessControl plugin for NSIS provides a set of functions for managing Windows NT access control lists (ACLs).
Original: 20th April 2006
Updated: 30th June 2006 ~ Afrow UK
Changes: Error MessageBox removed. Error messages are now just returned on NSIS stack.
Updated: 13th July 2007 ~ kichik
Changes: Return proper error codes (return value instead of GetLastError()).
Updated: 21st August 2007 ~ Afrow UK
Changes: Added /NOINHERIT, EnableInheritance, DisableInheritance.
Usage Example
# Give ownership for file C:\test.txt to Waterloo\Mathias
AccessControl::SetFileOwner \
  "C:\test.txt" "Waterloo\Mathias"

# Make the directory "$INSTDIR\database" read write accessible by all users
AccessControl::GrantOnFile \
  "$INSTDIR\database" "(BU)" "GenericRead + GenericWrite"

# Give all authenticated users (BUILTIN\Users) full access on
# the registry key HKEY_LOCAL_MACHINE\Software\Vendor\SomeApp
AccessControl::GrantOnRegKey \
  HKLM "Software\Vendor\SomeApp" "(BU)" "FullAccess"

# Same as above, but with a numeric string SID
AccessControl::GrantOnRegKey \
  HKLM "Software\Vendor\SomeApp" "(S-1-5-32-545)" "FullAccess"
Detailed usage instructions can be found in the package.
CONVENTIONS
<filename>
A valid Windows(tm) filename (e.g. "C:\WINDOWS\" or "\\HOSTNAME\SHARE").
<rootkey>
The well-known root of a registry key. The following values are defined:
- HKCR - HKEY_CLASSES_ROOT
- HKLM - HKEY_LOCAL_MACHINE
- HKCU - HKEY_CURRENT_USER
- HKU - HKEY_USERS
<regkey>
The name of the registry key to alter (e.g. "Software\Microsoft\Windows").
<trustee>
A valid Windows account. The account can be specified as a relative account name (e.g. "Administrator" or "Everyone"), a qualified account name (e.g. "Domain\Administrator") or as a security identifier (SID, e.g. "(S-1-5-32-545)"). "BUILTIN\USERS" is also a valid account name. For a list of trustee names, open Control Panel > Administrative Tools > Computer Management > Local Users and Groups. See also: Well-known security identifiers in Windows operating systems.
<permissions>
A combination of access rights (e.g. "FullAccess" or "GenericRead + GenericWrite"). For a full list of access rights, open the AccessControl.c source file in Notepad.
Functions
- GrantOnFile [/NOINHERIT] <filename> <trustee> <permissions>
- GrantOnRegKey [/NOINHERIT] <rootkey> <regkey> <trustee> <permissions>
Makes sure that the trustee gets the requested access rights on that object.
- SetOnFile [/NOINHERIT] <filename> <trustee> <permissions>
- SetOnRegKey [/NOINHERIT] <rootkey> <regkey> <trustee> <permissions>
Deletes all permissions on the object and replaces them with the specified access right.
- DenyOnFile [/NOINHERIT] <filename> <trustee> <permissions>
- DenyOnRegKey [/NOINHERIT] <rootkey> <regkey> <trustee> <permissions>
Explicitly denies an access right on an object.
- RevokeOnFile [/NOINHERIT] <filename> <trustee> <permissions>
- RevokeOnRegKey [/NOINHERIT] <rootkey> <regkey> <trustee> <permissions>
Removes a formerly defined access right for that object. Note that permissions will still be revoked even if they are inherited.
- SetFileOwner <filename> <trustee>
- SetRegKeyOwner <rootkey> <regkey> <trustee>
Changes the owner of an object.
- SetFileGroup <filename> <trustee>
- SetRegKeyGroup <rootkey> <regkey> <trustee>
Changes the primary group of the object.
- EnableInheritance <filename>
- EnableInheritance <rootkey> <regkey>
Enables inheritance of parent object permissions.
- DisableInheritance <filename>
- DisableInheritance <rootkey> <regkey>
Disables inheritance of parent object permissions.
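An added example, not part of the plug-in or its package: a small Python check that parses `AccessControl::` calls using the Grant/Set signatures listed above and reports write-capable rights given to broad groups such as "(BU)" or "Everyone". The `WRITE_RIGHTS` grouping, the `BROAD_TRUSTEES` set (including the well-known Everyone SID S-1-1-0) and all function names are assumptions of this example; the sample script reuses two calls from the usage example plus one constructed line.

```python
import re

# Permission names from the page's lists that allow modifying the object or its ACL.
WRITE_RIGHTS = {"fullaccess", "genericwrite", "writedata", "appenddata",
                "writeea", "writeattributes", "delete", "deletechild",
                "addfile", "addsubdirectory", "writedac", "writeowner"}
# Trustee spellings the page uses for broad groups; S-1-1-0 (Everyone) is added here.
BROAD_TRUSTEES = {"everyone", "(bu)", "builtin\\users", "(s-1-5-32-545)", "(s-1-1-0)"}
# Number of object arguments that precede <trustee>, per the page's signatures.
OBJECT_ARGS = {"GrantOnFile": 1, "SetOnFile": 1, "GrantOnRegKey": 2, "SetOnRegKey": 2}
CALL = re.compile(r"^\s*AccessControl::(\w+)\s+(.*)$")
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def logical_lines(text):
    """Join lines ending in an NSIS '\\' continuation; yield (first line no, text)."""
    buf, start = "", 1
    for no, line in enumerate(text.splitlines(), 1):
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
        else:
            yield start, buf + line
            buf, start = "", no + 1

def audit(script):
    """Return (line, function, object, trustee, risky rights) for each broad grant."""
    findings = []
    for no, line in logical_lines(script):
        m = CALL.match(line)
        if not m or m.group(1) not in OBJECT_ARGS:
            continue
        args = [quoted or bare for quoted, bare in TOKEN.findall(m.group(2))]
        if args and args[0].upper() == "/NOINHERIT":
            args = args[1:]
        n = OBJECT_ARGS[m.group(1)]
        if len(args) < n + 2:
            continue  # incomplete call, nothing to evaluate
        trustee = args[n]
        rights = {p.strip().lower() for p in " ".join(args[n + 1:]).split("+")}
        risky = sorted(rights & WRITE_RIGHTS)
        if trustee.lower() in BROAD_TRUSTEES and risky:
            findings.append((no, m.group(1), " ".join(args[:n]), trustee, risky))
    return findings

# Sample input: two calls from the page's usage example, last line constructed.
SAMPLE = r'''AccessControl::GrantOnFile \
  "$INSTDIR\database" "(BU)" "GenericRead + GenericWrite"
AccessControl::GrantOnRegKey \
  HKLM "Software\Vendor\SomeApp" "(S-1-5-32-545)" "FullAccess"
AccessControl::GrantOnFile /NOINHERIT "$INSTDIR\docs" "(BU)" "GenericRead"'''
```

Running `audit(SAMPLE)` reports the first two calls and leaves the read-only grant alone; findings on directories that hold executables or on HKLM keys are the ones to review first, since any local user could then modify what a more privileged process later reads.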
File and Directory Permission List
File Permissions
- ReadData
- WriteData
- AppendData
- ReadEA
- WriteEA
- Execute
- ReadAttributes
- WriteAttributes
- Delete
- ReadControl
- WriteDAC
- WriteOwner
- Synchronize
- FullAccess
- GenericRead
- GenericWrite
- GenericExecute
- NULL
Directory Permissions
- ListDirectory
- AddFile
- AddSubdirectory
- ReadEA
- WriteEA
- Traverse
- DeleteChild
- ReadAttributes
- WriteAttributes
- Delete
- ReadControl
- WriteDAC
- WriteOwner
- Synchronize
- FullAccess
- GenericRead
- GenericWrite
- GenericExecute
- NULL
See also: File Security and Access Rights
See also: Set the append/modify flag for ACLs
Comment: The GenericWrite permission isn't the same as the one on the Microsoft page.
Credits
Written by Mathias Hasselmann