AccessControl plug-in: Difference between revisions

From NSIS Wiki
Jump to navigationJump to search
Line 6: Line 6:
== Description ==
== Description ==


'''Version:''' 7th January 2008.<br />
'''Version:''' 23rd January 2008.<br />
'''Supported on:''' ''Windows ME+, Windows 2000+''.
'''Supported on:''' ''Windows ME+, Windows 2000+''.


The AccessControl plugin for NSIS provides a set of functions related Windows NT access control list (ACL) management.
The AccessControl plugin for NSIS provides a set of functions related Windows NT access control list (ACL) management.


'''Original:''' 20th April 2006<br />
<p>'''- 20th April 2006 ~ Mathias Hasselmann'''<br />
'''Updated:''' 30th June 2006 ~ Afrow UK<br />
First version.</p>
'''Changes:''' Error MessageBox removed. Error messages are now just returned on NSIS stack.<br />
'''Updated:''' 13th July 2007 ~ kichik<br />
'''Changes:''' Return proper error codes (return value instead of GetLastError()).<br />
'''Updated:''' 21st August 2007 ~ Afrow UK<br />
'''Changes:''' Added /NOINHERIT, EnableInheritance, DisableInheritance.<br />


'''- 8th November 2007 ~ Afrow UK'''<br />
<p>'''- 30th June 2006 ~ Afrow UK'''<br />
Error MessageBox removed. Error messages are now just returned on NSIS stack.</p>
 
<p>'''- 13th July 2007 ~ kichik'''<br />
Return proper error codes (return value instead of GetLastError()).</p>
 
<p>'''- 21st August 2007 ~ Afrow UK'''<br />
Added /NOINHERIT, EnableInheritance, DisableInheritance.</p>
 
<p>'''- 8th November 2007 ~ Afrow UK'''<br />
EnableInheritance/DisableInheritance names changed.<br />
EnableInheritance/DisableInheritance names changed.<br />
Functions added:<br />
Functions added:<br />
Line 33: Line 37:
* ClearOnRegKey
* ClearOnRegKey
* SidToName
* SidToName
* GetCurrentUserName
* GetCurrentUserName</p>
 
<p>'''- 7th January 2008 ~ Afrow UK'''<br />
Fixed registry instructions.</p>


'''- 7th January 2008 ~ Afrow UK'''<br />
<p>'''- 23rd January 2008 ~ Afrow UK'''<br />
Fixed registry instructions.
Added function IsUserTheAdministrator.<br />
Cleaned up code. Rebuilt as pure cpp, decreasing DLL size.<br />
No longer using gobal temp variable for strings.</p>


== Usage Example ==
== Usage Example ==

Revision as of 17:39, 17 February 2008

Author: tbf (talk, contrib)


Links

AccessControl.zip (48 KB)

Description

Version: 23rd January 2008.
Supported on: Windows ME+, Windows 2000+.

The AccessControl plugin for NSIS provides a set of functions related Windows NT access control list (ACL) management.

- 20th April 2006 ~ Mathias Hasselmann
First version.

- 30th June 2006 ~ Afrow UK
Error MessageBox removed. Error messages are now just returned on NSIS stack.

- 13th July 2007 ~ kichik
Return proper error codes (return value instead of GetLastError()).

- 21st August 2007 ~ Afrow UK
Added /NOINHERIT, EnableInheritance, DisableInheritance.

- 8th November 2007 ~ Afrow UK
EnableInheritance/DisableInheritance names changed.
Functions added:

  • EnableFileInheritance
  • DisableFileInheritance
  • EnableRegKeyInheritance
  • DisableRegKeyInheritance
  • GetFileOwner
  • GetFileGroup
  • GetRegKeyOwner
  • GetRegKeyGroup
  • ClearOnFile
  • ClearOnRegKey
  • SidToName
  • GetCurrentUserName

- 7th January 2008 ~ Afrow UK
Fixed registry instructions.

- 23rd January 2008 ~ Afrow UK
Added function IsUserTheAdministrator.
Cleaned up code. Rebuilt as pure cpp, decreasing DLL size.
No longer using gobal temp variable for strings.

Usage Example

# Give ownership for file C:\test.txt to Waterloo\Mathias
  AccessControl::SetFileOwner \
    "C:\test.txt" "Waterloo\Mathias"
 
# Make the directory "$INSTDIR\database" read write accessible by all users
  AccessControl::GrantOnFile \
    "$INSTDIR\database" "(BU)" "GenericRead + GenericWrite"
 
# Give all authentificated users (BUILTIN\Users) full access on
# the registry key HKEY_LOCAL_MACHINE\Software\Vendor\SomeApp
  AccessControl::GrantOnRegKey \
    HKLM "Software\Vendor\SomeApp" "(BU)" "FullAccess"
 
# Same as above, but with a numeric string SID
  AccessControl::GrantOnRegKey \
    HKLM "Software\Vendor\SomeApp" "(S-1-5-32-545)" "FullAccess"

Detailed usage instructions can be found in the package.

CONVENTIONS

<filename> 

A valid Windows(tm) filename (ie. "C:\WINDOWS\" or "\\HOSTNAME\SHARE").

<rootkey> 

The well-known root of a registry key. Following values are defined:

HKCR - HKEY_CLASSES_ROOT
HKLM - HKEY_LOCAL_MACHINE
HKCU - HKEY_CURRENT_USER
HKU - HKEY_USERS


<regkey> 

The name of the registry to alter (ie. "Software\Microsoft\Windows").

<trustee> 

A valid Windows account. The account can be specified as relative account name 
(ie.Administrator" or "Everyone"), a qualified account name (ie. "Domain\Administrator")
or as Security identifier (SID, ie. "(S-1-5-32-545)"). "BUILTIN\USERS" is also a valid account
name. For a list of trustee names, open up Control Panel > Administrative Tools
> Computer Management > Local Users and Groups.

See also Well-known security identifiers in Windows operating systems

<permissions> 

A combination of access rights (ie. "FullAccess" or "GenericRead + GenericWrite").
For a full list of access rights, open the AccessControl.c source file
in Notepad.

Functions

  • GrantOnFile [/NOINHERIT] <filename> <trustee> <permissions>
  • GrantOnRegKey [/NOINHERIT] <rootkey> <regkey> <trustee> <permissions>
Makes sure that the trustee get the requested access rights on 
that object.
  • SetOnFile [/NOINHERIT] <filename> <trustee> <permissions>
  • SetOnRegKey [/NOINHERIT] <rootkey> <regkey> <trustee> <permissions>
Deletes all permissions on the object and replaces them
with the specified access right.
  • DenyOnFile [/NOINHERIT] <filename> <trustee> <permissions>
  • DenyOnRegKey [/NOINHERIT] <rootkey> <regkey> <trustee> <permissions>
Explicitly denies an access right on a object.
  • RevokeOnFile [/NOINHERIT] <filename> <trustee> <permissions>
  • RevokeOnRegKey [/NOINHERIT] <rootkey> <regkey> <trustee> <permissions>
Removes a formerly defined access right for that object.
Note that permissions will still be revoked even if they are
inherited.
  • SetFileOwner <filename> <trustee>
  • SetRegKeyOwner <rootkey> <regkey> <trustee>
Changes the owner of an object.
  • SetFileGroup <filename> <trustee>
  • SetRegKeyGroup <rootkey> <regkey> <trustee>
Changes the primary group of the object.
  • EnableInheritance <filename>
  • EnableInheritance <rootkey> <regkey>
Enables inheritance of parent object permissions.
  • DisableInheritance <filename>
  • DisableInheritance <rootkey> <regkey>
Disables inheritance of parent object permissions.

File and Directory Permission List

File Permissions

  • ReadData
  • WriteData
  • AppendData
  • ReadEA
  • WriteEA
  • Execute
  • ReadAttributes
  • WriteAttributes
  • Delete
  • ReadControl
  • WriteDAC
  • WriteOwner
  • Synchronize
  • FullAccess
  • GenericRead
  • GenericWrite
  • GenericExecute
  • NULL

Directory Permissions

  • ListDirectory
  • AddFile
  • AddSubdirectory
  • ReadEA
  • WriteEA
  • Traverse
  • DeleteChild
  • ReadAttributes
  • WriteAttributes
  • Delete
  • ReadControl
  • WriteDAC
  • WriteOwner
  • Synchronize
  • FullAccess
  • GenericRead
  • GenericWrite
  • GenericExecute
  • NULL

See also: File Security and Access Rights
See also: Set the append/modify flag for ACLs

Comment: The GenericWrite permission isn't the same like the one on the microsoft page.

Credits

Written by Mathias Hasselmann

Retrieved from "https://nsis.sourceforge.io/mediawiki/index.php?title=AccessControl_plug-in&oldid=14757"