AccessControl plug-in: Difference between revisions

From NSIS Wiki
No edit summary
m (→‎Description: v1.0.8.3)
 
(11 intermediate revisions by 7 users not shown)
Line 2: Line 2:


== Links ==
== Links ==
<attach>AccessControl.zip</attach> (includes NSIS-Unicode variant)<br />
<attach>AccessControl.zip</attach> (includes NSIS-Unicode variant)
Run with <code>conda execute</code> or install with <code>conda install</code> (see [[Conda]]).
 
[http://support.microsoft.com/kb/243330 Well-known security identifiers in Windows operating systems]
[http://support.microsoft.com/kb/243330 Well-known security identifiers in Windows operating systems]


== Description ==
== Description ==


'''Version:''' 23rd January 2008.<br />
'''Version:''' 1.0.8.3 (20210224)
'''Supported on:''' ''Windows ME+, Windows 2000+''.
 
The AccessControl plugin for NSIS provides a set of functions related Windows NT access control list (ACL) management.
 
<p>'''- 20th April 2006 ~ Mathias Hasselmann'''<br />
First version.</p>
 
<p>'''- 30th June 2006 ~ Afrow UK'''<br />
Error MessageBox removed. Error messages are now just returned on NSIS stack.</p>


<p>'''- 13th July 2007 ~ kichik'''<br />
'''Supported on:''' ''WinNT4+''.
Return proper error codes (return value instead of GetLastError()).</p>


<p>'''- 21st August 2007 ~ Afrow UK'''<br />
The AccessControl plugin for NSIS provides a set of functions related to Windows NT access control list (ACL) management.
Added /NOINHERIT, EnableInheritance, DisableInheritance.</p>
 
<p>'''- 8th November 2007 ~ Afrow UK'''<br />
EnableInheritance/DisableInheritance names changed.<br />
Functions added:<br />
* EnableFileInheritance
* DisableFileInheritance
* EnableRegKeyInheritance
* DisableRegKeyInheritance
* GetFileOwner
* GetFileGroup
* GetRegKeyOwner
* GetRegKeyGroup
* ClearOnFile
* ClearOnRegKey
* SidToName
* GetCurrentUserName</p>
 
<p>'''- 7th January 2008 ~ Afrow UK'''<br />
Fixed registry instructions.</p>
 
<p>'''- 23rd January 2008 ~ Afrow UK'''<br />
Added function IsUserTheAdministrator.<br />
Cleaned up code. Rebuilt as pure cpp, decreasing DLL size.<br />
No longer using gobal temp variable for strings.</p>
 
<p>'''- 19nth September 2008 ~ Balena'''<br />
Added support for NSIS-Unicode.<br />


== Usage Example ==
== Usage Example ==
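Review bot: The new "Supported on: WinNT4+" line in Description does not agree with the Credits entry added in this same revision, "Win95/WinNT4 support and bugfixes"; say explicitly whether Win95 is supported so the two lines match. The per-release changelog removed here was also the only place the page recorded when /NOINHERIT and the inheritance functions were introduced, so consider moving it to a history section instead of deleting it.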
Line 56: Line 21:
   AccessControl::SetFileOwner \
   AccessControl::SetFileOwner \
     "C:\test.txt" "Waterloo\Mathias"
     "C:\test.txt" "Waterloo\Mathias"
  Pop $0 ; "error" on errors


# Make the directory "$INSTDIR\database" read write accessible by all users
# Make the directory "$INSTDIR\database" read write accessible by all users
   AccessControl::GrantOnFile \
   AccessControl::GrantOnFile \
     "$INSTDIR\database" "(BU)" "GenericRead + GenericWrite"
     "$INSTDIR\database" "(BU)" "GenericRead + GenericWrite"
  Pop $0


# Give all authentificated users (BUILTIN\Users) full access on
# Give all authentificated users (BUILTIN\Users) full access on
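Review bot: The added Pop $0 lines after SetFileOwner and GrantOnFile read the result but the example never tests it, so a failed ACL change goes unnoticed by anyone who copies the snippet. Show the comparison at least once, for example a check of $0 against "error" after the first call, since the new comment already says that is the failure value. The unchanged comment "authentificated" should read "authenticated".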
Line 65: Line 32:
   AccessControl::GrantOnRegKey \
   AccessControl::GrantOnRegKey \
     HKLM "Software\Vendor\SomeApp" "(BU)" "FullAccess"
     HKLM "Software\Vendor\SomeApp" "(BU)" "FullAccess"
  Pop $0


# Same as above, but with a numeric string SID
# Same as above, but with a numeric string SID
   AccessControl::GrantOnRegKey \
   AccessControl::GrantOnRegKey \
     HKLM "Software\Vendor\SomeApp" "(S-1-5-32-545)" "FullAccess"
     HKLM "Software\Vendor\SomeApp" "(S-1-5-32-545)" "FullAccess"
  Pop $0
</highlight-nsis>
</highlight-nsis>


Detailed usage instructions can be found in the package.
''Detailed usage instructions and a list of functions can be found in the package readme Docs\AccessControl\AccessControl.txt.''
 
== CONVENTIONS ==
 
'''<filename>'''
A valid Windows(tm) filename (ie. "C:\WINDOWS\" or "\\HOSTNAME\SHARE").
 
'''<rootkey>'''
The well-known root of a registry key. Following values are defined:
HKCR - HKEY_CLASSES_ROOT
HKLM - HKEY_LOCAL_MACHINE
HKCU - HKEY_CURRENT_USER
HKU - HKEY_USERS
<br>
'''<regkey>'''
The name of the registry to alter (ie. "Software\Microsoft\Windows").
 
'''<trustee>'''
A valid Windows account. The account can be specified as relative account name
(ie.Administrator" or "Everyone"), a qualified account name (ie. "Domain\Administrator")
or as Security identifier (SID, ie. "(S-1-5-32-545)"). "BUILTIN\USERS" is also a valid account
name. For a list of trustee names, open up Control Panel > Administrative Tools
> Computer Management > Local Users and Groups.
See also [http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q243330 Well-known security identifiers in Windows operating systems]
 
'''<permissions>'''
A combination of access rights (ie. "FullAccess" or "GenericRead + GenericWrite").
For a full list of access rights, open the AccessControl.c source file
in Notepad.
 
== Functions ==
* GrantOnFile [/NOINHERIT] <filename> <trustee> <permissions>
* GrantOnRegKey [/NOINHERIT] <rootkey> <regkey> <trustee> <permissions>
Makes sure that the trustee get the requested access rights on
that object.
 
* SetOnFile [/NOINHERIT] <filename> <trustee> <permissions>
* SetOnRegKey [/NOINHERIT] <rootkey> <regkey> <trustee> <permissions>
Deletes all permissions on the object and replaces them
with the specified access right.
 
* DenyOnFile [/NOINHERIT] <filename> <trustee> <permissions>
* DenyOnRegKey [/NOINHERIT] <rootkey> <regkey> <trustee> <permissions>
Explicitly denies an access right on a object.
 
* RevokeOnFile [/NOINHERIT] <filename> <trustee> <permissions>
* RevokeOnRegKey [/NOINHERIT] <rootkey> <regkey> <trustee> <permissions>
Removes a formerly defined access right for that object.
Note that permissions will still be revoked even if they are
inherited.
 
* SetFileOwner <filename> <trustee>
* SetRegKeyOwner <rootkey> <regkey> <trustee>
Changes the owner of an object.
 
* SetFileGroup <filename> <trustee>
* SetRegKeyGroup <rootkey> <regkey> <trustee>
Changes the primary group of the object.
 
* EnableFileInheritance <filename>
* EnableRegKeyInheritance <rootkey> <regkey>
Enables inheritance of parent object permissions.
 
* DisableFileInheritance <filename>
* DisableRegKeyInheritance <rootkey> <regkey>
Disables inheritance of parent object permissions.


== File and Directory Permission List ==
== File and Directory Permission List ==
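Review bot: Dropping the CONVENTIONS and Functions sections leaves the usage example using "(BU)", "(S-1-5-32-545)" and "GenericRead + GenericWrite" with no on-page explanation of trustee or permission syntax. It also removes the one sentence that separated SetOn* from GrantOn* ("Deletes all permissions on the object and replaces them with the specified access right"). Keep a short summary of both next to the pointer to Docs\AccessControl\AccessControl.txt, because confusing Set with Grant changes the resulting ACL.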
Line 201: Line 103:
* NULL
* NULL


'''See also:''' [http://msdn2.microsoft.com/en-us/library/aa364399.aspx File Security and Access Rights]<br>
'''See also:''' [http://msdn2.microsoft.com/en-us/library/aa364399.aspx File Security and Access Rights]<br />
'''See also:''' [http://nsis.sourceforge.net/Talk:AccessControl_plug-in  Set the append/modify flag for ACLs]<br>
'''See also:''' [http://nsis.sourceforge.net/Talk:AccessControl_plug-in  Set the append/modify flag for ACLs]<br />
'''Comment:''' The GenericWrite permission isn't the same like the one on the microsoft page.<br>
'''Comment:''' The GenericWrite permission isn't the same like the one on the microsoft page.


== Credits ==
== Credits ==
Written by [http://taschenorakel.de/mathias/ Mathias Hasselmann]
Written by [http://taschenorakel.de/mathias/ Mathias Hasselmann]<br />
NSIS-Unicode port by [http://wizou.fr Olivier Marcoux]
NSIS-Unicode port by [http://wizou.fr Olivier Marcoux]<br />
Major changes by [http://www.afrowsoft.co.uk Afrow UK]<br />
Win95/WinNT4 support and bugfixes by [[User:Anders|Anders]]


[[Category:Plugins]]
[[Category:Plugins]]
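Review bot: The retained "Comment:" line says GenericWrite differs from the definition on the Microsoft page but not how; since this hunk already touches that line, state which rights the plug-in's GenericWrite actually sets so readers can judge what they are granting. The wording "isn't the same like" should be "isn't the same as".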

Latest revision as of 15:48, 24 February 2021

Author: tbf (talk, contrib)


Links

AccessControl.zip (48 KB) (includes NSIS-Unicode variant)

Run with conda execute or install with conda install (see Conda).

Well-known security identifiers in Windows operating systems

Description

Version: 1.0.8.3 (20210224)

Supported on: WinNT4+.

The AccessControl plugin for NSIS provides a set of functions related to Windows NT access control list (ACL) management.

Usage Example

# Give ownership for file C:\test.txt to Waterloo\Mathias
  AccessControl::SetFileOwner \
    "C:\test.txt" "Waterloo\Mathias"
  Pop $0 ; "error" on errors
 
# Make the directory "$INSTDIR\database" read write accessible by all users
  AccessControl::GrantOnFile \
    "$INSTDIR\database" "(BU)" "GenericRead + GenericWrite"
  Pop $0
 
# Give all authenticated users (BUILTIN\Users) full access on
# the registry key HKEY_LOCAL_MACHINE\Software\Vendor\SomeApp
  AccessControl::GrantOnRegKey \
    HKLM "Software\Vendor\SomeApp" "(BU)" "FullAccess"
  Pop $0
 
# Same as above, but with a numeric string SID
  AccessControl::GrantOnRegKey \
    HKLM "Software\Vendor\SomeApp" "(S-1-5-32-545)" "FullAccess"
  Pop $0

Detailed usage instructions and a list of functions can be found in the package readme Docs\AccessControl\AccessControl.txt.
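
An added example, not taken from the plug-in package or from this wiki page: the grants from the usage example with each result checked, the write grant limited to the data subdirectory, and value-level registry rights from the permission list in place of FullAccess. The `CheckAcl` macro, output file name and install path are hypothetical, and reading the error text with a second `Pop` is an assumption the page does not state.

```nsis
; Constructed example script; file names, paths and the macro are placeholders.
!include "LogicLib.nsh"
OutFile "acl-example.exe"
InstallDir "$PROGRAMFILES\SomeApp"
RequestExecutionLevel admin

; Hypothetical helper (not part of the plug-in): pop the plug-in's result
; and stop the install when it is "error".
!macro CheckAcl WHAT
  Pop $0
  ${If} $0 == "error"
    ; Assumption: the error text is the next item on the stack.
    Pop $1
    DetailPrint "AccessControl failed (${WHAT}): $1"
    Abort "Could not set permissions: ${WHAT}"
  ${EndIf}
!macroend

Section "Permissions"
  ; Leave program files under $INSTDIR at their default ACL and open up
  ; only the data subdirectory that the application writes to.
  CreateDirectory "$INSTDIR\database"
  AccessControl::GrantOnFile \
    "$INSTDIR\database" "(BU)" "GenericRead + GenericWrite"
  !insertmacro CheckAcl "database directory"

  ; Create the key, then grant value read/write rather than FullAccess.
  WriteRegStr HKLM "Software\Vendor\SomeApp" "DataDir" "$INSTDIR\database"
  AccessControl::GrantOnRegKey \
    HKLM "Software\Vendor\SomeApp" "(BU)" "QueryValue + SetValue"
  !insertmacro CheckAcl "registry key"
SectionEnd
```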

File and Directory Permission List

File Permissions

  • ReadData
  • WriteData
  • AppendData
  • ReadEA
  • WriteEA
  • Execute
  • ReadAttributes
  • WriteAttributes
  • Delete
  • ReadControl
  • WriteDAC
  • WriteOwner
  • Synchronize
  • FullAccess
  • GenericRead
  • GenericWrite
  • GenericExecute
  • NULL

Directory Permissions

  • ListDirectory
  • AddFile
  • AddSubdirectory
  • ReadEA
  • WriteEA
  • Traverse
  • DeleteChild
  • ReadAttributes
  • WriteAttributes
  • Delete
  • ReadControl
  • WriteDAC
  • WriteOwner
  • Synchronize
  • FullAccess
  • GenericRead
  • GenericWrite
  • GenericExecute
  • NULL

Registry Permissions

  • QueryValue
  • SetValue
  • CreateSubKey
  • EnumerateSubKeys
  • Notify
  • CreateLink
  • Delete
  • ReadControl
  • WriteDAC
  • WriteOwner
  • Synchronize
  • GenericRead
  • GenericWrite
  • GenericExecute
  • FullAccess
  • NULL

See also: File Security and Access Rights
See also: Set the append/modify flag for ACLs
Comment: The GenericWrite permission isn't the same as the one on the Microsoft page.

Credits

Written by Mathias Hasselmann
NSIS-Unicode port by Olivier Marcoux
Major changes by Afrow UK
Win95/WinNT4 support and bugfixes by Anders