AccessControl plug-in: Difference between revisions
Revision by F.rochlitzer: Updated list of functions and conventions
Revision as of 13:54, 10 September 2007
Author: tbf
Links
AccessControl.zip (48 KB)
Description
Version: 21st August 2007.
Supported on: Windows ME+, Windows 2000+.
The AccessControl plugin for NSIS provides a set of functions for Windows NT access control list (ACL) management: granting, setting, denying and revoking permissions on files, directories and registry keys, changing their owner and primary group, and enabling or disabling inheritance of parent permissions.
Original: 20th April 2006
Updated: 30th June 2006 ~ Afrow UK
Changes: Error MessageBox removed. Error messages are now just returned on NSIS stack.
Updated: 13th July 2007 ~ kichik
Changes: Return proper error codes (return value instead of GetLastError()).
Updated: 21st August 2007 ~ Afrow UK
Changes: Added /NOINHERIT, EnableInheritance, DisableInheritance.
Usage Example
# Give ownership of the file C:\test.txt to Waterloo\Mathias
AccessControl::SetFileOwner \
    "C:\test.txt" "Waterloo\Mathias"

# Make the directory "$INSTDIR\database" readable and writable by all
# local users; "(BU)" is the SDDL abbreviation for BUILTIN\Users
AccessControl::GrantOnFile \
    "$INSTDIR\database" "(BU)" "GenericRead + GenericWrite"

# Give all members of BUILTIN\Users full access on
# the registry key HKEY_LOCAL_MACHINE\Software\Vendor\SomeApp
AccessControl::GrantOnRegKey \
    HKLM "Software\Vendor\SomeApp" "(BU)" "FullAccess"

# Same as above, but with a numeric string SID
AccessControl::GrantOnRegKey \
    HKLM "Software\Vendor\SomeApp" "(S-1-5-32-545)" "FullAccess"
Detailed usage instructions can be found in the package.
CONVENTIONS
<filename>
A valid Windows file or directory path, including UNC paths (e.g. "C:\WINDOWS\" or "\\HOSTNAME\SHARE").
<rootkey>
The well-known root of a registry key. The following values are defined:
HKCR - HKEY_CLASSES_ROOT
HKLM - HKEY_LOCAL_MACHINE
HKCU - HKEY_CURRENT_USER
HKU - HKEY_USERS
<regkey>
The path of the registry key to alter, relative to <rootkey> (e.g. "Software\Microsoft\Windows").
<trustee>
A valid Windows account. The account can be specified as a relative account name (e.g. "Administrator" or "Everyone"), a qualified account name (e.g. "Domain\Administrator") or as a security identifier (SID) in parentheses (e.g. "(S-1-5-32-545)"). "BUILTIN\USERS" is also a valid account name. Note that relative and qualified account names are localized (the group called "Users" on an English system has a different name on a German one), whereas the SID form is the same on every installation, so installers that must run on more than one locale should use SIDs. For a list of trustee names, open Control Panel > Administrative Tools > Computer Management > Local Users and Groups. See also Well-known security identifiers in Windows operating systems (http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q243330).
<permissions>
A combination of access rights joined with "+" (e.g. "FullAccess" or "GenericRead + GenericWrite"). For the full list of access rights, see the AccessControl.c source file in the package.
Functions
- GrantOnFile [/NOINHERIT] <filename> <trustee> <permissions>
- GrantOnRegKey [/NOINHERIT] <rootkey> <regkey> <trustee> <permissions>
Makes sure that the trustee gets the requested access rights on that object; existing permissions for other trustees are kept.
- SetOnFile [/NOINHERIT] <filename> <trustee> <permissions>
- SetOnRegKey [/NOINHERIT] <rootkey> <regkey> <trustee> <permissions>
Deletes all permissions on the object and replaces them with the specified access right. Entries for every other trustee, including Administrators and SYSTEM, are removed as well, so grant those back afterwards if they are still needed.
- DenyOnFile [/NOINHERIT] <filename> <trustee> <permissions>
- DenyOnRegKey [/NOINHERIT] <rootkey> <regkey> <trustee> <permissions>
Explicitly denies an access right on an object.
- RevokeOnFile [/NOINHERIT] <filename> <trustee> <permissions>
- RevokeOnRegKey [/NOINHERIT] <rootkey> <regkey> <trustee> <permissions>
Removes a formerly defined access right for that object. Note that permissions will still be revoked even if they are inherited.
- SetFileOwner <filename> <trustee>
- SetRegKeyOwner <rootkey> <regkey> <trustee>
Changes the owner of an object.
- SetFileGroup <filename> <trustee>
- SetRegKeyGroup <rootkey> <regkey> <trustee>
Changes the primary group of the object.
- EnableInheritance <filename>
- EnableInheritance <rootkey> <regkey>
Enables inheritance of parent object permissions.
- DisableInheritance <filename>
- DisableInheritance <rootkey> <regkey>
Disables inheritance of parent object permissions.
File and Directory Permission List
File Permissions
- ReadData
- WriteData
- AppendData
- ReadEA
- WriteEA
- Execute
- ReadAttributes
- WriteAttributes
- Delete
- ReadControl
- WriteDAC
- WriteOwner
- Synchronize
- FullAccess
- GenericRead
- GenericWrite
- GenericExecute
- NULL
Directory Permissions
- ListDirectory
- AddFile
- AddSubdirectory
- ReadEA
- WriteEA
- Traverse
- DeleteChild
- ReadAttributes
- WriteAttributes
- Delete
- ReadControl
- WriteDAC
- WriteOwner
- Synchronize
- FullAccess
- GenericRead
- GenericWrite
- GenericExecute
- NULL
See also File Security and Access Rights (http://msdn2.microsoft.com/en-us/library/aa364399.aspx)
Comment: The plug-in's GenericWrite permission is not the same as the GenericWrite right described on the Microsoft page.
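The installer script below is an added example for this page, not code from the AccessControl package or its readme. It applies the functions and the permission names listed above to a fictitious application, granting the minimum each object needs instead of the GenericWrite / FullAccess grants of the usage example. Assumed, and marked ASSUMED in the code: the payload file names and install path, that GenericRead is accepted for registry keys (the registry right names are in AccessControl.c, not on this page), and the stack contract taken from the change log, namely that a failing call pushes an error message and a successful call pushes nothing.

```nsis
; Added example for this page, not code from the AccessControl package or its
; readme. Lines marked ASSUMED are assumptions, not facts taken from the page.
!include "LogicLib.nsh"

Name "SomeApp"
OutFile "SomeApp-Setup.exe"                  ; ASSUMED output name
InstallDir "$PROGRAMFILES\Vendor\SomeApp"    ; ASSUMED install path
RequestExecutionLevel admin                  ; DACLs under $PROGRAMFILES and HKLM need admin rights

; SID strings rather than names: "Users" and "Administrators" are localized,
; S-1-5-32-545 and S-1-5-32-544 are the same on every Windows installation.
!define SID_USERS  "(S-1-5-32-545)"          ; BUILTIN\Users
!define SID_ADMINS "(S-1-5-32-544)"          ; BUILTIN\Administrators
!define SID_SYSTEM "(S-1-5-18)"              ; NT AUTHORITY\SYSTEM

; ASSUMED stack contract, read from the change log above: a failing call pushes
; its error message, a successful call pushes nothing. Pushing a sentinel
; before every call makes the Pop afterwards safe in both cases.
!define ACL_SENTINEL "acl-no-error"

; Pop the plug-in result and abort the installation on any failure, instead of
; silently continuing with a weaker ACL than intended.
!macro AclCheck what
  Pop $0
  ${If} $0 == "ok"                           ; in case a build also pushes "ok" on success: drop the sentinel too
    Pop $0
  ${ElseIf} $0 != "${ACL_SENTINEL}"
    Abort "${what} failed: $0"
  ${EndIf}
!macroend

Section "Install"
  SetOutPath "$INSTDIR"
  File "SomeApp.exe"                         ; ASSUMED payload
  File "SomeApp.ini"                         ; ASSUMED payload

  ; $INSTDIR itself gets no grant: by default Users already inherit read and
  ; execute from $PROGRAMFILES. Giving them "GenericRead + GenericWrite" here,
  ; as the usage example does for a data directory, would let any user replace
  ; SomeApp.exe, which administrators then run.

  ; Data directory: Users may list it, create files and subdirectories and
  ; read attributes. Delete/DeleteChild, WriteDAC and WriteOwner are left out,
  ; so one user cannot remove another user's files, rewrite the ACL or take
  ; ownership of the directory.
  CreateDirectory "$INSTDIR\database"
  Push "${ACL_SENTINEL}"
  AccessControl::GrantOnFile "$INSTDIR\database" "${SID_USERS}" \
    "ListDirectory + AddFile + AddSubdirectory + Traverse + ReadAttributes + ReadEA"
  !insertmacro AclCheck "GrantOnFile $INSTDIR\database"

  ; Configuration file: cut it off from the inherited ACL and rebuild it.
  ; SetOnFile removes every existing entry, so it is applied for Administrators
  ; first (the installer runs as one and keeps WriteDAC), then SYSTEM and a
  ; read-only entry for Users are granted back.
  Push "${ACL_SENTINEL}"
  AccessControl::DisableInheritance "$INSTDIR\SomeApp.ini"
  !insertmacro AclCheck "DisableInheritance SomeApp.ini"
  Push "${ACL_SENTINEL}"
  AccessControl::SetOnFile "$INSTDIR\SomeApp.ini" "${SID_ADMINS}" "FullAccess"
  !insertmacro AclCheck "SetOnFile SomeApp.ini"
  Push "${ACL_SENTINEL}"
  AccessControl::GrantOnFile "$INSTDIR\SomeApp.ini" "${SID_SYSTEM}" "FullAccess"
  !insertmacro AclCheck "GrantOnFile SomeApp.ini (SYSTEM)"
  Push "${ACL_SENTINEL}"
  AccessControl::GrantOnFile "$INSTDIR\SomeApp.ini" "${SID_USERS}" "GenericRead"
  !insertmacro AclCheck "GrantOnFile SomeApp.ini (Users)"

  ; Machine-wide settings: readable by Users, writable only by administrators.
  ; Per-user settings belong under HKCU, where no ACL change is needed at all.
  WriteRegStr HKLM "Software\Vendor\SomeApp" "InstallDir" "$INSTDIR"
  Push "${ACL_SENTINEL}"
  ; ASSUMED: GenericRead is accepted for registry keys as well; the registry
  ; right names are listed in AccessControl.c, not on this page.
  AccessControl::GrantOnRegKey HKLM "Software\Vendor\SomeApp" "${SID_USERS}" "GenericRead"
  !insertmacro AclCheck "GrantOnRegKey HKLM\Software\Vendor\SomeApp"
SectionEnd
```

Two things to keep in mind when adapting this. A DenyOnFile or DenyOnRegKey entry for (S-1-5-32-545) also locks out administrator accounts, which are normally members of Users as well, because deny entries are evaluated before allow entries; withholding a grant is usually the better tool than an explicit deny. And because SetOnFile and SetOnRegKey delete every existing entry, always follow them with the grants the administrative trustees need, or the next run of the installer (and the uninstaller) may no longer be able to touch the object.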
Credits
Written by Mathias Hasselmann