AccessControl plug-in: Difference between revisions

From NSIS Wiki

Revision as of 17:06, 15 January 2011

Author: tbf (talk, contrib)


Links

AccessControl.zip (48 KB) (includes NSIS-Unicode variant)
Well-known security identifiers in Windows operating systems

Description

Version: 23rd January 2008.
Supported on: Windows ME+, Windows 2000+.

The AccessControl plugin for NSIS provides a set of functions related to Windows NT access control list (ACL) management.

- 20th April 2006 ~ Mathias Hasselmann
First version.

- 30th June 2006 ~ Afrow UK
Error MessageBox removed. Error messages are now just returned on NSIS stack.

- 13th July 2007 ~ kichik
Return proper error codes (return value instead of GetLastError()).

- 21st August 2007 ~ Afrow UK
Added /NOINHERIT, EnableInheritance, DisableInheritance.

- 8th November 2007 ~ Afrow UK
EnableInheritance/DisableInheritance names changed.
Functions added:

  • EnableFileInheritance
  • DisableFileInheritance
  • EnableRegKeyInheritance
  • DisableRegKeyInheritance
  • GetFileOwner
  • GetFileGroup
  • GetRegKeyOwner
  • GetRegKeyGroup
  • ClearOnFile
  • ClearOnRegKey
  • SidToName
  • GetCurrentUserName

- 7th January 2008 ~ Afrow UK
Fixed registry instructions.

- 23rd January 2008 ~ Afrow UK
Added function IsUserTheAdministrator.
Cleaned up code. Rebuilt as pure cpp, decreasing DLL size.
No longer using global temp variable for strings.

- 19th September 2008 ~ Balena
Added support for NSIS-Unicode.

Usage Example

# Give ownership for file C:\test.txt to Waterloo\Mathias
  AccessControl::SetFileOwner \
    "C:\test.txt" "Waterloo\Mathias"
 
# Make the directory "$INSTDIR\database" read write accessible by all users
  AccessControl::GrantOnFile \
    "$INSTDIR\database" "(BU)" "GenericRead + GenericWrite"
 
# Give all authenticated users (BUILTIN\Users) full access on
# the registry key HKEY_LOCAL_MACHINE\Software\Vendor\SomeApp
  AccessControl::GrantOnRegKey \
    HKLM "Software\Vendor\SomeApp" "(BU)" "FullAccess"
 
# Same as above, but with a numeric string SID
  AccessControl::GrantOnRegKey \
    HKLM "Software\Vendor\SomeApp" "(S-1-5-32-545)" "FullAccess"

Detailed usage instructions can be found in the package.

CONVENTIONS

<filename>

A valid Windows(tm) filename (i.e. "C:\WINDOWS\" or "\\HOSTNAME\SHARE").

<rootkey>

The well-known root of a registry key. Following values are defined:

HKCR - HKEY_CLASSES_ROOT
HKLM - HKEY_LOCAL_MACHINE
HKCU - HKEY_CURRENT_USER
HKU - HKEY_USERS


<regkey>

The name of the registry key to alter (i.e. "Software\Microsoft\Windows").

<trustee>

A valid Windows account. The account can be specified as a relative account name
(i.e. "Administrator" or "Everyone"), a qualified account name (i.e. "Domain\Administrator")
or as a security identifier (SID, i.e. "(S-1-5-32-545)"). "BUILTIN\USERS" is also a valid account
name. For a list of trustee names, open up Control Panel > Administrative Tools
> Computer Management > Local Users and Groups.

See also Well-known security identifiers in Windows operating systems

<permissions>

A combination of access rights (i.e. "FullAccess" or "GenericRead + GenericWrite").
For a full list of access rights, open the AccessControl.c source file
in Notepad.

Functions

  • GrantOnFile [/NOINHERIT] <filename> <trustee> <permissions>
  • GrantOnRegKey [/NOINHERIT] <rootkey> <regkey> <trustee> <permissions>
Makes sure that the trustee gets the requested access rights on
that object.
  • SetOnFile [/NOINHERIT] <filename> <trustee> <permissions>
  • SetOnRegKey [/NOINHERIT] <rootkey> <regkey> <trustee> <permissions>
Deletes all permissions on the object and replaces them
with the specified access right.
  • DenyOnFile [/NOINHERIT] <filename> <trustee> <permissions>
  • DenyOnRegKey [/NOINHERIT] <rootkey> <regkey> <trustee> <permissions>
Explicitly denies an access right on an object.
  • RevokeOnFile [/NOINHERIT] <filename> <trustee> <permissions>
  • RevokeOnRegKey [/NOINHERIT] <rootkey> <regkey> <trustee> <permissions>
Removes a formerly defined access right for that object.
Note that permissions will still be revoked even if they are
inherited.
  • SetFileOwner <filename> <trustee>
  • SetRegKeyOwner <rootkey> <regkey> <trustee>
Changes the owner of an object.
  • SetFileGroup <filename> <trustee>
  • SetRegKeyGroup <rootkey> <regkey> <trustee>
Changes the primary group of the object.
  • EnableFileInheritance <filename>
  • EnableRegKeyInheritance <rootkey> <regkey>
Enables inheritance of parent object permissions.
  • DisableFileInheritance <filename>
  • DisableRegKeyInheritance <rootkey> <regkey>
Disables inheritance of parent object permissions.
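The following installer section is an added example (not code from the plug-in package) that combines the functions above into a least-privilege layout: an explicit, non-inherited ACL on the program directory, a writable data directory for users, and a machine-wide registry key that users can only read. The "Vendor\SomeApp" key and the directory names are hypothetical, and the SIDs S-1-5-32-544 (BUILTIN\Administrators) and S-1-5-18 (LocalSystem) come from the well-known SID list linked above. Result handling is left out because this page does not state what the plug-in pushes on success.

```nsis
; Added example, not part of the AccessControl package. Paths and the
; registry key are hypothetical; the installer must run elevated.
RequestExecutionLevel admin

Section "Set permissions"
  ; Program directory: stop inheriting the parent's ACL first, then define
  ; the ACL explicitly so a permissive parent cannot widen it later.
  AccessControl::DisableFileInheritance "$INSTDIR"

  ; SetOnFile replaces every existing permission, so after this call only
  ; Administrators (S-1-5-32-544) have access. LocalSystem (S-1-5-18) is
  ; re-added because services and Windows Installer run under it.
  AccessControl::SetOnFile "$INSTDIR" "(S-1-5-32-544)" "FullAccess"
  AccessControl::GrantOnFile "$INSTDIR" "(S-1-5-18)" "FullAccess"

  ; Ordinary users may read and run the program but never modify it.
  AccessControl::GrantOnFile "$INSTDIR" "(BU)" "GenericRead + GenericExecute"

  ; Data directory: users need read and write here; GenericExecute is
  ; deliberately omitted from the grant on this writable location.
  CreateDirectory "$INSTDIR\database"
  AccessControl::GrantOnFile "$INSTDIR\database" "(BU)" "GenericRead + GenericWrite"

  ; Machine-wide settings: users read, only Administrators change them.
  AccessControl::GrantOnRegKey HKLM "Software\Vendor\SomeApp" "(BU)" "GenericRead"
  AccessControl::GrantOnRegKey HKLM "Software\Vendor\SomeApp" "(S-1-5-32-544)" "FullAccess"

  ; An explicit deny wins over any allow: users cannot rewrite the DACL or
  ; take ownership of the key even if another rule later grants it.
  ; /NOINHERIT keeps the deny on this key only, not on its subkeys.
  AccessControl::DenyOnRegKey /NOINHERIT HKLM "Software\Vendor\SomeApp" \
    "(BU)" "WriteDAC + WriteOwner"
SectionEnd
```

After installing, the resulting ACLs can be reviewed with the Security tab in Explorer or Registry Editor to confirm that no inherited entries reappeared on "$INSTDIR".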

File and Directory Permission List

File Permissions

  • ReadData
  • WriteData
  • AppendData
  • ReadEA
  • WriteEA
  • Execute
  • ReadAttributes
  • WriteAttributes
  • Delete
  • ReadControl
  • WriteDAC
  • WriteOwner
  • Synchronize
  • FullAccess
  • GenericRead
  • GenericWrite
  • GenericExecute
  • NULL

Directory Permissions

  • ListDirectory
  • AddFile
  • AddSubdirectory
  • ReadEA
  • WriteEA
  • Traverse
  • DeleteChild
  • ReadAttributes
  • WriteAttributes
  • Delete
  • ReadControl
  • WriteDAC
  • WriteOwner
  • Synchronize
  • FullAccess
  • GenericRead
  • GenericWrite
  • GenericExecute
  • NULL

Registry Permissions

  • QueryValue
  • SetValue
  • CreateSubKey
  • EnumerateSubKeys
  • Notify
  • CreateLink
  • Delete
  • ReadControl
  • WriteDAC
  • WriteOwner
  • Synchronize
  • GenericRead
  • GenericWrite
  • GenericExecute
  • FullAccess
  • NULL

See also: File Security and Access Rights
See also: Set the append/modify flag for ACLs
Comment: The GenericWrite permission isn't the same as the one on the Microsoft page.

Credits

Written by Mathias Hasselmann.
NSIS-Unicode port by Olivier Marcoux.