Win32API ファイルやディレクトリのACEを列挙する GetNamedSecurityInfo

ファイルやディレクトリのセキュリティ情報(セキュリティ記述子やACL)は、GetFileSecurity関数で取得可能であるが、GetNamedSecurityInfo関数でも取得可能である。


GetNamedSecurityInfo関数で、セキュリティ情報(セキュリティ記述子)を取得し、ACEを列挙する手順は以下のとおり

No  項目
1  GetNamedSecurityInfo関数で、ディレクトリのセキュリティ記述子とDACLを取得する
2  GetAclInformation関数で、DACLのサイズ情報を取得する
3  GetAce関数で、DACLからACEを取得する
4  LookupAccountSid関数で、ACEのアカウント情報を取得する



  • GetNamedSecurityInfo関数でディレクトリのACEを列挙する例

  • 「C:\\Program Files」ディレクトリのACEを列挙する

    #include <windows.h>
    #include <aclapi.h>
    #include <stdio.h>
    
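    /* One named access-right bit pattern and the label printed when an ACE mask contains it. */
    struct right_name {
        ACCESS_MASK mask;
        const char *name;
    };

    /* Directory-specific rights, in the order the original listing printed them. */
    static const struct right_name specific_rights[] = {
        { FILE_LIST_DIRECTORY,    "FILE_LIST_DIRECTORY" },
        { FILE_ADD_FILE,          "FILE_ADD_FILE" },
        { FILE_ADD_SUBDIRECTORY,  "FILE_ADD_SUBDIRECTORY" },
        { FILE_READ_EA,           "FILE_READ_EA" },
        { FILE_WRITE_EA,          "FILE_WRITE_EA" },
        { FILE_TRAVERSE,          "FILE_TRAVERSE" },
        { FILE_DELETE_CHILD,      "FILE_DELETE_CHILD" },
        { FILE_READ_ATTRIBUTES,   "FILE_READ_ATTRIBUTES" },
        { FILE_WRITE_ATTRIBUTES,  "FILE_WRITE_ATTRIBUTES" },
        { FILE_ALL_ACCESS,        "FILE_ALL_ACCESS" },
        { FILE_GENERIC_READ,      "FILE_GENERIC_READ" },
        { FILE_GENERIC_WRITE,     "FILE_GENERIC_WRITE" },
        { FILE_GENERIC_EXECUTE,   "FILE_GENERIC_EXECUTE" },
    };

    /* Standard rights shared by every securable object. */
    static const struct right_name standard_rights[] = {
        { DELETE,                   "DELETE" },
        { READ_CONTROL,             "READ_CONTROL" },
        { WRITE_DAC,                "WRITE_DAC" },
        { WRITE_OWNER,              "WRITE_OWNER" },
        { SYNCHRONIZE,              "SYNCHRONIZE" },
        { STANDARD_RIGHTS_REQUIRED, "STANDARD_RIGHTS_REQUIRED" },
        { STANDARD_RIGHTS_READ,     "STANDARD_RIGHTS_READ" },
        { STANDARD_RIGHTS_WRITE,    "STANDARD_RIGHTS_WRITE" },
        { STANDARD_RIGHTS_EXECUTE,  "STANDARD_RIGHTS_EXECUTE" },
        { STANDARD_RIGHTS_ALL,      "STANDARD_RIGHTS_ALL" },
        { SPECIFIC_RIGHTS_ALL,      "SPECIFIC_RIGHTS_ALL" },
    };

    /* Generic rights. Inheritable ACEs are frequently stored with GENERIC_* bits
     * instead of the mapped file rights; without this table such ACEs print no
     * rights at all (presumably what the blank entries in the sample output are). */
    static const struct right_name generic_rights[] = {
        { GENERIC_READ,    "GENERIC_READ" },
        { GENERIC_WRITE,   "GENERIC_WRITE" },
        { GENERIC_EXECUTE, "GENERIC_EXECUTE" },
        { GENERIC_ALL,     "GENERIC_ALL" },
    };

    /* Print the name of every entry in `table` whose full bit pattern is set in `mask`. */
    static void print_rights(ACCESS_MASK mask, const struct right_name *table, size_t count)
    {
        for (size_t i = 0; i < count; i++) {
            if ((mask & table[i].mask) == table[i].mask) {
                puts(table[i].name);
            }
        }
    }

    /* Resolve `pSid` to an account and domain name and print them.
     * LookupAccountSidA does not fill the buffers when it fails (for example
     * ERROR_NONE_MAPPED for an orphaned SID), so a placeholder carrying the
     * error code is printed instead of uninitialized stack contents. */
    static void print_ace_account(PSID pSid)
    {
        char szAccountName[256];
        char szDomainName[256];
        DWORD dwAccountNameSize = sizeof szAccountName;
        DWORD dwDomainNameSize = sizeof szDomainName;
        SID_NAME_USE snu;

        if (!LookupAccountSidA(NULL, pSid, szAccountName, &dwAccountNameSize,
                               szDomainName, &dwDomainNameSize, &snu)) {
            snprintf(szAccountName, sizeof szAccountName, "(unresolved, error %lu)",
                     (unsigned long)GetLastError());
            snprintf(szDomainName, sizeof szDomainName, "%s", "");
        }
        printf("AccountName:%s, DomainName:%s\n", szAccountName, szDomainName);
    }

    /* Enumerate the DACL of "C:\Program Files" and print each ACE: the account it
     * applies to, the access mask decoded into named rights, and the ACE type.
     * Returns 0 on success and 1 when a security API call fails. */
    int main(void)
    {
        PSECURITY_DESCRIPTOR pSD = NULL;
        PACL pDacl = NULL;
        ACL_SIZE_INFORMATION aclSize;
        char *lpDirectoryName = "C:\\Program Files";
        int rc = 1;

        /* 1. Fetch the security descriptor and a pointer to its DACL. The descriptor
         *    is allocated by the API and owns the DACL; it is released with LocalFree. */
        DWORD err = GetNamedSecurityInfoA(lpDirectoryName,
            SE_FILE_OBJECT,
            DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
            NULL,
            NULL,
            &pDacl,
            NULL,
            &pSD);
        if (err != ERROR_SUCCESS) {
            fprintf(stderr, "GetNamedSecurityInfoA failed: %lu\n", (unsigned long)err);
            return 1;
        }

        /* A NULL DACL is a valid result, not an error: the object has no DACL and
         * therefore grants full access to everyone. Report it instead of passing
         * NULL to GetAclInformation. */
        if (pDacl == NULL) {
            puts("NULL DACL: the object has no access restrictions");
            rc = 0;
            goto out;
        }

        /* 2. Read the ACE count (and sizes) of the DACL. */
        if (!GetAclInformation(pDacl, &aclSize, sizeof aclSize, AclSizeInformation)) {
            fprintf(stderr, "GetAclInformation failed: %lu\n", (unsigned long)GetLastError());
            goto out;
        }

        for (DWORD i = 0; i < aclSize.AceCount; i++) {
            ACE_HEADER *pHeader = NULL;
            ACCESS_ALLOWED_ACE *pAce;

            /* 3. Fetch the i-th ACE. Only the header is assumed at this point. */
            if (!GetAce(pDacl, i, (LPVOID *)&pHeader)) {
                fprintf(stderr, "GetAce(%lu) failed: %lu\n",
                        (unsigned long)i, (unsigned long)GetLastError());
                goto out;
            }

            puts("==========================================================");

            /* Only these four ACE types share the ACCESS_ALLOWED_ACE layout
             * (Header, Mask, SidStart). Object and callback ACE types place other
             * fields before the SID, so casting them to ACCESS_ALLOWED_ACE would
             * hand LookupAccountSid a pointer that is not a SID. Skip them. */
            switch (pHeader->AceType) {
            case ACCESS_ALLOWED_ACE_TYPE:
            case ACCESS_DENIED_ACE_TYPE:
            case SYSTEM_AUDIT_ACE_TYPE:
            case SYSTEM_ALARM_ACE_TYPE:
                break;
            default:
                printf("Unknown ACE type (%u), skipped\n\n\n", (unsigned)pHeader->AceType);
                continue;
            }
            pAce = (ACCESS_ALLOWED_ACE *)pHeader;

            /* 4. Translate the ACE's SID into an account name. */
            print_ace_account((PSID)&pAce->SidStart);

            puts("\n===AccessMask===");
            printf("Mask:0x%08lX, AceFlags:0x%02X\n",
                   (unsigned long)pAce->Mask, (unsigned)pHeader->AceFlags);

            puts("\n#Specific Access Rights");
            print_rights(pAce->Mask, specific_rights,
                         sizeof specific_rights / sizeof specific_rights[0]);

            puts("\n#Standard Access Rights");
            print_rights(pAce->Mask, standard_rights,
                         sizeof standard_rights / sizeof standard_rights[0]);

            puts("\n#Generic Access Rights");
            print_rights(pAce->Mask, generic_rights,
                         sizeof generic_rights / sizeof generic_rights[0]);

            puts("\n===AceType===");
            switch (pHeader->AceType) {
            case ACCESS_ALLOWED_ACE_TYPE:
                puts("ACCESS_ALLOWED_ACE_TYPE");
                break;
            case ACCESS_DENIED_ACE_TYPE:
                puts("ACCESS_DENIED_ACE_TYPE");
                break;
            case SYSTEM_AUDIT_ACE_TYPE:
                puts("SYSTEM_AUDIT_ACE_TYPE");
                break;
            case SYSTEM_ALARM_ACE_TYPE:
                puts("SYSTEM_ALARM_ACE_TYPE");
                break;
            default:
                puts("Unknown ACE type");
                break;
            }
            puts("\n\n");
        }
        rc = 0;

    out:
        /* pSD owns pDacl, so a single LocalFree releases both. */
        LocalFree(pSD);
        return rc;
    }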



  • 実行結果
  • ==========================================================
    AccountName:TrustedInstaller, DomainName:NT SERVICE
    
    ===AccessMask===
    
    #Specific Access Rights
    FILE_LIST_DIRECTORY
    FILE_ADD_FILE
    FILE_ADD_SUBDIRECTORY
    FILE_READ_EA
    FILE_WRITE_EA
    FILE_TRAVERSE
    FILE_DELETE_CHILD
    FILE_READ_ATTRIBUTES
    FILE_WRITE_ATTRIBUTES
    FILE_ALL_ACCESS
    FILE_GENERIC_READ
    FILE_GENERIC_WRITE
    FILE_GENERIC_EXECUTE
    
    #Standard Access Rights
    DELETE
    READ_CONTROL
    WRITE_DAC
    WRITE_OWNER
    SYNCHRONIZE
    STANDARD_RIGHTS_REQUIRED
    STANDARD_RIGHTS_READ
    STANDARD_RIGHTS_WRITE
    STANDARD_RIGHTS_EXECUTE
    STANDARD_RIGHTS_ALL
    
    ===AceType===
    ACCESS_ALLOWED_ACE_TYPE
    
    
    
    ==========================================================
    AccountName:TrustedInstaller, DomainName:NT SERVICE
    
    ===AccessMask===
    
    #Specific Access Rights
    
    #Standard Access Rights
    
    ===AceType===
    ACCESS_ALLOWED_ACE_TYPE
    
    
    
    ==========================================================
    AccountName:SYSTEM, DomainName:NT AUTHORITY
    
    ===AccessMask===
    
    #Specific Access Rights
    FILE_LIST_DIRECTORY
    FILE_ADD_FILE
    FILE_ADD_SUBDIRECTORY
    FILE_READ_EA
    FILE_WRITE_EA
    FILE_TRAVERSE
    FILE_READ_ATTRIBUTES
    FILE_WRITE_ATTRIBUTES
    FILE_GENERIC_READ
    FILE_GENERIC_WRITE
    FILE_GENERIC_EXECUTE
    
    #Standard Access Rights
    DELETE
    READ_CONTROL
    SYNCHRONIZE
    STANDARD_RIGHTS_READ
    STANDARD_RIGHTS_WRITE
    STANDARD_RIGHTS_EXECUTE
    
    ===AceType===
    ACCESS_ALLOWED_ACE_TYPE
    
    
    
    ==========================================================
    AccountName:SYSTEM, DomainName:NT AUTHORITY
    
    ===AccessMask===
    
    #Specific Access Rights
    
    #Standard Access Rights
    
    ===AceType===
    ACCESS_ALLOWED_ACE_TYPE
    
    
    
    ==========================================================
    AccountName:Administrators, DomainName:BUILTIN
    
    ===AccessMask===
    
    #Specific Access Rights
    FILE_LIST_DIRECTORY
    FILE_ADD_FILE
    FILE_ADD_SUBDIRECTORY
    FILE_READ_EA
    FILE_WRITE_EA
    FILE_TRAVERSE
    FILE_READ_ATTRIBUTES
    FILE_WRITE_ATTRIBUTES
    FILE_GENERIC_READ
    FILE_GENERIC_WRITE
    FILE_GENERIC_EXECUTE
    
    #Standard Access Rights
    DELETE
    READ_CONTROL
    SYNCHRONIZE
    STANDARD_RIGHTS_READ
    STANDARD_RIGHTS_WRITE
    STANDARD_RIGHTS_EXECUTE
    
    ===AceType===
    ACCESS_ALLOWED_ACE_TYPE
    
    
    
    ==========================================================
    AccountName:Administrators, DomainName:BUILTIN
    
    ===AccessMask===
    
    #Specific Access Rights
    
    #Standard Access Rights
    
    ===AceType===
    ACCESS_ALLOWED_ACE_TYPE
    
    
    
    ==========================================================
    AccountName:Users, DomainName:BUILTIN
    
    ===AccessMask===
    
    #Specific Access Rights
    FILE_LIST_DIRECTORY
    FILE_READ_EA
    FILE_TRAVERSE
    FILE_READ_ATTRIBUTES
    FILE_GENERIC_READ
    FILE_GENERIC_EXECUTE
    
    #Standard Access Rights
    READ_CONTROL
    SYNCHRONIZE
    STANDARD_RIGHTS_READ
    STANDARD_RIGHTS_WRITE
    STANDARD_RIGHTS_EXECUTE
    
    ===AceType===
    ACCESS_ALLOWED_ACE_TYPE
    
    
    
    ==========================================================
    AccountName:Users, DomainName:BUILTIN
    
    ===AccessMask===
    
    #Specific Access Rights
    
    #Standard Access Rights
    
    ===AceType===
    ACCESS_ALLOWED_ACE_TYPE
    
    
    
    ==========================================================
    AccountName:CREATOR OWNER, DomainName:
    
    ===AccessMask===
    
    #Specific Access Rights
    
    #Standard Access Rights
    
    ===AceType===
    ACCESS_ALLOWED_ACE_TYPE