
Windows Access Control Model: Creating a Discretionary Access Control List


16. Creating a discretionary access control list

This part assumes you already know what your Access Control List contains (refer back to part 1 for advice on choosing a good DACL). Please note that each security descriptor has a tightly-coupled relationship with the object it is securing. The reason is that each ACE bears an ACCESS_MASK member, whose meaning depends on the object type.

Q. You now know the contents of your discretionary Access Control List. You are now required to build it.

Here is the example ACL we will build from. This is a typical DACL for a file under the user profile:

Allow LocalSystem: Full Control (FILE_ALL_ACCESS), and propagate to all children.
Allow Admins: Full Control (FILE_ALL_ACCESS), and propagate to all children.
Allow CurrentUser: Read, Write & Execute (FILE_GENERIC_READ | FILE_GENERIC_EXECUTE | FILE_GENERIC_WRITE), and propagate to all children.

Figure 20a: Build this example DACL.

In SDDL that is:

"(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;GRGX;;;<CurrentUserSid>)"

Figure 20b: The example DACL in SDDL

  1. This is perhaps the toughest part of Access Control. If you are editing a security descriptor rather than creating one from scratch, you need to get the old security descriptor first. Then, when you are adding the entries for the DACL, make sure you add the ACEs in the preferred order of ACEs.
    1. Calculate the total size for the ACL (the ACL needs to be a contiguous block that can hold an ACL structure, the size of all the simple ACEs minus the SidStart member, the size of all the object ACEs minus the SidStart member, and the size of all the SIDs).
    2. Allocate a buffer for the ACL_HEADER, which will most likely have to be LocalAlloc()ed.
    3. If you are building a security descriptor from scratch, call InitializeAcl() to initialize the ACL header. Otherwise, you can copy the information from an existing ACL.
    4. Build up an array of your access-denied ACEs.
    5. Reallocate your ACL so it can hold this ACE array after it.
    6. (This step may not be required.) Get a pointer to the free space after your ACL (either by calling FindFirstFreeAce(), or by moving the pointer yourself).
    7. Add the denied ACEs to the ACL by calling AddAccessDeniedAce().
    8. Repeat steps 3-7 for the allowed ACEs (call AddAccessAllowedAce() instead of AddAccessDeniedAce()).
    9. With the ACL now built, set the Dacl member of the absolute security descriptor to it by calling SetSecurityDescriptorDacl().

    It is interesting to note that this is the only method of the three that can make unordered DACLs and NULL DACLs.

  2. In Windows 2000, editing a DACL is as simple as appending text to a string. Build up your access control list from an SDDL string. Once you have built up your SDDL, call the ConvertStringSecurityDescriptorToSecurityDescriptor() function to build a security descriptor. Then just extract the DACL using GetSecurityDescriptorDacl(). If you are editing an existing security descriptor, you can either start from scratch, building an all-new DACL, or you can take the existing SDDL and build from there.
  3. You can build a security descriptor in ATL either by supplying your SDDL to CSecurityDesc::FromString(), or you can build it up using the CDacl class. If you are editing a security descriptor, you should obtain the security descriptor first and call its GetDacl() method. You can obtain a Dacl directly from an object by calling AtlGetDacl(). Otherwise, instantiate a new CDacl object yourself. Regardless of the way it was created, you call AddDeniedAce() to add an access-denied entry, then you call AddAllowedAce() to add an access-allowed entry.
#include <atlsecurity.h>
...
// CDacl is the ATL wrapper around a DACL. Each AddAllowedAce() call appends an
// access-allowed ACE built from a SID, an access mask and the ACE flags; the
// inherit flags make the entry propagate to child files and folders.
// FileName (LPCTSTR) and CurrentUser (the caller's SID) are assumed to be set earlier.
ATL::CDacl dacl;
dacl.AddAllowedAce(ATL::Sids::System(), FILE_ALL_ACCESS,   // LocalSystem (S-1-5-18)
  CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE);
dacl.AddAllowedAce(ATL::Sids::Admins(), FILE_ALL_ACCESS,   // BUILTIN\Administrators
  CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE);
dacl.AddAllowedAce(ATL::CSid(CurrentUser), FILE_GENERIC_READ |
  FILE_GENERIC_WRITE | FILE_GENERIC_EXECUTE, CONTAINER_INHERIT_ACE |
  OBJECT_INHERIT_ACE);

// Apply the DACL to the file object.
ATL::AtlSetDacl(FileName, SE_FILE_OBJECT, dacl);
...

Figure 20c: Creating the access control list to apply to a file.
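The following is an added example (not code from the original article or from ATL) that models the three-ACE DACL of Figure 20a without calling the Windows API, so it can be run on any platform. It demonstrates two of the points above at once: step 1 of the manual method (computing the contiguous block size from sizeof(ACL), the ACE header plus ACCESS_MASK with SidStart excluded, and each SID's length, which are restated as constants) together with the "preferred order" check that method 1 alone can violate, and method 2 (rendering the list as the SDDL string you would pass to ConvertStringSecurityDescriptorToSecurityDescriptor(), and parsing it back). The current-user SID is a constructed placeholder, and the user ACE uses the rights string GRGWGX because the text grants write as well as read and execute (Figure 20b's GRGX covers read and execute only).

```cpp
// Added example, not code from the original article: a portable C++17 model of
// the three-ACE DACL of Figure 20a. No Windows header is used; the byte sizes
// below restate the Win32 layout so the arithmetic can be checked offline.
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// Win32 layout facts: sizeof(ACL) == 8; an ACCESS_ALLOWED/DENIED_ACE is a 4-byte
// ACE_HEADER plus a 4-byte ACCESS_MASK followed by the SID (the SidStart DWORD
// is replaced by the SID itself); a SID is 8 bytes plus 4 per sub-authority.
constexpr std::size_t kAclHeaderBytes = 8;
constexpr std::size_t kAceFixedBytes  = 8;
constexpr std::size_t kSidFixedBytes  = 8;

enum class AceType { Allow, Deny };

struct Ace {
    AceType     type;
    std::string flags;   // SDDL ACE flags, e.g. "OICI" (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE)
    std::string rights;  // SDDL rights, e.g. "FA" (FILE_ALL_ACCESS) or "GRGWGX"
    std::string sid;     // SDDL alias ("SY", "BA") or a full "S-1-..." string
};

// Expand the two SDDL aliases used in Figure 20b to full SID strings.
std::string expandSid(const std::string& sid) {
    if (sid == "SY") return "S-1-5-18";      // NT AUTHORITY\SYSTEM (LocalSystem)
    if (sid == "BA") return "S-1-5-32-544";  // BUILTIN\Administrators
    if (sid.rfind("S-1-", 0) == 0) return sid;
    throw std::invalid_argument("unsupported SID alias: " + sid);
}

// Byte length of a SID given its string form: every '-' after the second one
// introduces a 32-bit sub-authority.
std::size_t sidBytes(const std::string& sid) {
    std::size_t dashes = 0;
    for (char c : expandSid(sid)) if (c == '-') ++dashes;
    return kSidFixedBytes + 4 * (dashes - 2);
}

// Step 1 of the manual method: size of the contiguous block the ACL needs.
std::size_t aclBytes(const std::vector<Ace>& aces) {
    std::size_t total = kAclHeaderBytes;
    for (const Ace& a : aces) total += kAceFixedBytes + sidBytes(a.sid);
    return total;
}

// Method 2: render the DACL as the SDDL ACE list (the part after "D:").
std::string toSddl(const std::vector<Ace>& aces) {
    std::string out;
    for (const Ace& a : aces)
        out += "(" + std::string(a.type == AceType::Allow ? "A" : "D") + ";" +
               a.flags + ";" + a.rights + ";;;" + a.sid + ")";
    return out;
}

// Parse such a string back: each ACE is "(type;flags;rights;objguid;inhguid;sid)".
std::vector<Ace> parseSddl(const std::string& sddl) {
    std::vector<Ace> aces;
    std::size_t pos = 0;
    while ((pos = sddl.find('(', pos)) != std::string::npos) {
        std::size_t end = sddl.find(')', pos);
        if (end == std::string::npos) throw std::invalid_argument("unterminated ACE");
        std::string body = sddl.substr(pos + 1, end - pos - 1);
        std::vector<std::string> f;
        std::size_t start = 0, semi;
        while ((semi = body.find(';', start)) != std::string::npos) {
            f.push_back(body.substr(start, semi - start));
            start = semi + 1;
        }
        f.push_back(body.substr(start));
        if (f.size() != 6) throw std::invalid_argument("ACE needs 6 fields: " + body);
        if (f[0] != "A" && f[0] != "D") throw std::invalid_argument("unsupported ACE type: " + f[0]);
        aces.push_back({f[0] == "A" ? AceType::Allow : AceType::Deny, f[1], f[2], f[5]});
        pos = end + 1;
    }
    return aces;
}

// The "preferred order" from step 1: non-inherited ACEs before inherited ones
// (flag "ID"), and within each group every Deny before any Allow. The API will
// accept a list that breaks this, but access checks then evaluate it wrongly.
bool isCanonicalOrder(const std::vector<Ace>& aces) {
    int last = 0;
    for (const Ace& a : aces) {
        bool inherited = a.flags.find("ID") != std::string::npos;
        int rank = (inherited ? 2 : 0) + (a.type == AceType::Allow ? 1 : 0);
        if (rank < last) return false;
        last = rank;
    }
    return true;
}

// The DACL of Figure 20a; the user SID is a constructed placeholder.
const std::string kUserSid = "S-1-5-21-1000000000-2000000000-3000000000-1001";
std::vector<Ace> figure20aDacl() {
    return {{AceType::Allow, "OICI", "FA", "SY"},
            {AceType::Allow, "OICI", "FA", "BA"},
            {AceType::Allow, "OICI", "GRGWGX", kUserSid}};
}
```

For the example list, aclBytes() yields 8 + (8 + 12) + (8 + 16) + (8 + 28) = 88 bytes, which is the number you would pass to LocalAlloc() and InitializeAcl() in method 1; on Windows the same figure comes out of sizeof(ACL) plus, per ACE, sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(). isCanonicalOrder() is the check worth running before SetSecurityDescriptorDacl() whenever ACEs were appended by hand, since that is the one path that can produce an unordered DACL.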
