amn · March 15, 2019 09:19
diff --git a/set-security-info-by-sddl.c b/set-security-info-by-sddl.c
 /*
 	Demonstrates how using SetFileSecurity does not result in a [file] ACL with ACEs inherited from parent [folder], while using SetNamedSecurityInfo does, as is proper.
 	
 	Disable (comment) the `SetNamedSecurityInfo` call along with its parent `if` statement and enable (uncomment) the following `SetFileSecurity` call (and its parent `if` statement, obviously) to switch the behavior and observe different resultant ACL on the file.
 	
 	The Windows application entry point in this snippet expects two command line arguments -- the file path of the file you want to set security information on, and the actual security (specified in SDDL format) information desired for the file.
 */

 #include <windows.h>
 #include <shellapi.h>
 #include <sddl.h>
 #include <aclapi.h>

 int APIENTRY wWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int nCmdShow)
 {
 	int argc;

 	LPWSTR * argv = CommandLineToArgvW(lpCmdLine, &argc);

 	if(argv == NULL) {
 		return -1;
 	}

 	if(argc < 2) {
 		MessageBox(NULL, L"Invalid command line.", NULL, MB_ICONERROR);
 		return -2;
 	}

 	PSECURITY_DESCRIPTOR p_sd;

 	if(ConvertStringSecurityDescriptorToSecurityDescriptor(argv[1], SDDL_REVISION_1, &p_sd, NULL) == 0) {
 		return -3;
 	}

 	PACL p_dacl;
 	BOOL p_dacl_present, p_dacl_defaulted;

 	if(GetSecurityDescriptorDacl(p_sd, &p_dacl_present, &p_dacl, &p_dacl_defaulted) == 0) {
 		return -5;
 	}

 	if(SetNamedSecurityInfo(argv[0], SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, p_dacl, NULL) != 0) {
 		return -6;
 	}

 	/*if(SetFileSecurity(argv[0], DACL_SECURITY_INFORMATION, p_sd) == 0) {
 		return -4;
 	}*/

 	LocalFree(p_sd);
 	LocalFree(argv);

 	return 0;
 }
	/*
	Demonstrates how using SetFileSecurity does not result in a [file] ACL with ACEs inherited from parent [folder], while using SetNamedSecurityInfo does, as is proper.

	Disable (comment) the `SetNamedSecurityInfo` call along with its parent `if` statement and enable (uncomment) the following `SetFileSecurity` call (and its parent `if` statement, obviously) to switch the behavior and observe different resultant ACL on the file.

	The Windows application entry point in this snippet expects two command line arguments -- the file path of the file you want to set security information on, and the actual security (specified in SDDL format) information desired for the file.
	*/

	#include <windows.h>
	#include <shellapi.h>
	#include <sddl.h>
	#include <aclapi.h>

	int APIENTRY wWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int nCmdShow)
	{
	int argc;

	LPWSTR * argv = CommandLineToArgvW(lpCmdLine, &argc);

	if(argv == NULL) {
	return -1;
	}

	if(argc < 2) {
	MessageBox(NULL, L"Invalid command line.", NULL, MB_ICONERROR);
	return -2;
	}

	PSECURITY_DESCRIPTOR p_sd;

	if(ConvertStringSecurityDescriptorToSecurityDescriptor(argv[1], SDDL_REVISION_1, &p_sd, NULL) == 0) {
	return -3;
	}

	PACL p_dacl;
	BOOL p_dacl_present, p_dacl_defaulted;

	if(GetSecurityDescriptorDacl(p_sd, &p_dacl_present, &p_dacl, &p_dacl_defaulted) == 0) {
	return -5;
	}

	if(SetNamedSecurityInfo(argv[0], SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, p_dacl, NULL) != 0) {
	return -6;
	}

	/*if(SetFileSecurity(argv[0], DACL_SECURITY_INFORMATION, p_sd) == 0) {
	return -4;
	}*/

	LocalFree(p_sd);
	LocalFree(argv);

	return 0;
	}