This example uses the low-level access-control functions to attach an empty DACL to a file object. The effect of an empty DACL is to deny all access to the object.
The example allocates a buffer for the security descriptor and calls the InitializeSecurityDescriptor function to initialize the buffer. Then it allocates a buffer for the ACL and calls the InitializeAcl function to initialize that buffer. Next, it calls the SetSecurityDescriptorDacl function to attach the ACL to the security descriptor; and calls the SetFileSecurity function to attach the security descriptor to a file.
PSECURITY_DESCRIPTOR pSD;
PACL pACL;
DWORD cbACL = 1024;
// Initialize a security descriptor.
pSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR,
SECURITY_DESCRIPTOR_MIN_LENGTH); // defined in WINNT.H
if (pSD == NULL) {
ErrorHandler("LocalAlloc");
goto Cleanup;
}
if (!InitializeSecurityDescriptor(pSD,
SECURITY_DESCRIPTOR_REVISION)) { // defined in WINNT.H
ErrorHandler("InitializeSecurityDescriptor");
goto Cleanup;
}
// Initialize a DACL.
pACL = (PACL) LocalAlloc(LPTR, cbACL);
if (pACL == NULL) {
ErrorHandler("LocalAlloc");
goto Cleanup;
}
if (!InitializeAcl(pACL, cbACL, ACL_REVISION2)) {
ErrorHandler("InitializeAcl");
goto Cleanup;
}
// Add an empty ACL to the SD to deny access.
if (!SetSecurityDescriptorDacl(pSD,
TRUE, // fDaclPresent flag
pACL,
FALSE)) { // not a default DACL
ErrorHandler("SetSecurityDescriptorDacl");
goto Cleanup;
}
// Use the new SD as the file's security info.
if (!SetFileSecurity(lpszTestFile,
DACL_SECURITY_INFORMATION,
pSD)) {
ErrorHandler("SetFileSecurity");
goto Cleanup;
}
Cleanup:
if(pSD != NULL)
LocalFree((HLOCAL) pSD);
if(pACL != NULL)
LocalFree((HLOCAL) pACL);