Access Control List (ACL)
The Access Control List (ACL) structure defines the security permissions attached to an object. ACLs are used throughout the Windows operating system to protect resources such as files, registry keys, and kernel objects.
Header
#include <windows.h>
#include <aclapi.h>
Key Structures
| Structure | Definition |
|---|---|
| ACL | Contains a variable‑length array of ACE entries that define allowed or denied access. |
| ACE_HEADER | Header common to all ACE types. Holds ACE type, flags, and size. |
| ACCESS_ALLOWED_ACE | Specifies an allowed access mask for a given SID. |
| ACCESS_DENIED_ACE | Specifies a denied access mask for a given SID. |
Creating an ACL
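DWORD dwError = ERROR_SUCCESS;
PACL pAcl = NULL;
PSID pSid = NULL;
EXPLICIT_ACCESSW ea[2];   // wide-character form, matching the L"..." trustee name below
SID_IDENTIFIER_AUTHORITY NTAuthority = SECURITY_NT_AUTHORITY;

ZeroMemory(&ea, sizeof(ea));

// Build the SID for the built-in Administrators group (S-1-5-32-544).
if (!AllocateAndInitializeSid(&NTAuthority, 2,
                              SECURITY_BUILTIN_DOMAIN_RID,
                              DOMAIN_ALIAS_RID_ADMINS,
                              0, 0, 0, 0, 0, 0,
                              &pSid)) {
    dwError = GetLastError();
    // handle error
}

// Entry 0: Administrators, identified by SID, get read and write access.
ea[0].grfAccessPermissions = GENERIC_READ | GENERIC_WRITE;
ea[0].grfAccessMode = SET_ACCESS;
ea[0].grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[0].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
ea[0].Trustee.ptstrName = (LPWSTR)pSid;

// Entry 1: Everyone, identified by name, gets read access.
// The account name is localized, so this lookup assumes an English system.
ea[1].grfAccessPermissions = GENERIC_READ;
ea[1].grfAccessMode = SET_ACCESS;
ea[1].grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
ea[1].Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea[1].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
ea[1].Trustee.ptstrName = (LPWSTR)L"Everyone";

// Build a new ACL from the two entries. Free pAcl with LocalFree when done.
dwError = SetEntriesInAclW(2, ea, NULL, &pAcl);
if (dwError != ERROR_SUCCESS) {
    // handle error
}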
Applying an ACL to an Object
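SECURITY_DESCRIPTOR sd;
if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION) ||
    !SetSecurityDescriptorDacl(&sd, TRUE, pAcl, FALSE)) {
    // handle error (GetLastError)
}

SECURITY_ATTRIBUTES sa = {0};
sa.nLength = sizeof(sa);
sa.lpSecurityDescriptor = &sd;
sa.bInheritHandle = FALSE;

// The descriptor is applied only when the file is created; CreateFile
// ignores it if C:\Temp\example.txt already exists.
HANDLE hFile = CreateFileW(L"C:\\Temp\\example.txt",
                           GENERIC_READ | GENERIC_WRITE,
                           0,
                           &sa,
                           CREATE_ALWAYS,
                           FILE_ATTRIBUTE_NORMAL,
                           NULL);
if (hFile == INVALID_HANDLE_VALUE) {
    // handle error (GetLastError)
} else {
    CloseHandle(hFile);
}

// Release the ACL and the SID allocated in the previous section.
LocalFree(pAcl);
if (pSid) FreeSid(pSid);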
Common Functions
- InitializeAcl – Initializes an ACL structure.
- AddAccessAllowedAce – Adds an ACCESS_ALLOWED_ACE to an ACL.
- AddAccessDeniedAce – Adds an ACCESS_DENIED_ACE to an ACL.
- SetSecurityInfo – Applies a security descriptor to an object.
- GetSecurityInfo – Retrieves a security descriptor from an object.