SetSecurityDescriptorDacl - Win32 API Documentation

Function

The SetSecurityDescriptorDacl function associates a discretionary access control list (DACL) with a security descriptor.

Syntax

BOOL SetSecurityDescriptorDacl(
  _Inout_ PSECURITY_DESCRIPTOR pSecurityDescriptor,
  _In_    BOOL               bDaclPresent,
  _In_    PACL               pDacl,
  _In_    BOOL               bDaclDefaulted
);

Parameters

pSecurityDescriptor
[in, out] A pointer to a SECURITY_DESCRIPTOR structure.
bDaclPresent
[in] A boolean value that indicates whether the DACL is present in the security descriptor. If this parameter is TRUE, the DACL is present. If this parameter is FALSE, the DACL is not present.
pDacl
[in] A pointer to an ACL structure. This DACL is copied into the security descriptor. If pDacl is NULL, the security descriptor has a NULL DACL. A NULL DACL is different from an empty DACL. A NULL DACL means that no DACL is specified. An empty DACL (an ACL with zero ACEs) grants all access rights to everyone and denies access to no one.
bDaclDefaulted
[in] A boolean value that indicates whether the DACL information is inherited from a parent object. If this parameter is TRUE, the DACL information is inherited. If this parameter is FALSE, the DACL information is not inherited.

Return value

TRUE
The function was successful. The DACL was successfully applied to the security descriptor.
FALSE
The function failed. To get extended error information, call GetLastError.

Remarks

To set the DACL for a security descriptor, you must first initialize the security descriptor by calling InitializeSecurityDescriptor.
When you are finished with the security descriptor, you must free its memory.
The SetSecurityDescriptorDacl function allocates memory to hold the DACL.

Requirements

Component	Value
Minimum supported client	Windows 2000 Professional
Minimum supported server	Windows 2000 Server
Redistributable	None
Header file	securitybaseapi.h (include Securitybaseapi.h)
Library	Advapi32.lib
DLL	Advapi32.dll

Example

For a sample code snippet demonstrating how to use this function, please refer to the Security Descriptor Sample.

// This is a placeholder for an actual code example.
// Real examples would be much more involved,
// demonstrating the creation of ACLs and Security Descriptors.

#include <windows.h>
#include <aclapi.h>
#include <stdio.h>

// Function to create a simple DACL
BOOL CreateSimpleDacl(PACL* ppAcl) {
    ACL_SIZE_INFORMATION aclSizeInfo;
    DWORD aclBytesNeeded = 0;
    BOOL bRet = FALSE;

    // Calculate the size needed for the ACL
    if (!GetAclInformation(*ppAcl, &aclSizeInfo, sizeof(ACL_SIZE_INFORMATION), AclSizeInformation)) {
        if (GetLastError() == ERROR_INVALID_HANDLE) { // ACL is NULL, we need to create it
            aclBytesNeeded = 1024; // Initial guess, adjust as needed
            *ppAcl = (PACL)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, aclBytesNeeded);
            if (*ppAcl == NULL) return FALSE;
            if (!InitializeAcl(*ppAcl, aclBytesNeeded, ACL_REVISION)) return FALSE;
            if (!GetAclInformation(*ppAcl, &aclSizeInfo, sizeof(ACL_SIZE_INFORMATION), AclSizeInformation)) return FALSE;
        } else {
            return FALSE;
        }
    }

    // Add an ACE (Access Allowed) for the current user
    // In a real scenario, you'd use LookupAccountName or similar to get SID
    // For demonstration, we'll assume a simple SID structure is available.

    // Placeholder for SID and ACE addition logic
    printf("Placeholder: Adding ACE to DACL.\n");

    bRet = TRUE;
    return bRet;
}


int main() {
    SECURITY_DESCRIPTOR sd;
    ACL dacl;
    PACL pDacl = &dacl;
    BOOL bDaclPresent = FALSE;
    BOOL bDaclDefaulted = FALSE;

    // Initialize the security descriptor
    if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION)) {
        fprintf(stderr, "InitializeSecurityDescriptor failed with error %d\n", GetLastError());
        return 1;
    }

    // Prepare a DACL (simplified, requires more complex logic for real use)
    // In a real app, you would typically use AllocateAndInitializeSid, AddAccessAllowedAce, etc.
    // and ensure sufficient memory is allocated for the ACL.
    printf("Attempting to set DACL...\n");

    // For demonstration, let's assume we want to create a DACL
    // A more robust solution would allocate memory for the DACL using HeapAlloc or LocalAlloc.
    // This example uses a stack-allocated ACL for simplicity, which is not recommended for production.
    if (!CreateSimpleDacl(&pDacl)) {
         fprintf(stderr, "Failed to prepare DACL.\n");
         // Clean up if HeapAlloc was used
         if (pDacl != &dacl && pDacl != NULL) HeapFree(GetProcessHeap(), 0, pDacl);
         return 1;
    }

    bDaclPresent = TRUE;
    bDaclDefaulted = FALSE; // Indicate that the DACL is explicitly set

    // Associate the DACL with the security descriptor
    if (!SetSecurityDescriptorDacl(&sd, bDaclPresent, pDacl, bDaclDefaulted)) {
        fprintf(stderr, "SetSecurityDescriptorDacl failed with error %d\n", GetLastError());
        // Clean up if HeapAlloc was used
        if (pDacl != &dacl && pDacl != NULL) HeapFree(GetProcessHeap(), 0, pDacl);
        return 1;
    }

    printf("SetSecurityDescriptorDacl succeeded.\n");

    // In a real application, you would then typically apply this security descriptor
    // to an object using functions like SetKernelObjectSecurity.

    // Clean up allocated memory for DACL if it was dynamically allocated
    if (pDacl != &dacl && pDacl != NULL) {
        HeapFree(GetProcessHeap(), 0, pDacl);
        pDacl = NULL;
    }

    return 0;
}