Method: File.set_permissions

Defined in:
lib/win32/file/security.rb

.set_permissions(file, perms) ⇒ Object

Sets the file permissions for the given file name. The ‘permissions’ argument is a hash with an account name as the key, and the various permission constants as possible values. The possible constant values are:

  • FILE_READ_DATA

  • FILE_WRITE_DATA

  • FILE_APPEND_DATA

  • FILE_READ_EA

  • FILE_WRITE_EA

  • FILE_EXECUTE

  • FILE_DELETE_CHILD

  • FILE_READ_ATTRIBUTES

  • FILE_WRITE_ATTRIBUTES

  • FULL

  • READ

  • ADD

  • CHANGE

  • DELETE

  • READ_CONTROL

  • WRITE_DAC

  • WRITE_OWNER

  • SYNCHRONIZE

  • STANDARD_RIGHTS_ALL

  • STANDARD_RIGHTS_REQUIRED

  • STANDARD_RIGHTS_READ

  • STANDARD_RIGHTS_WRITE

  • STANDARD_RIGHTS_EXECUTE

  • SPECIFIC_RIGHTS_ALL

  • ACCESS_SYSTEM_SECURITY

  • MAXIMUM_ALLOWED

  • GENERIC_READ

  • GENERIC_WRITE

  • GENERIC_EXECUTE

  • GENERIC_ALL

Example:

# Set locally
File.set_permissions(file, "userid" => File::GENERIC_ALL)

# Set a remote system
File.set_permissions(file, "host\\userid" => File::GENERIC_ALL)

Raises:

  • (TypeError) 


379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
 
# File 'lib/win32/file/security.rb', line 379

def set_permissions(file, perms)
  # Check local filesystem to see if it supports ACL's. If not, bail early

  # because the GetFileSecurity function will not fail on an unsupported FS.

  unless supports_acls?(file)
    raise ArgumentError, "Filesystem does not implement ACL support"
  end

  wide_file = string_check(file).wincode
  raise TypeError unless perms.kind_of?(Hash)

  sec_desc = FFI::MemoryPointer.new(:pointer, SECURITY_DESCRIPTOR_MIN_LENGTH)

  unless InitializeSecurityDescriptor(sec_desc, 1)
    raise SystemCallError.new("InitializeSecurityDescriptor", FFI.errno)
  end

  acl_new = FFI::MemoryPointer.new(ACL, 100)

  unless InitializeAcl(acl_new, acl_new.size, ACL_REVISION2)
    raise SystemCallError.new("InitializeAcl", FFI.errno)
  end

  perms.each{ |, mask|
    next if mask.nil?

    # reset account_rights for each entry in perms:

     = 0

    server,  = .split("\\")

    if ['BUILTIN', 'NT AUTHORITY'].include?(server.upcase)
      wide_server = nil
    elsif .nil?
      wide_server = nil
       = server
    else
      wide_server = server.wincode
    end

     = .wincode

    sid = FFI::MemoryPointer.new(:uchar, 1024)
    sid_size = FFI::MemoryPointer.new(:ulong)
    sid_size.write_ulong(sid.size)

    domain = FFI::MemoryPointer.new(:uchar, 260)
    domain_size = FFI::MemoryPointer.new(:ulong)
    domain_size.write_ulong(domain.size)

    use_ptr = FFI::MemoryPointer.new(:ulong)

    val = LookupAccountNameW(
       wide_server,
       ,
       sid,
       sid_size,
       domain,
       domain_size,
       use_ptr
    )

    raise SystemCallError.new("LookupAccountName", FFI.errno) unless val

    all_ace = ACCESS_ALLOWED_ACE2.new

    val = CopySid(
      ALLOW_ACE_LENGTH - ACCESS_ALLOWED_ACE.size,
      all_ace.to_ptr+8,
      sid
    )

    raise SystemCallError.new("CopySid", FFI.errno) unless val

    if (GENERIC_ALL & mask).nonzero?
       = GENERIC_ALL & mask
    elsif (GENERIC_RIGHTS_CHK & mask).nonzero?
       = GENERIC_RIGHTS_MASK & mask
    else
      # Do nothing, leave it set to zero.

    end

    all_ace[:Header][:AceFlags] = INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE

    2.times{
      if  != 0
        all_ace[:Header][:AceSize] = 8 + GetLengthSid(sid)
        all_ace[:Mask] = 

        val = AddAce(
          acl_new,
          ACL_REVISION2,
          MAXDWORD,
          all_ace,
          all_ace[:Header][:AceSize]
        )

        raise SystemCallError.new("AddAce", FFI.errno) unless val

        all_ace[:Header][:AceFlags] = CONTAINER_INHERIT_ACE
      else
        all_ace[:Header][:AceFlags] = 0
      end

       = REST_RIGHTS_MASK & mask
    }
  }

  unless SetSecurityDescriptorDacl(sec_desc, 1, acl_new, 0)
    raise SystemCallError.new("SetSecurityDescriptorDacl", FFI.errno)
  end

  unless SetFileSecurityW(wide_file, DACL_SECURITY_INFORMATION, sec_desc)
    raise SystemCallError.new("SetFileSecurity", FFI.errno)
  end

  self
end