[Share] FileFilter File Protection
Posted: 2012-8-29 12:18 13335
Latest replies (27)
26
DesiredAccess
Specifies an ACCESS_MASK value that determines the requested access to the object. In addition to the access rights that are defined for all types of objects (see ACCESS_MASK), the caller can specify any of the following access rights, which are specific to files:

| ACCESS_MASK Flag | Allows Caller to Do This |
|---|---|
| FILE_READ_DATA | Read data from the file. |
| FILE_READ_ATTRIBUTES | Read the file's attributes. (For more information, see the description of the FileAttributes parameter.) |
| FILE_READ_EA | Read the file's extended attributes (EAs). This flag is irrelevant for device and intermediate drivers. |
| FILE_WRITE_DATA | Write data to the file. |
| FILE_WRITE_ATTRIBUTES | Write the file's attributes. (For more information, see the description of the FileAttributes parameter.) |
| FILE_WRITE_EA | Change the file's extended attributes (EAs). This flag is irrelevant for device and intermediate drivers. |
| FILE_APPEND_DATA | Append data to the file. |
| FILE_EXECUTE | Use system paging I/O to read data from the file into memory. This flag is irrelevant for device and intermediate drivers. |

Caution: Do not specify FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, or FILE_EXECUTE when creating or opening a directory.

The caller can only specify a generic access right, GENERIC_XXX, for a file, not a directory. Generic access rights correspond to specific access rights as follows:

| Generic Access Right | Set of Specific Access Rights |
|---|---|
| GENERIC_READ | STANDARD_RIGHTS_READ, FILE_READ_DATA, FILE_READ_ATTRIBUTES, FILE_READ_EA, and SYNCHRONIZE. |
| GENERIC_WRITE | STANDARD_RIGHTS_WRITE, FILE_WRITE_DATA, FILE_WRITE_ATTRIBUTES, FILE_WRITE_EA, FILE_APPEND_DATA, and SYNCHRONIZE. |
| GENERIC_EXECUTE | STANDARD_RIGHTS_EXECUTE, FILE_EXECUTE, FILE_READ_ATTRIBUTES, and SYNCHRONIZE. This value is irrelevant for device and intermediate drivers. |
| GENERIC_ALL | FILE_ALL_ACCESS. // With this right, how do you determine the subsequent operations? |

If the file is actually a directory, the caller can also specify the following generic access rights:

| DesiredAccess Flag | Allows Caller to Do This |
|---|---|
| FILE_LIST_DIRECTORY | List the files in the directory. |
| FILE_TRAVERSE | Traverse the directory—in other words, include the directory in the path of a file. |
2012-9-1 22:54
0
27
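To read a file, the access right is FILE_READ_DATA. If FILE_WRITE_DATA is there as well, then besides reading, the caller is also asking to write. At that point you can reject the request outright, regardless of whether it is actually going to write. Why do it this way? Just think of a read-only optical disc: is the rejection really made at the moment of the write?? Read-only is always decided in PreCreate.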
2012-9-2 00:39
0
28
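Reject the ALL right outright. If you don't believe it, try opening the contents of a read-only disc with that right and see whether it opens. You might think: I open with FILE_WRITE_DATA, but I never write afterwards. Then think about this: why does Microsoft make you specify the access rights in CreateFile, instead of having you specify them when you go to write? In fact the whole system is designed this way: every object that is opened must be opened with specified access rights. In other words, the system performs the access check when the object is opened, to see whether your operation is legal. If the check passes, then your later operations are fine as long as they stay within the scope you requested when opening; at that point the checking is simple, not like at open time.

Perhaps you have a specific requirement. When designing software, who doesn't have special requirements of their own? But if the system doesn't provide it, or the system's architecture is simply that way, and you want to get your own work done inside its framework, you have to follow certain rules; otherwise, even if you manage it, it won't necessarily be stable. Unless the operating system is one you designed yourself from start to finish, in which case, apart from the limits of the hardware, you can do whatever you like.

If it were an operating system you designed, then doing the access check at write time would be fine too; everyone developing programs on your operating system would then follow your rules.

This is just my humble opinion, offered casually; if I got something wrong, please forgive me.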
2012-9-2 00:54
0
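An added example, not from the thread or from any poster's driver: a user-space C model of the open-time decision that replies 27 and 28 describe, including the GENERIC_ALL case raised in reply 26. The helper names `map_generic` and `deny_at_create` and the `MODIFY_RIGHTS` policy are assumptions; the access-mask values are the ones from the Windows headers, and the generic bits are expanded defensively in case they are still present in the mask.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* ACCESS_MASK values as defined in the Windows headers (winnt.h / wdm.h). */
#define FILE_READ_DATA        0x00000001u
#define FILE_WRITE_DATA       0x00000002u
#define FILE_APPEND_DATA      0x00000004u
#define FILE_WRITE_EA         0x00000010u
#define FILE_WRITE_ATTRIBUTES 0x00000100u
#define DELETE                0x00010000u
#define WRITE_DAC             0x00040000u
#define WRITE_OWNER           0x00080000u
#define GENERIC_ALL           0x10000000u
#define GENERIC_EXECUTE       0x20000000u
#define GENERIC_WRITE         0x40000000u
#define GENERIC_READ          0x80000000u
#define FILE_GENERIC_READ     0x00120089u
#define FILE_GENERIC_WRITE    0x00120116u
#define FILE_GENERIC_EXECUTE  0x001200A0u
#define FILE_ALL_ACCESS       0x001F01FFu
/* Assumed policy: any right that can change data, metadata or security, or delete. */
#define MODIFY_RIGHTS (FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_EA | \
                       FILE_WRITE_ATTRIBUTES | DELETE | WRITE_DAC | WRITE_OWNER)

/* Expand generic bits into the file-specific rights they stand for. */
uint32_t map_generic(uint32_t access)
{
    if (access & GENERIC_READ)    access |= FILE_GENERIC_READ;
    if (access & GENERIC_WRITE)   access |= FILE_GENERIC_WRITE;
    if (access & GENERIC_EXECUTE) access |= FILE_GENERIC_EXECUTE;
    if (access & GENERIC_ALL)     access |= FILE_ALL_ACCESS;
    return access & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
}

/* Hypothetical helper: decide at open time, from the requested rights alone. */
bool deny_at_create(uint32_t desired_access)
{
    return (map_generic(desired_access) & MODIFY_RIGHTS) != 0;
}

int main(void)
{
    /* Constructed sample requests, not captured from a real system. */
    const uint32_t samples[] = { FILE_READ_DATA, FILE_READ_DATA | FILE_WRITE_DATA, GENERIC_ALL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("DesiredAccess 0x%08X -> %s\n", (unsigned)samples[i],
               deny_at_create(samples[i]) ? "deny" : "allow");
    return 0;
}
```

In a minifilter the same mask test would sit in the pre-create callback and run against the DesiredAccess of the create request.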