6 releases

0.2.2 Jun 29, 2020
0.2.1 May 15, 2020
0.2.0 Mar 16, 2020
0.1.0 Aug 20, 2018

#7 in Windows APIs

Download history 1269/week @ 2020-03-16 715/week @ 2020-03-23 721/week @ 2020-03-30 1368/week @ 2020-04-06 1036/week @ 2020-04-13 589/week @ 2020-04-20 1393/week @ 2020-04-27 1233/week @ 2020-05-04 1101/week @ 2020-05-11 1246/week @ 2020-05-18 695/week @ 2020-05-25 893/week @ 2020-06-01 460/week @ 2020-06-08 535/week @ 2020-06-15 941/week @ 2020-06-22 1006/week @ 2020-06-29

4,022 downloads per month

MIT license

610KB
2K SLoC

windows-acl

Build Status Crates.io

Rust library to simplify Windows ACL operations.

Using windows-acl

First, add the following line to the dependencies section of the project’s Cargo.toml file.

winapi =0.3.5”
windows-acl =0.1.0

In the main Rust source code file, add the windows-acl external crate and import the symbols as follows:

extern crate winapi;
extern crate windows_acl;

use winapi::um::winnt::{
    PSID, FILE_GENERIC_READ, FILE_GENERIC_EXECUTE, FILE_GENERIC_WRITE,
    FILE_ALL_ACCESS, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP,
    SYSTEM_MANDATORY_LABEL_NO_READ_UP, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP
};
use windows_acl::acl::ACL;

NOTE: Altering system ACL entries require either Administrator privileges or the ability to acquire the SeSecurityPrivilege privilege.

Adding a mandatory integrity label

    let high_integrity_level_sid = string_to_sid("S-1-16-12288").unwrap();

    let mut acl = ACL::from_file_path("C:\\Users\\andy\\work\\high_il", true).unwrap();

    // Set high_il to be a high integrity level directory
    match acl.integrity_level(
                high_integrity_level_sid.as_ptr() as PSID,
                true,
                SYSTEM_MANDATORY_LABEL_NO_WRITE_UP |
                    SYSTEM_MANDATORY_LABEL_NO_READ_UP |
                    SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP
            ) {
        Ok(status) => {
            if !status {
                println!("We had an internal issue trying to add high integrity level to high_il");
            }
        },
        Err(code) => {
            println!("Failed to add high integrity level to high_il: error={}", code);
        }
    }

Adding an audit entry

    let world_sid = string_to_sid("S-1-1-0").unwrap();

    let mut acl = ACL::from_file_path("C:\\Users\\andy\\work\\sensitive_files", true).unwrap();

    // Audit every file operation in sensitive_files from anyone in the Everyone group
    match acl.audit(
                world_sid.as_ptr() as PSID,
                true,
                FILE_ALL_ACCESS,
                true,
                true
            ) {
        Ok(status) => {
            if !status {
                println!("We had an internal issue trying to add audit entry to sensitive_files");
            }
        },
        Err(code) => {
            println!("Failed to add audit entry to sensitive_files: error={}", code);
        }
    }

Denying guest access to a directory

    let guests = string_to_sid("S-1-5-32-546").unwrap();

    let mut acl = ACL::from_file_path("C:\\Users\\andy\\work\\sensitive_files", false).unwrap();

    // Guests cannot read anything in this directory. However, they can still drop files there
    match acl.deny(guests.as_ptr() as PSID, true, FILE_GENERIC_READ) {
        Ok(status) => {
            if !status {
                println!("We had an internal issue trying to add a deny entry to sensitive_files");
            }
        },
        Err(code) => {
            println!("Failed to add deny entry: error={}", code);
        }
    }

Removing entries

    let world_sid = string_to_sid("S-1-1-0").unwrap();

    let mut acl = ACL::from_file_path("C:\\Users\\andy\\work\\sensitive_files", true).unwrap();

    // Remove a SystemAudit entry; remove() can also remove DACL entries as well
    match acl.remove(world_sid.as_ptr() as PSID, Some(AceType::SystemAudit), None) {
        Ok(removed) => {
            println!("Removed {} entries", removed);
        },
        Err(code) => {
            println!("Failed to remove entry: error={}", code);
        }
    }

Example Applications

See query_acl.rs in the example/ directory.

Unit Tests

The current unit tests expect to be run in a single threaded environment with elevated privileges. By default, Rust executes unit tests with multiple threads. To successfully run tests, the following must be done:

  1. Open an elevated privilege/Administrator Command Prompt or Powershell Terminal.
  2. Set the RUST_TEST_THREADS environment variable to 1.
  3. Run cargo test

Dependencies