7 releases

Uses old Rust 2015

0.3.0 Jan 11, 2021
0.2.2 Jun 29, 2020
0.2.1 May 15, 2020
0.2.0 Mar 16, 2020
0.1.0 Aug 20, 2018

#27 in Windows APIs

Download history 4534/week @ 2024-01-22 5088/week @ 2024-01-29 5219/week @ 2024-02-05 4389/week @ 2024-02-12 5463/week @ 2024-02-19 4879/week @ 2024-02-26 5932/week @ 2024-03-04 5004/week @ 2024-03-11 5420/week @ 2024-03-18 4827/week @ 2024-03-25 4120/week @ 2024-04-01 5711/week @ 2024-04-08 4616/week @ 2024-04-15 5415/week @ 2024-04-22 5551/week @ 2024-04-29 3806/week @ 2024-05-06

19,542 downloads per month
Used in 11 crates (2 directly)

MIT license

610KB
2K SLoC

Contains (WOFF font, 120KB) docs/Heuristica-Italic.woff, (WOFF font, 90KB) docs/FiraSans-Medium.woff, (WOFF font, 92KB) docs/FiraSans-Regular.woff, (WOFF font, 56KB) docs/SourceCodePro-Regular.woff, (WOFF font, 56KB) docs/SourceCodePro-Semibold.woff, (WOFF font, 49KB) docs/SourceSerifPro-Bold.woff and 1 more.

windows-acl

Build Status Crates.io

Rust library to simplify Windows ACL operations.

Using windows-acl

First, add the following line to the dependencies section of the project’s Cargo.toml file.

winapi =0.3.5”
windows-acl =0.1.0

In the main Rust source code file, add the windows-acl external crate and import the symbols as follows:

extern crate winapi;
extern crate windows_acl;

use winapi::um::winnt::{
    PSID, FILE_GENERIC_READ, FILE_GENERIC_EXECUTE, FILE_GENERIC_WRITE,
    FILE_ALL_ACCESS, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP,
    SYSTEM_MANDATORY_LABEL_NO_READ_UP, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP
};
use windows_acl::acl::ACL;

NOTE: Altering system ACL entries require either Administrator privileges or the ability to acquire the SeSecurityPrivilege privilege.

Adding a mandatory integrity label

    let high_integrity_level_sid = string_to_sid("S-1-16-12288").unwrap();

    let mut acl = ACL::from_file_path("C:\\Users\\andy\\work\\high_il", true).unwrap();

    // Set high_il to be a high integrity level directory
    match acl.integrity_level(
                high_integrity_level_sid.as_ptr() as PSID,
                true,
                SYSTEM_MANDATORY_LABEL_NO_WRITE_UP |
                    SYSTEM_MANDATORY_LABEL_NO_READ_UP |
                    SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP
            ) {
        Ok(status) => {
            if !status {
                println!("We had an internal issue trying to add high integrity level to high_il");
            }
        },
        Err(code) => {
            println!("Failed to add high integrity level to high_il: error={}", code);
        }
    }

Adding an audit entry

    let world_sid = string_to_sid("S-1-1-0").unwrap();

    let mut acl = ACL::from_file_path("C:\\Users\\andy\\work\\sensitive_files", true).unwrap();

    // Audit every file operation in sensitive_files from anyone in the Everyone group
    match acl.audit(
                world_sid.as_ptr() as PSID,
                true,
                FILE_ALL_ACCESS,
                true,
                true
            ) {
        Ok(status) => {
            if !status {
                println!("We had an internal issue trying to add audit entry to sensitive_files");
            }
        },
        Err(code) => {
            println!("Failed to add audit entry to sensitive_files: error={}", code);
        }
    }

Denying guest access to a directory

    let guests = string_to_sid("S-1-5-32-546").unwrap();

    let mut acl = ACL::from_file_path("C:\\Users\\andy\\work\\sensitive_files", false).unwrap();

    // Guests cannot read anything in this directory. However, they can still drop files there
    match acl.deny(guests.as_ptr() as PSID, true, FILE_GENERIC_READ) {
        Ok(status) => {
            if !status {
                println!("We had an internal issue trying to add a deny entry to sensitive_files");
            }
        },
        Err(code) => {
            println!("Failed to add deny entry: error={}", code);
        }
    }

Removing entries

    let world_sid = string_to_sid("S-1-1-0").unwrap();

    let mut acl = ACL::from_file_path("C:\\Users\\andy\\work\\sensitive_files", true).unwrap();

    // Remove a SystemAudit entry; remove() can also remove DACL entries as well
    match acl.remove(world_sid.as_ptr() as PSID, Some(AceType::SystemAudit), None) {
        Ok(removed) => {
            println!("Removed {} entries", removed);
        },
        Err(code) => {
            println!("Failed to remove entry: error={}", code);
        }
    }

Example Applications

See query_acl.rs in the example/ directory.

Unit Tests

The current unit tests expect to be run in a single threaded environment with elevated privileges. By default, Rust executes unit tests with multiple threads. To successfully run tests, the following must be done:

  1. Open an elevated privilege/Administrator Command Prompt or Powershell Terminal.
  2. Set the RUST_TEST_THREADS environment variable to 1.
  3. Run cargo test

Dependencies