# Безопасно наделяем группу "Everyone" правами на ключ реестра Windows API в Delphi

При разработке программного обеспечения часто возникает необходимость предоставить определенные разрешения на ключи реестра. В частности, может потребоваться, чтобы не имеющие административных прав пользователи могли писать в эти ключи. В данной статье мы рассмотрим, как программно предоставить группе "Everyone" права "Full Control" на ключ реестра с помощью Windows API и языка программирования Object Pascal (Delphi).

## Проблема

Разработчики часто сталкиваются с необходимостью настроить права доступа к ключам реестра так, чтобы с ними могли работать обычные пользователи. В частности, для установщика программного обеспечения важно, чтобы ключи реестра были доступны для записи, даже если пользователь не имеет административных привилегий.

Права "Full Control" включают WRITE_DAC и WRITE_OWNER, поэтому любой локальный пользователь сможет не только менять значения, но и переписать DACL ключа или удалить его; если значения из такого ключа читает служба или процесс с повышенными правами, ключ становится путём к повышению привилегий. Когда нужна только запись, достаточно выдать группе "Users" или "Authenticated Users" права KEY_SET_VALUE либо KEY_WRITE на отдельный подключ, а пользовательские настройки хранить в HKEY_CURRENT_USER.

## Решение

Для решения этой задачи можно использовать функцию `SetNamedSecurityInfo`. Вот пример кода на Object Pascal, который демонстрирует, как можно её использовать:

```pascal
program SetRegistryPermissions; {$APPTYPE CONSOLE} uses System.SysUtils, Windows; type TDACL = record AceCount: DWORD; Aces: array[0] of PACE_HEADER; end; PACE_HEADER = ^TAceHeader; TAceHeader = record AceType: BYTE; AceFlags: BYTE; AceSize: WORD; end; PSECURITY_DESCRIPTOR = ^TSecurityDescriptor; TSecurityDescriptor = record Revision: BYTE; Sbz1: BYTE; Control: DWORD; OwnerSID: PSID; GroupSID: PSID; Sacl: PSECURITY_DESCRIPTOR_CONTROL; Dacl: PSECURITY_DESCRIPTOR_CONTROL; end; TACE_ACCESS_ALLOWED_ACE = TAce; TAce = record AceType: BYTE; StartOfAce: BYTE; end; TACE_ACCESS_ALLOWED_OBJECT_ACE = TAce; TACE_ACCESS_DENIED = TACE_ACCESS_ALLOWED_ACE; TACE_ACCESS_DENIED_OBJECT_ACE = TACE_ACCESS_ALLOWED_OBJECT_ACE; type PACE_ACCESS_ALLOWED_ACE = ^TAceAccessAllowedAce; TAceAccessAllowedAce = record AceType: Integer; InheritedObjectType: Integer; AceFlags: BYTE; AccessMask: DWORD; end; function AllocateAndInitializeSid(PSIDAndAttributes, SidAttributes, SidDomain: 
PSID_IDENTIFIER_AUTHORITY; var Sid: PSID; SidCount: Integer): Boolean; stdcall; external 'secur32.dll'; function InitializeSecurityDescriptor(PSECDesc: PSECURITY_DESCRIPTOR; var Status: SECURITY_STATUS): SECURITY_STATUS; stdcall; external 'secur32.dll'; function SetSecurityDescriptorDacl(PSECDesc: PSECURITY_DESCRIPTOR; var Present, var Dacl: PSECURITY_DESCRIPTOR_CONTROL; var Flags: Longint): SECURITY_STATUS; stdcall; external 'secur32.dll'; function SetNamedSecurityInfo(const Key: PChar; var ObjectType: SECURITY_INFORMATION; const SIDOwner: PSID; const SIDGroup: PSID; const DACL: PSECURITY_DESCRIPTOR_CONTROL; const SACL: PSECURITY_DESCRIPTOR_CONTROL): SECURITY_STATUS; stdcall; external 'advapi32.dll' name '_SetNamedSecurityInfo@24'; function GetLengthSid(Sid: PSID): DWORD; stdcall; external 'secur32.dll'; function InitializeAcl(paAcl: PSECURITY_DESCRIPTOR_CONTROL; AceCount: DWORD; var AceRealloc: Boolean): SECURITY_STATUS; stdcall; external 'secur32.dll'; function AddAccessAllowedAceEx(paAcl: PSECURITY_DESCRIPTOR_CONTROL; AceRealloc: Boolean; AceSize: DWORD; AceType: DWORD; Inheritance: DWORD; AccessMask: DWORD; InheritedFrom: DWORD): Boolean; stdcall; external 'secur32.dll'; function ConvertStringSidToSid(const SidString: PChar; var Sid: PSID): SECURITY_STATUS; stdcall; external 'secur32.dll'; function ConvertSidToStringSid(Sid: PSID; var SidString: PChar): SECURITY_STATUS; stdcall; external 'secur32.dll'; const SECURITY_DESCRIPTOR_REVISION = $01000000; SECURITY_INFORMATION = 255; OWNER_SECURITY_INFORMATION = $00000001; GROUP_SECURITY_INFORMATION = $00000004; DACL_SECURITY_INFORMATION = $00000010; SACL_SECURITY_INFORMATION = $00000020; LABEL_SECURITY_INFORMATION = $00000040; ATTRIBUTE_SECURITY_INFORMATION = $00000080; SECURITY_DACL_PRESENT = $00000100; SECURITY_DS_MAX_ID_REVISION = $00000200; SECURITY_DS_DOMAIN_REDUNDANCY = $00000400; SECURITY_DS_HAS_IMPLICIT_CROSSING = $00000800; SECURITY_DS_FIREWALLED_NON_FS = $00001000; SECURITY_DS_FIREWALLED = $00002000; 
SECURITY_DS_DSML_EXISTS_IN_SD = $00004000; SECURITY_DS_DNS_REQUIRED = $00008000; SECURITY_DS_HAS_DS_DSML_EX = $00010000; SECURITY_DS_DNS_HOSTNAME_MISMATCH = $00020000; SECURITY_DS_EXCLUDE_INSECURE_NON_DS_FROM_SID = $00040000; SECURITY_DS_DS_DISALLOW_REANON = $00080000; SECURITY_DS_DS_DISALLOW_PARTIAL = $00100000; SECURITY_DS_DS_DISALLOW_SERVER_OVERWRITE = $00200000; SECURITY_DS_DS_DISALLOW_REDUNDANT = $00400000; SECURITY_DS_DS_DISALLOW_PARENT_OVERWRITE = $00800000; SECURITY_DS_DS_DISALLOW_CHILDREN = $01000000; SECURITY_DS_DS_DISALLOW_MIXED = $02000000; SECURITY_DS_DS_DISALLOW_INHERIT = $04000000; SECURITY_DS_DS_DISALLOW_PROP = $08000000; SECURITY_DS_DS_DISALLOW_DOWNREPLICATE = $10000000; SECURITY_DS_DS_DISALLOW_PARTIAL_REPLICATE = $20000000; SECURITY_DS_DS_DISALLOW_PARTITION_SYNC = $40000000; SECURITY_DS_FORCE_MAPPED_TOKEN = $80000000; SECURITY_DS_POSIX = $1000000; SECURITY_DS_OID = $2000000; SECURITY_DS_OID_SID = $4000000; SECURITY_DS_MAX_SID = SECURITY_DACL_PRESENT or SECURITY_DS_MAX_ID_REVISION; SECURITY_DS_FRE_FULL_PROP = $10000; SECURITY_DS_FRE_PROVIDER = $20000; SECURITY_DS_FRE_DEPARTMENT = $40000; SECURITY_DS_FRE_CUSTOMER = $80000; SECURITY_DS_FRE_EMPLOYEE = $100000; SECURITY_DS_FRE_CONTACT = $200000; SECURITY_DS_FRE_DISTLIST = $400000; SECURITY_DS_FRE_EMAILADDR = $800000; SECURITY_DS_FRE_TELEPHONE = $1000000; SECURITY_DS_FRE_FAX = $2000000; SECURITY_DACL_DEFAULTED = $4000000; SECURITY_DS_DNS_DNAME = $8000000; SECURITY_DS_DNS_FLAT_NAME = $10000000; SECURITY_DS_DNS_REVERSE_LOOKUP_ZONE = $20000000; SECURITY_DS_DNS_ARECNAME_COMPAT = $40000000; SECURITY_DS_DNS_SERVER = $80000000; SECURITY_DS_DNS_UPDATE_API = $100000000; SECURITY_DS_DNS_ACCEPT_PEER_SUPPORTS_SECURITY = $200000000; SECURITY_DS_DS_DNS_HOST_TREE_ROOT = $400000000; SECURITY_DS_DNS_ZONE_MASTER = $800000000; SECURITY_DS_DS_MAX_PPOSID = SECURITY_DS_DACL_DEFAULTED or SECURITY_DS_DNS_DNAME; SECURITY_DS_FullyQualified = $1000000000; SECURITY_DS_DEFAULT = SECURITY_DS_DACL_DEFAULTED or SECURITY_DS_DNS_DNAME; 
SECURITY_DS_FLEXIBLE_OID_BIT_MASK = $1FF00000; SECURITY_DS_INTERNAL_DS = $2000000000; SECURITY_DS_INTERNAL_UPN = $4000000000; SECURITY_DS_DS_DISALLOW_DELETE = $10000000000; SECURITY_DS_DS_DISALLOW_RESTORE = $20000000000; SECURITY_DS_DS_DISALLOW_REPLICATE = $40000000000; SECURITY_DS_DS_DISALLOW_ALL = SECURITY_DS_DS_DISALLOW_REANON or SECURITY_DS_DISALLOW_REDUNDANT or SECURITY_DS_DISALLOW_PARTIAL or SECURITY_DS_DISALLOW_SERVER_OVERWRITE or SECURITY_DS_DS_DISALLOW_PARENT_OVERWRITE or SECURITY_DS_DS_DISALLOW_CHILDREN or SECURITY_DS_DS_DISALLOW_MIXED or SECURITY_DS_DS_DISALLOW_INHERIT or SECURITY_DS_DS_DISALLOW_PROP or SECURITY_DS_DS_DISALLOW_DOWNREPLICATE or SECURITY_DS_DS_DISALLOW_PARTITION_SYNC or SECURITY_DS_DS_DISALLOW_PARTIAL_REPLICATE or SECURITY_DS_DS_DISALLOW_REPLICATE_LAZY_SYNC or SECURITY_DS_DS_DISALLOW_PARTITION_SYNC_ACROSS_DOMAINS or SECURITY_DS_DS_DISALLOW_INTRASITE_ACTIVATION or SECURITY_DS_DISALLOW_DELETE or SECURITY_DS_DS_DISALLOW_RESTORE; SECURITY_DS_DS_DISALLOW_TOPIC = $100000000000; SECURITY_DS_DS_DISALLOW_UNENLIST = $200000000000; SECURITY_DS_DS_DISALLOW_TREE_DELETE = $400000000000; SECURITY_DS_DS_DISALLOW_TREE_PUBLISH = $800000000000; SECURITY_DS_DS_DISALLOW_RESOURCE_DEP = $1000000000000; SECURITY_DS_DS_DISALLOW_SUBTREE_SPOOF = $2000000000000; SECURITY_DS_DS_DISALLOW_INHERITDEL = $4000000000000; SECURITY_DS_DS_DISALLOWtop = $000000000000000000; SECURITY_DS_DS_DISALLOW_VIRTUAL = $100000000000000; SECURITY_DS_DS_DISALLOW_ANON = $200000000000000; SECURITY_DS_DS_DISALLOW_PROV_REPLICA = $40000000000000; SECURITY_DS_DS_DISALLOW_INSCROSS_REST = $80000000000000; SECURITY_DS_DS_DISALLOW_INSCROSS_PUB = $100000000000000; SECURITY_DS_DS_DISALLOW_TREE_WRITES = $200000000000000; SECURITY_DS_DS_DISALLOW_CHILDREN_DISCOVERY = $400000000000000; SECURITY_DS_DS_DISALLOW_READ = SECURITY_DS_DS_DISALLOW_ALL or SECURITY_DS_DS_DISALLOW_TOPIC or SECURITY_DS_DS_DISALLOW_UNENLIST or SECURITY_DS_DS_DISALLOW_TREE_PUBLISH or SECURITY_DS_DS_DISALLOW_RESOURCE_DEP or 
SECURITY_DS_DS_DISALLOW_SUBTREE_SPOOF or SECURITY_DS_DS_DISALLOW_INHERITDEL or SECURITY_DS_DS_DISALLOW_VIRTUAL or SECURITY_DS_DS_DISALLOW_ANON or SECURITY_DS_DS_DISALLOW_PROV_REPLICA or SECURITY_DS_DS_DISALLOW_INSCROSS_REST or SECURITY_DS_DS_DISALLOW_INSCROSS_PUB or SECURITY_DS_DS_DISALLOW_TREE_WRITES or SECURITY_DS_DS_DISALLOW_CHILDREN_DISCOVERY; SECURITY_DS_DS_DISALLOW_EXECUTE = SECURITY_DS_DS_DISALLOW_ALL or SECURITY_DS_DS_DISALLOW_TREE_WRITES; SECURITY_DS_DS_DISALLOW_READ_PROP = SECURITY_DS_DS_DISALLOW_READ or SECURITY_DS_DS_DISALLOW_PROP; SECURITY_DS_DS_DISALLOW_WRITE = SECURITY_DS_DS_DISALLOW_ALL or SECURITY_DS_DS_DISALLOW_TREE_WRITES or SECURITY_DS_DS_DISALLOW_INHERITDEL; SECURITY_DS_DS_DISALLOW_ALL_ACCESS_EXCEPT_WRITE = SECURITY_DS_DS_DISALLOW_ALL or SECURITY_DS_DS_DISALLOW_READ or SECURITY_DS_DS_DISALLOW_EXECUTE; SECURITY_DS_DS_DISALLOW_ALL_ACCESS_EXCEPT_EXECUTE = SECURITY_DS_DS_DISALLOW_ALL or SECURITY_DS_DS_DISALLOW_READ or SECURITY_DS_DS_DISALLOW_WRITE; SECURITY_DS_DS_DISALLOW_ALL_ACCESS_EXCEPT_READ = SECURITY_DS_DS_DISALLOW_ALL or SECURITY_DS_DS_DISALLOW_WRITE or SECURITY_DS_DS_DISALLOW_EXECUTE; SECURITY_DS_DS_DISALLOW_ALL_ACCESS = SECURITY_DS_DS_DISALLOW_ALL; SECURITY_DS_DS_DISALLOW_INHERITED_ACCESS = SECURITY_DS
```

Листинг на этом обрывается: в нём нет основного блока `begin … end.` и ни одного вызова объявленных функций, поэтому скомпилировать и проверить его в таком виде нельзя. Объявления также расходятся с Windows SDK: `AllocateAndInitializeSid`, `InitializeAcl`, `SetSecurityDescriptorDacl` и `GetLengthSid` экспортируются из advapi32.dll, а не из secur32.dll, константа `DACL_SECURITY_INFORMATION` равна $00000004, а длинный ряд констант `SECURITY_DS_*`, насколько можно судить, заголовкам SDK не соответствует. Прототипы и значения констант следует сверять с модулем Windows из поставки Delphi и документацией Microsoft.

В данном контексте рассматривается задача безопасного предоставления всем пользователям (группе 'Everyone') полного доступа к ключу реестра в операционной системе Windows, используя API и язык программирования Delphi.

Материалы статей собраны из открытых источников, владелец сайта не претендует на авторство. Там, где авторство установить не удалось, материал подаётся без имени автора. В случае если Вы считаете, что Ваши права нарушены, пожалуйста, свяжитесь с владельцем сайта.