Windows服务,用于控制对“所有用户\\应用程序数据”中文件的访问
[英]Windows service to control access to a file in “All Users\Application Data”
问题描述
Here is my situation: 
这是我的情况:
I have an application that use a configuration file. 我有一个使用配置文件的应用程序。 The configuration file applies to all users of the system and all users can make change to the configuration. 该配置文件适用于系统的所有用户,所有用户都可以更改配置。
I decided to put the configuration file in "All Users\\Application Data" folder. 我决定将配置文件放在“所有用户\\应用程序数据”文件夹中。
The problem is that the file is writable only by the user who created it. 问题是该文件只能由创建它的用户写入。
Here is my temporary solution: 这是我的临时解决方案:
When creating the file, the application set its security options so that it can be written by all users of the system. 创建文件时,应用程序会设置其安全性选项,以便系统的所有用户都可以编写该文件。
However, I think this is a hack and I think I have to create a service that will manage access to the file. 但是, 我认为这是一个hack ,我认为我必须创建一个服务来管理对文件的访问。
My application is written in C++ (MFC) and I'm not an expert with all the .Net stuff. 我的应用程序是用C ++(MFC)编写的,我不是所有.Net方面的专家。 So my first idea is to write a Windows C++ service with COM interfaces that will be called by the application. 因此,我的第一个想法是编写带有COM接口的Windows C ++服务,该接口将由应用程序调用。
My questions: 我的问题:
- Is my idea a good idea or someone knows a better way to do? 我的想法是一个好主意还是有人知道更好的方法?
- Is there any new more up to date way to do a service in Windows than plain C++ and COM? 与普通的C ++和COM相比,在Windows中进行服务有什么新方法吗?
EDIT: 编辑:
I know it's easy to set write permission to all users. 我知道很容易为所有用户设置写权限。
Back with Windows XP it was also easy to write files under "Program Files" and registry keys under "HKLM" with a limited user. 回到Windows XP,使用受限用户也可以轻松地在“程序文件”下写入文件,并在“ HKLM”下写入注册表项。 But now, if you want an application to have the Vista logo certification, you must not write to these location (event if Virtual Stores can 'save' you). 但是现在,如果您希望应用程序具有Vista徽标认证,则一定不要写到这些位置(如果Virtual Stores可以“保存”您,则该事件)。
Maybe my final solution will be the "make it writable to all users" one, but my question really is : "Is my solution good or do you have another easier solution that does not rely hacking a behavior fixed by Microsoft". 也许我的最终解决方案是“使其对所有用户都可写”,但是我的问题确实是:“我的解决方案好还是您有另一个更简单的解决方案,该解决方案不依赖于对Microsoft固定的行为进行黑客攻击”。
I'm really sorry to not have made it clear from the beginning. 真遗憾,从一开始就没有明确指出。
Thanks a lot, 非常感谢,
Nic 尼克
3 个解决方案
解决方案1
3 2009-01-15 21:22:52
This is not the right approach. 这不是正确的方法。 If you're putting the file in All Users\\Application Data, then it should be writable by all users. 如果要将文件放在“所有用户\\应用程序数据”中,则所有用户都应可写该文件。 When you create it, create it with write permissions for all users. 创建它时,请为所有用户创建具有写权限的文件。 Setting the creation permissions isn't that hard. 设置创建权限并不难。
解决方案2
1 2009-01-16 00:49:45
Raymond Chen's articles are interesting and detailed, but usually overly dogmatic and impractical. 雷蒙德·陈(Raymond Chen)的文章有趣而详尽,但通常过于教条和不切实际。 Unless this is some mission-critical system with danger of tampering, I'd take his perspective with a huge pile of NaCl. 除非这是一个具有篡改危险的关键任务系统,否则我将以他的观点使用一大堆NaCl。
Are your users going to open and modify the file directly? 您的用户要直接打开和修改文件吗? If not, just make the file global writable and enforce sane changes in your app's interface. 如果不是,只需将文件设置为全局可写并在应用程序界面中强制进行合理的更改即可。 For most classes of application it isn't worth the time and effort to protect a multiuser system from tampering. 对于大多数类别的应用程序来说,保护多用户系统免受篡改是不值得的。
Or, use a database. 或者,使用数据库。
解决方案3
0 已采纳 2009-01-15 15:12:47
I wouldn't even bother with COM. 我什至不理会COM。 Named pipes to your service work fine, too, and it's a lot easier to secure those with ACLs. 服务的命名管道也可以正常工作,并且使用ACL保护管道更容易。 The service will be so simple I wouldn't even bother with MFC or .NET, pure C++ should be fine. 该服务将是如此简单,我什至不必为MFC或.NET而烦恼,纯C ++应该可以。 All the heavy lifting is done by your real app; 所有繁重的工作都由您的真实应用程序完成; the service just checks if the request piped in are reasonable. 该服务仅检查通过管道传递的请求是否合理。 (ie. not too big etc.) (即不要太大等)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.