RtlSetDaclSecurityDescriptor - NtDoc
Native API online documentation, based on the System Informer
(formerly Process Hacker) phnt
headers
#ifndef _NTRTL_H
NTSYSAPI
NTSTATUS
NTAPI
RtlSetDaclSecurityDescriptor(
_Inout_ PSECURITY_DESCRIPTOR SecurityDescriptor,
_In_ BOOLEAN DaclPresent,
_In_opt_ PACL Dacl,
_In_ BOOLEAN DaclDefaulted
);
View code on GitHub// wdm.h
NTSYSAPI NTSTATUS RtlSetDaclSecurityDescriptor(
[in, out] PSECURITY_DESCRIPTOR SecurityDescriptor,
[in] BOOLEAN DaclPresent,
[in, optional] PACL Dacl,
[in, optional] BOOLEAN DaclDefaulted
);
View the official Windows Driver Kit DDI referenceThis function is documented in Windows Driver Kit.
The RtlSetDaclSecurityDescriptor routine sets the DACL information of an absolute-format security descriptor, or if there is already a DACL present in the security descriptor, it is superseded.
SecurityDescriptor [in, out]A pointer to a SECURITY_DESCRIPTOR structure. This structure is the security descriptor to which the DACL is to be applied.
DaclPresent [in]Whether to indicate that a DACL is present in the security descriptor. If this parameter is FALSE, RtlSetDaclSecurityDescriptor sets the SE_DACL_PRESENT control flag in the security descriptor to FALSE. In this case, the remaining optional parameters (Dacl and DaclDefaulted) are ignored. If DaclPresent is TRUE, the SE_DACL_PRESENT flag in the security descriptor is set to TRUE and the remaining optional parameters are not ignored. For more information about the SE_DACL_PRESENT flag, see SECURITY_DESCRIPTOR_CONTROL.
Dacl [in, optional]A pointer to the DACL for the security descriptor. If this parameter is NULL, the DACL pointer in the security descriptor is set to NULL. A NULL DACL pointer unconditionally grants all access to an object and is not the same as an empty DACL. An empty DACL denies all access to an object. If Dacl is non-NULL, the ACL structure supplied by the caller is referenced by, but not copied into, the security descriptor. The caller can allocate the ACL structure from paged system memory, and can call the RtlCreateAcl routine to initialize the structure.
❗WARNING❗ Setting a NULL DACL allows unrestricted access the object and, therefore, should only be used in strategic scenarios where a security evaluation has validated that this is an acceptable outcome. Consider using an empty DACL, which defaults to all access being denied by default.
DaclDefaulted [in, optional]Whether the DACL was supplied by some default mechanism, or was explicitly specified by the caller. If this parameter is TRUE, the DACL was supplied by a default mechanism. If DaclDefaulted is FALSE, the caller explicitly specified the DACL. RtlSetDaclSecurityDescriptor copies the value specified for this parameter to the SE_DACL_DEFAULTED control flag in the security descriptor. For more information about the SE_DACL_DEFAULTED flag, see SECURITY_DESCRIPTOR_CONTROL.
RtlSetDaclSecurityDescriptor can return one of the following status values.
| Return code | Description |
|---|---|
| STATUS_SUCCESS | The call completed successfully. |
| STATUS_UNKNOWN_REVISION | The revision of the security descriptor is unknown. |
| STATUS_INVALID_SECURITY_DESCR | The security descriptor is not an absolute format security descriptor. |