File that requires elevated privileges-CodePudding

I want to create a file that is:

Read-only accessible for all local users.
Read-write accessible only when application runs with elevated privileges.

I have found Windows-classic-samples

But for some reason, writing to the file fails even with elevated privileges. (I tried with PowerShell, NotePad , etc)

What am I doing wrong?

CodePudding user response：

As @RbMm and @RaymondChen show in the comments, this can be done very cleanly:

#include <Windows.h>

#include <Accctrl.h>
#include <Aclapi.h>
#include <sddl.h>
#include <filesystem>

enum class FileAccess { ReadOnly, ReadWrite };

void grantAllAccess(const std::filesystem::path &file, const FileAccess access)
{
    const auto sidString = (access == FileAccess::ReadWrite) ?
        L"D:PAI(A;;0x12019f;;;WD)(A;;FA;;;BA)" : // Everyone Read/Write, Admin full access
        L"D:P(A;;FA;;;BA)(A;;FR;;;WD)";          // Everyone Read only, Admin full access

    PSID pSid = nullptr;
    if(ConvertStringSecurityDescriptorToSecurityDescriptorW(
            sidString, SDDL_REVISION_1, &pSid, nullptr) == 0)
    {
        throw std::runtime_error("Failed to create SID");
    }

    if(SetFileSecurityW(file.c_str(), DACL_SECURITY_INFORMATION, pSid) == 0)
    {
        LocalFree(pSid);
        throw std::runtime_error("Failed to set SID to file");
    }
    
    LocalFree(pSid);
}

See this answer for how to generate these cryptic strings. See this repo to convert these strings to readable text.