curly
Full Member
Posts: 161
|
Post by curly on Oct 5, 2021 5:40:53 GMT -5
Hi all, me again.
I've had a good read and search but can't find anything, so I won't hold my breath...
Is it possible to set a file to read only, ideally with a password to open or edit?
Kind regards,
David
|
|
|
Post by Rod on Oct 5, 2021 7:02:02 GMT -5
|
|
|
Post by Walt Decker on Oct 5, 2021 9:29:02 GMT -5
If all you want to do is mark a file READ ONLY that can be done with kernel32.dll function: "SetFileAttributesA", PathAndFileName$ AS PTR, Attrib AS ULONG, RetVal AS LONG. Where Attrib = 1
E.g.:
' open the DLL and build the full path of the target file
OPEN "kernel32.dll" FOR DLL AS #KERN
MyFile$ = DefaultDir$ + "\Something.Txt"
' 1 = read-only
Attrib = 1
CALLDLL #KERN, "SetFileAttributesA", MyFile$ AS PTR, Attrib AS ULONG, RetVal AS LONG
If you also want to hide the file:
Attrib = 1 OR 2
CALLDLL #KERN, "SetFileAttributesA", MyFile$ AS PTR, Attrib AS ULONG, RetVal AS LONG
WINAPI VALUES:
FILE.ATTRIBUTE.READONLY = HEXDEC("&H00000001")
FILE.ATTRIBUTE.HIDDEN = HEXDEC("&H00000002")
FILE.ATTRIBUTE.SYSTEM = HEXDEC("&H00000004")
FILE.ATTRIBUTE.DIRECTORY = HEXDEC("&H00000010")
FILE.ATTRIBUTE.ARCHIVE = HEXDEC("&H00000020")
FILE.ATTRIBUTE.NORMAL = HEXDEC("&H00000080")
You can check file attributes with the GetFileAttributesA() function, e. g.
CALLDLL #KERN, "GetFileAttributesA", MyFile$ AS PTR, Attrib AS ULONG
Attrib will contain one or more of the values above.
I could set up a small dll for you that would accomplish both.
If you use SetFileAttributes() you could also set a password hash in the registry, but I would not recommend doing so. The password would have to be on every device that might use the file.
|
|
|
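How the attribute values listed above combine, as an added sketch in Python rather than Liberty BASIC (it is not code from any post in this thread). SetFileAttributesA replaces the whole attribute set, so the new mask is built from what GetFileAttributesA returned; the helper names `decode` and `updated_mask` are made up for this example.

```python
# Attribute bits as listed in the post above (Win32 FILE_ATTRIBUTE_* values).
READONLY, HIDDEN, SYSTEM = 0x01, 0x02, 0x04
DIRECTORY, ARCHIVE, NORMAL = 0x10, 0x20, 0x80
INVALID_FILE_ATTRIBUTES = 0xFFFFFFFF  # what GetFileAttributesA returns on failure

NAMES = {READONLY: "READONLY", HIDDEN: "HIDDEN", SYSTEM: "SYSTEM",
         DIRECTORY: "DIRECTORY", ARCHIVE: "ARCHIVE", NORMAL: "NORMAL"}


def decode(mask):
    """Return (names of the listed bits that are set, leftover unlisted bits)."""
    names = [name for bit, name in NAMES.items() if mask & bit]
    leftover = mask
    for bit in NAMES:
        leftover &= ~bit
    return names, leftover


def updated_mask(current, add=0, remove=0):
    """Value to pass to SetFileAttributesA: current bits, plus add, minus remove.

    NORMAL is only valid on its own, so it is dropped whenever another bit
    is set and used when nothing else is left.
    """
    if current == INVALID_FILE_ATTRIBUTES:
        raise ValueError("GetFileAttributesA failed; nothing to update")
    mask = (current | add) & ~remove & ~NORMAL
    return mask or NORMAL


if __name__ == "__main__":
    locked = updated_mask(ARCHIVE, add=READONLY | HIDDEN)
    print(hex(locked), decode(locked))
    print(hex(updated_mask(locked, remove=READONLY | HIDDEN)))
    # Decimal 80 is not &H80: it decodes to DIRECTORY plus an unlisted bit.
    print(decode(80), decode(0x80))
```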
Post by mknarr on Oct 5, 2021 9:45:19 GMT -5
I have a backup program I wrote that looks for the ARCHIVE attribute, changes it to NORMAL and backs it up using the code of Walt's. I've also had Windows change the attribute on a couple of my files to READONLY and I was able to change the attribute to NORMAL so I could edit the files again using the same code Walt showed.
|
|
Post by curly on Oct 6, 2021 6:15:59 GMT -5
Hi all, thanks for your help.
After all the data has been collected and validated, it is sent to our server for the Qualified Supervisor (I know it's a silly title, but it is official) to approve it. During the period between submission and approval, I can't allow the user to change it. The other options I considered were moving it to a hidden folder, or having a status bit in the file that could be set to various values to delete the data after it has been inputted, but thought setting a read only bit might be easier? Your valued opinions will be much appreciated. Having a status bit that could have various values might provide options for several scenarios? I think I'll utilise a status bit for moving forward after it has been submitted, but hiding it on the tablet will be really useful.
SO, WALT, MAKING IT A HIDDEN AND READ ONLY SOUNDS PERFECT IF I CAN SET TWO ATTRIBUTES, AND MAKE IT NORMAL WITH AN ANTIDOTE? I ASSUME HIDDEN FILES ARE HIDDEN ON TABLETS AS WELL!
In the hope of trying to understand code I am given, would this be close? I don't know how "SetFileAttributeA" is defined?
To hide and make read only
Attrib = 1
OPEN "kernel32.dll" FOR DLL AS #KERN
MyFile$ = "C:\work\" + "testfile.dat"
CALLDLL #KERN, "SetFileAttributesA", MyFile$ AS PTR, Attrib AS ULONG, RetVal AS LONG
Attrib = 2
OPEN "kernel32.dll" FOR DLL AS #KERN
MyFile$ = "C:\work\" + "testfile.dat"
CALLDLL #KERN, "SetFileAttributesA", MyFile$ AS PTR, Attrib AS ULONG, RetVal AS LONG
To restore to normal
Attrib = 80
OPEN "kernel32.dll" FOR DLL AS #KERN
MyFile$ = "C:\work\" + "testfile.dat"
CALLDLL #KERN, "SetFileAttributesA", MyFile$ AS PTR, Attrib AS ULONG, RetVal AS LONG
|
|
|
Post by Brandon Parker on Oct 6, 2021 6:51:20 GMT -5
Just another note, you should be able to use the kernel32.dll without having to explicitly open it in LB since it is already opened by LB itself with the handle #kernel32. Just replace #KERN with #kernel32 in your example and remove all of the "OPEN "kernel32.dll" FOR DLL AS #KERN" ...
Opening/Loading DLL's takes time and resources, so if LB already has them open, it is nothing but a benefit to the developer and the user to use it and not open/load a duplicate.
{:0)
Brandon Parker
|
|
|
Post by tsh73 on Oct 6, 2021 7:28:22 GMT -5
Couldn't one easily see hidden/system files by changing options of Explorer? (in days of old one had to go to Explorer settings. Now on Win 10 I have "Hidden files" checkbox right on View tab) If you see that file can't you just easily uncheck that read-only attribute?
There are alternative explorers that will show hidden files no matter that. There are editors that will allow to change read only file - I just got asked "File is read only, are you sure?" - that's all it took to change hidden read only file.
So I think as security stuff this plain doesn't work.
|
|
|
Post by tsh73 on Oct 6, 2021 7:31:48 GMT -5
use state
State submitted - no editing allowed
State approved - well, your choice.
Do not store data in user-modifiable way
If it is plain text, add some checksum to see if it got changed, in that case, refuse loading changed data.
|
|
|
Post by Rod on Oct 6, 2021 8:43:55 GMT -5
I am now more convinced that you need to calculate and store a hash of the file. To prove the file is unaltered recalculate the hash.
As tsh73 says the file attributes are easily amended and don’t really offer any security they just protect from inadvertent change. So you may still make the file read only.
|
|
|
Post by Walt Decker on Oct 6, 2021 9:21:17 GMT -5
Basic file attributes functions ---> attributes
Back in the DOS days we used to set the first character of a file to CHR$(0) even though the file was stored as hidden and read-only. That made it not show up in any programmer scan of the disk. Don't know if that works now.
Making a file read-only does not adequately protect the data from change. Commercial text apps will honor that but any beginning hacker like myself could write an app that can change the data. To determine if a file is changed you must do some kind of check sum on the original, store that check sum out of the file, and each time check the file when it is accessed against the original sum.
To make the file unreadable to the casual browser you could use some rudimentary compression/encryption, e. g. Huffman. But again you need a check sum to determine the original status of the data.
The best way to protect against data change is store the data on removable storage and lock it up.
When you see something like this:
Attrib = 1 OR 2
Attrib = (1 OR 2)
Attrib = 1 or 2
Attrib = (1 or 2)
it means that the value is a combination of the values produced by the logical "OR" operator not to choose one of the values.
Your best bet is to use the values I defined as in:
Attrib = FILE.ATTRIBUTE.READONLY OR FILE.ATTRIBUTE.HIDDEN
That way you know exactly what you are requesting.
80 and HEXDEC("&H80") ARE NOT THE SAME.
|
|
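The check that tsh73, Rod and Walt describe (compute a checksum when the file is submitted, keep it outside the file, recompute it on every open), as an added Python sketch that is not part of any post in this thread. It uses a keyed HMAC-SHA256 in place of a plain checksum, so an edited file cannot be re-stamped without the key, and it covers the status label as well; the key, file name and sample data are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import stat
import tempfile


def seal(path, status, key):
    """Return an HMAC-SHA256 tag over the status label and the file contents."""
    mac = hmac.new(key, status.encode() + b"\0", hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def is_unaltered(path, status, key, stored_tag):
    """Recompute the tag and compare it in constant time with the stored one."""
    return hmac.compare_digest(seal(path, status, key), stored_tag)


def demo():
    """Constructed scenario: a submitted file is changed behind the app's back."""
    key = b"constructed-demo-key"  # assumption: the real key is not kept beside the file
    with tempfile.TemporaryDirectory() as folder:
        path = os.path.join(folder, "testfile.dat")
        with open(path, "wb") as fh:
            fh.write(b"circuit 1: 0.35 ohm\n")         # constructed sample data
        tag = seal(path, "submitted", key)             # stored outside the file
        os.chmod(path, stat.S_IREAD)                   # mark the file read-only
        before = is_unaltered(path, "submitted", key, tag)
        relabelled = is_unaltered(path, "approved", key, tag)

        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)   # the flag is cleared again
        with open(path, "ab") as fh:
            fh.write(b"circuit 2: 0.10 ohm\n")
        after_edit = is_unaltered(path, "submitted", key, tag)
    return before, relabelled, after_edit


if __name__ == "__main__":
    print(demo())
```

The read-only flag does not stop the second write once it has been cleared; the stored tag is what shows that the file, or its status label, no longer matches what was submitted.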
Post by curly on Oct 7, 2021 4:29:24 GMT -5
WOW - a lot to take on board. Clearly setting attributes does not appear the best way forward?
To recap, after the user has clicked the button to indicate, 'I am finished and happy the inspection has been carried out and recorded correctly', the completed file is copied from the tablet to our server for our Qualified Supervisor (QS) to approve. During this time, the creator of the file must not be able to change it, but I'm loath to delete it at this stage in case it becomes corrupted during transit? When the QS is happy to approve it, I will look to send something to the tablet to delete the file stored there, but I feel I must stop the user making changes before the QS has done his bit. I therefore need to keep the file on the tablet but not accessible to the user. If the guy realises he has made an error, the QS needs to know and return the file to him for correction.
My thoughts also considered a status bit in the file that would be checked during opening. By having various values for the status bit, opening the file could be aborted under several different scenarios? The file will be encrypted before saving, so only my application will be able to understand it. Thinking more outside the box, the status bit could be used to monitor the state of the file from being saved incomplete, right up to and including being provided to the client, invoiced and paid?
The first item of data in the file is a string equivalent of a number. I could add a letter, a,b,c etc, as a prefix to the string to indicate the current status setting who could have access? Your thoughts on this will be most appreciated.
Kind regards, David
|
|
|
Post by Rod on Oct 7, 2021 4:45:21 GMT -5
So the encrypted completed file is passed to the server and stored there. This is the file the QS inspects and approves. How would this file get overwritten or amended? Surely only if the operator in the field changes something and resubmits. Your server may store this file separately with (2) appended but it depends on the OS. If it is desirable to allow amended files to be submitted the QS must inspect the final file. If the files carry a date stamp it will be obvious to everyone what's going on.
yyyymmddhhmmfilename.dat
Using this naming convention will list your files to the OS in date order.
|
|
|
Post by Carl Gundel on Oct 7, 2021 6:11:29 GMT -5
If your files are only accessed by software that you have control over, such as an application you supply in LB or other language then you can make use of fairly simple access methods because you are managing the locking/unlocking or access or whatever you want to call it. If you are trying to prevent other software or users from playing with files, then you have a much harder problem. So, is the goal to write an application, and that application will be the sole user of the files in question?
|
|
Post by curly on Oct 7, 2021 6:14:29 GMT -5
Hi Rod, at the moment, data is not validated before submission, so it is common for a QS to phone the engineer to clarify one or two things that look like typos, because they haven't been listed as defects or where data is simply missing? The engineers currently scribble everything on paper, and then complete their electronic document due to the inherent difficulties with the current software. The engineer checks his paper notes, and is required to confirm requested changes and additions by email, and the QS effects the changes to the electronic file on the server. It is a pain.
With my application, the engineer is made aware of non-compliant data as it is entered, and he must confirm whether it is a defect or he wants to change it. It also checks that every bit of data that is required has been entered before allowing the file to be closed and submitted. We cannot legislate for someone who lies and cheats, and simply makes up test results if they are valid, and that is why we make site visits to see the guys working, and checking some of the test results. Our hopes are that the QS will see that every item that is not compliant is recorded as a defect, and that all essential data is present, and no queries will arise, but we don't live in this perfect world yet? This would save us so much time if it worked that way.
I am already incorporating the date in the filename in the format you suggest, but will include the time as well going forward, thank you.
My son-in-law has now come round to the idea I might have something quite good? Happy days! He is a network engineer and will be responsible for FTP and IP things.
Question - did you get the shed built? I'm also in the throes of fitting 5 KVA of solar panels on my workshop roof with a large battery store in the hope of being as near to energy self sufficiency as possible. Are you a petrol head? If you do a Google search for DYJ624, a whole series of photos of one of my cars appears at many different locations. It is a 1955 Riley, and one of the pics includes me driving in a carnival at a village called Great Dunmow. This only seems to happen with this particular car, I don't know why? DYJ624 is the UK registration number. Thank you to all for your continued help, kind regards, David
|
|
Post by curly on Oct 7, 2021 6:27:54 GMT -5
Hi Carl,
I'm encrypting all files including the data files opened as needed in the hope that nobody else will be able to get anything useful from them. It is my intention they will only be of use using my application.
The quality of electrical reporting is not what we would like it to be, and my original intention was to create an application that I would give away for free to potential customers for them to validate and identify how bad the reports were from their current contractors, in the hope of us picking up new business. However, like lots of things, it has got out of hand somewhat and my daughter (she has taken my role as MD and made me the Chairman) sees this as a way of making us so much more profitable and competitive.
When the data has been approved by the QS, it is posted into a document template that becomes the client's pdf report. If nobody else can decipher the data, it is of no use to them.
Kind regards, David
|
|