October 30th, 2024

I have enabled “take ownership” permission, but I still cannot obtain write access

A customer was trying to write to a file that was protected with an access control list that did not grant write access to anyone, not even administrators. They found that they couldn’t open the file with dwDesiredAccess equal to GENERIC_WRITE, not even if they ran the process elevated and enabled the SE_TAKE_OWNERSHIP_NAME privilege.

The SE_TAKE_OWNERSHIP_NAME privilege does not affect access control masks. The SE_TAKE_OWNERSHIP_NAME privilege controls whether you can call Set­Named­Security­Info with the OWNER_SECURITY_INFORMATION flag to change the owner of an object.

Taking ownership of an object still doesn’t grant you write access, though. What you do get from ownership is automatic READ_CONTROL and WRITE_DAC access: The permission to read and write permissions.

Gaining write access to a file starting from “take ownership” privilege is therefore a multi-step procedure.

First, enable the “take ownership” privilege. This makes it possible to change a file’s owner.

Next, call Set­Named­Security­Info with the OWNER_SECURITY_INFORMATION flag to set yourself as the file owner. This gives you permission to change permissions.

Next, call Set­Named­Security­Info again, this time with the DACL_SECURITY_INFORMATION flag, passing an access control list that grants you write access.

Now you have write access to the file and can open it for GENERIC_WRITE.

Topics
Code

Author

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.

0 comments

Discussion are closed.