A customer was trying to write to a file that was protected with an access control list that did not grant write access to anyone, not even administrators. They found that they couldn’t open the file with dwDesiredAccess
equal to GENERIC_
, not even if they ran the process elevated and enabled the SE_
privilege.
The SE_
privilege does not affect access control masks. The SE_
privilege controls whether you can call SetÂNamedÂSecurityÂInfo
with the OWNER_
flag to change the owner of an object.
Taking ownership of an object still doesn’t grant you write access, though. What you do get from ownership is automatic READ_
and WRITE_
access: The permission to read and write permissions.
Gaining write access to a file starting from “take ownership” privilege is therefore a multi-step procedure.
First, enable the “take ownership” privilege. This makes it possible to change a file’s owner.
Next, call SetÂNamedÂSecurityÂInfo
with the OWNER_
flag to set yourself as the file owner. This gives you permission to change permissions.
Next, call SetÂNamedÂSecurityÂInfo
again, this time with the DACL_
flag, passing an access control list that grants you write access.
Now you have write access to the file and can open it for GENERIC_
.
0 comments