{"id":110440,"date":"2024-10-30T07:00:00","date_gmt":"2024-10-30T14:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=110440"},"modified":"2024-10-30T13:07:37","modified_gmt":"2024-10-30T20:07:37","slug":"20241030-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20241030-00\/?p=110440","title":{"rendered":"I have enabled “take ownership” permission, but I still cannot obtain write access"},"content":{"rendered":"

A customer was trying to write to a file that was protected with an access control list that did not grant write access to anyone, not even administrators. They found that they couldn’t open the file with dwDesiredAccess<\/code> equal to GENERIC_WRITE<\/code>, not even if they ran the process elevated and enabled the SE_TAKE_OWNERSHIP_NAME<\/code> privilege.<\/p>\n

The SE_TAKE_OWNERSHIP_NAME<\/code> privilege does not affect access control masks. The SE_TAKE_OWNERSHIP_NAME<\/code> privilege controls whether you can call Set\u00adNamed\u00adSecurity\u00adInfo<\/code> with the OWNER_SECURITY_INFORMATION<\/code> flag to change the owner of an object.<\/p>\n

Taking ownership of an object still doesn’t grant you write access, though. What you do get from ownership is automatic READ_CONTROL<\/code> and WRITE_DAC<\/code> access: The permission to read and write permissions.<\/p>\n

Gaining write access to a file starting from “take ownership” privilege is therefore a multi-step procedure.<\/p>\n

First, enable the “take ownership” privilege. This makes it possible to change a file’s owner.<\/p>\n

Next, call Set\u00adNamed\u00adSecurity\u00adInfo<\/code> with the OWNER_SECURITY_INFORMATION<\/code> flag to set yourself as the file owner. This gives you permission to change permissions.<\/p>\n

Next, call Set\u00adNamed\u00adSecurity\u00adInfo<\/code> again, this time with the DACL_SECURITY_INFORMATION<\/code> flag, passing an access control list that grants you write access.<\/p>\n

Now you have write access to the file and can open it for GENERIC_WRITE<\/code>.<\/p>\n","protected":false},"excerpt":{"rendered":"

Taking ownership is only one part of gaining write access.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-110440","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"

Taking ownership is only one part of gaining write access.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/110440","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=110440"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/110440\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=110440"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=110440"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=110440"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}