RE: BACKUP_SEMANTICS and inherited ACE




I don't think this functionality is currently exposed.
I mean, an executable with the SE_BACKUP_NAME (BACKUP_OPERATOR) privilege
enabled cannot use GetNamedSecurityInfo and hence cannot determine whether
an ACE is inherited or not.

Even GetExplicitEntriesFromACL won't help you.

"Himanshu" wrote:

I have a backup application that needs to determine whether an ACE is
inherited or not. I am using the following APIs in the given order.
1. CreateFile(filename, READ_CONTROL, FILE_SHARE_READ, NULL, OPEN_EXISTING,
FILE_FLAG_BACKUP_SEMANTICS, NULL);
2. GetKernelObjectSecurity(handle, DACL_SECURITY_INFORMATION, ...);

The DACL returned by #2 does not have the INHERITED_ACE flag set for the
inherited ACEs.
If I use GetNamedSecurityInfo I do get the flag set, but this function does
not support BACKUP_SEMANTICS.

How does one determine whether an ACE is inherited or not for a file which
does not grant me any access?

Thanks for the help.
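
The following is an added example, not code from either poster: it shows where the INHERITED_ACE bit discussed in this thread sits in the raw bytes of a DACL, by walking the documented ACL header and ACE_HEADER layout with bounds checks. The function name `count_inherited_aces` is hypothetical and `SAMPLE_ACL` is a constructed two-entry ACL, not output captured from a real file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define INHERITED_ACE 0x10 /* AceFlags bit, value as defined in winnt.h */

/* Constructed sample: ACL revision 2, 48 bytes, two ACCESS_ALLOWED ACEs. */
static const uint8_t SAMPLE_ACL[] = {
    0x02, 0x00, 0x30, 0x00, 0x02, 0x00, 0x00, 0x00, /* ACL header          */
    0x00, 0x00, 0x14, 0x00, 0xFF, 0x01, 0x1F, 0x00, /* ACE 1: explicit     */
    0x01, 0x01, 0, 0, 0, 0, 0, 0x05, 0x12, 0, 0, 0, /*   SID S-1-5-18      */
    0x00, 0x10, 0x14, 0x00, 0xA9, 0x00, 0x12, 0x00, /* ACE 2: flags = 0x10 */
    0x01, 0x01, 0, 0, 0, 0, 0, 0x01, 0x00, 0, 0, 0, /*   SID S-1-1-0       */
};

/* Read a little-endian 16-bit field. */
static unsigned rd16(const uint8_t *p) { return p[0] | ((unsigned)p[1] << 8); }

/* Walk a raw ACL buffer (hypothetical helper). Returns the ACE count, or -1
 * if the buffer is malformed; *inherited receives the number of ACEs whose
 * AceFlags byte has INHERITED_ACE set. */
int count_inherited_aces(const uint8_t *acl, size_t len, int *inherited)
{
    *inherited = 0;
    if (len < 8) return -1;                  /* ACL header is 8 bytes */
    size_t acl_size = rd16(acl + 2);         /* AclSize  */
    unsigned ace_count = rd16(acl + 4);      /* AceCount */
    if (acl_size < 8 || acl_size > len) return -1;

    size_t off = 8;
    for (unsigned i = 0; i < ace_count; i++) {
        if (acl_size - off < 4) return -1;   /* ACE_HEADER is 4 bytes */
        uint8_t flags = acl[off + 1];        /* AceFlags */
        size_t ace_size = rd16(acl + off + 2);
        if (ace_size < 4 || ace_size > acl_size - off) return -1;
        if (flags & INHERITED_ACE) (*inherited)++;
        off += ace_size;
    }
    return (int)ace_count;
}

int main(void)
{
    int inherited;
    int total = count_inherited_aces(SAMPLE_ACL, sizeof SAMPLE_ACL, &inherited);
    printf("%d ACEs, %d with INHERITED_ACE set\n", total, inherited);
    return 0;
}
```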