Re: SetNamedSecurityInfo running under SYSTEM account
From: Dave Christiansen [MS] (davidchr_at_online.microsoft.com)
Date: Fri, 16 Jan 2004 16:42:21 -0800
Possibly a dumb question, but does EnableTokenPrivilege succeed or fail? By
default, only Administrators are granted SE_SECURITY_PRIVILEGE.
--
Dave Christiansen, Windows Core Security Testing

This message is provided "AS IS" with no warranties, and confers no rights.
This message originates in the State of Washington (USA), where unsolicited
commercial email is legally actionable (see http://www.wa.gov/ago/junkemail).
Harvesting of this address for purposes of bulk email (including "spam") is
prohibited unless by my expressed prior request. I retaliate viciously against
spammers and spam sites.

"System" <S_1_5_18@hotmail.com> wrote in message
news:ux7AAFQ2DHA.716@TK2MSFTNGP12.phx.gbl...
> FYI .. the code does run on Windows 2000 (no SP) but not on Windows XP (no
> SP)
>
> cheers
>
> "System" <S_1_5_18@hotmail.com> wrote in message
> news:OlA5a2P2DHA.email@example.com...
> > Hi!
> >
> > I am using SetNamedSecurityInfo to set both the dacl and sacl of a
> > directory. I have tested my code under the admin account and it works but
> > when I run it from our (msi) setup under the local system account there is
> > something odd. When setting the SACL, SetNamedSecurityInfo returns error
> > 1314 (ERROR_PRIVILEGE_NOT_HELD) ..
> >
> > I thought that the privs were enabled by default for Local System but it
> > does not seem to be the case (I have tested it).
> >
> > Anyway, in my code I explicitly enable the SE_SECURITY_NAME privilege.
> >
> > For the record, I have also enabled SE_TAKE_OWNERSHIP_NAME for the dacl.
> >
> > Has anybody ever managed to use SetNamedSecurityInfo from the LocalSystem
> > account?
> >
> > // audit everyone
> > ACL* sacl = 0;
> > DWORD lenSacl;
> > SECURITY_INFORMATION secinfo;
> > DWORD rc;
> >
> > // room for one audit ACE holding the Everyone SID; the ACE struct already
> > // contains the first DWORD of the SID, hence the subtraction
> > lenSacl = sizeof(ACL) + sizeof(SYSTEM_AUDIT_ACE)
> >           + GetLengthSid(worldSid) - sizeof(DWORD);
> >
> > sacl = (ACL *) malloc( lenSacl );
> > InitializeAcl(sacl, lenSacl, ACL_REVISION);
> >
> > ACCESS_MASK m = GENERIC_WRITE | WRITE_OWNER | WRITE_DAC | DELETE;
> > // audit both successful and failed access (bAuditSuccess, bAuditFailure)
> > AddAuditAccessAce(sacl, ACL_REVISION, m, worldSid, TRUE, TRUE);
> >
> > secinfo = SACL_SECURITY_INFORMATION | PROTECTED_SACL_SECURITY_INFORMATION;
> > EnableTokenPrivilege(msi, SE_SECURITY_NAME);
> >
> > rc = SetNamedSecurityInfo( mydir, SE_FILE_OBJECT, secinfo, 0, 0, 0, sacl );
> >
> > rc is ERROR_PRIVILEGE_NOT_HELD !!
> >
> > Thanks.
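Dave's question, whether EnableTokenPrivilege actually succeeds, is where to look first: AdjustTokenPrivileges returns TRUE even when the privilege is not present in the token, and only GetLastError() == ERROR_NOT_ALL_ASSIGNED (1300) tells you nothing was enabled; SetNamedSecurityInfo then reports ERROR_PRIVILEGE_NOT_HELD (1314) later. The following is an added example for this thread, not code posted by anyone in it. It shows two checks: parsing `whoami /priv` output (built into Windows since Vista) to see whether the calling token holds SeSecurityPrivilege at all, and a ctypes wrapper around AdjustTokenPrivileges that does the error check the posted code omits. The `whoami` output is constructed for the example, and the function names (`parse_whoami_priv`, `privilege_status`, `enable_privilege`) are this example's own; the Win32 part only executes on Windows.

```python
"""Added example (not from the thread): diagnose and enable SeSecurityPrivilege.

Part 1 parses `whoami /priv` so you can see what the token really holds.
Part 2 wraps AdjustTokenPrivileges and checks GetLastError() for
ERROR_NOT_ALL_ASSIGNED, which the API reports even though it returns TRUE.
Function and constant names are this example's own.
"""
import ctypes
import sys

SE_SECURITY_NAME = "SeSecurityPrivilege"
ERROR_NOT_ALL_ASSIGNED = 1300      # privilege absent from the token
ERROR_PRIVILEGE_NOT_HELD = 1314    # what SetNamedSecurityInfo reports later

# Constructed sample of `whoami /priv` output (not captured from a real host).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeTcbPrivilege                Act as part of the operating system       Enabled
SeSecurityPrivilege           Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege      Take ownership of files or other objects  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
"""


def parse_whoami_priv(text):
    """Map privilege name -> 'Enabled'/'Disabled' from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("Se") and parts[0].endswith("Privilege"):
            privs[parts[0]] = parts[-1]
    return privs


def privilege_status(privs, name):
    """'absent': AdjustTokenPrivileges cannot enable it (ERROR_NOT_ALL_ASSIGNED).
    'Disabled': it is held and merely needs enabling before the SACL write."""
    return privs.get(name, "absent")


def enable_privilege(name):
    """Enable `name` in the current process token.

    Returns (True, 0) on success, or (False, win32_error). Off Windows it
    returns (False, None) so the module still imports everywhere.
    """
    if sys.platform != "win32":
        return False, None
    from ctypes import wintypes

    class LUID(ctypes.Structure):
        _fields_ = [("LowPart", wintypes.DWORD), ("HighPart", wintypes.LONG)]

    class LUID_AND_ATTRIBUTES(ctypes.Structure):
        _fields_ = [("Luid", LUID), ("Attributes", wintypes.DWORD)]

    class TOKEN_PRIVILEGES(ctypes.Structure):
        _fields_ = [("PrivilegeCount", wintypes.DWORD),
                    ("Privileges", LUID_AND_ATTRIBUTES * 1)]

    TOKEN_ADJUST_PRIVILEGES, TOKEN_QUERY, SE_PRIVILEGE_ENABLED = 0x20, 0x08, 0x02

    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.GetCurrentProcess.restype = wintypes.HANDLE
    kernel32.CloseHandle.argtypes = [wintypes.HANDLE]
    advapi32.OpenProcessToken.argtypes = [wintypes.HANDLE, wintypes.DWORD,
                                          ctypes.POINTER(wintypes.HANDLE)]
    advapi32.LookupPrivilegeValueW.argtypes = [wintypes.LPCWSTR, wintypes.LPCWSTR,
                                               ctypes.POINTER(LUID)]
    advapi32.AdjustTokenPrivileges.argtypes = [wintypes.HANDLE, wintypes.BOOL,
                                               ctypes.POINTER(TOKEN_PRIVILEGES),
                                               wintypes.DWORD, ctypes.c_void_p,
                                               ctypes.c_void_p]

    token = wintypes.HANDLE()
    if not advapi32.OpenProcessToken(kernel32.GetCurrentProcess(),
                                     TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                                     ctypes.byref(token)):
        return False, ctypes.get_last_error()
    try:
        tp = TOKEN_PRIVILEGES()
        tp.PrivilegeCount = 1
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED
        if not advapi32.LookupPrivilegeValueW(None, name,
                                              ctypes.byref(tp.Privileges[0].Luid)):
            return False, ctypes.get_last_error()
        if not advapi32.AdjustTokenPrivileges(token, False, ctypes.byref(tp),
                                              0, None, None):
            return False, ctypes.get_last_error()
        # The call returned TRUE, but if the privilege is not in the token the
        # last error is ERROR_NOT_ALL_ASSIGNED and nothing was actually enabled.
        err = ctypes.get_last_error()
        return (err == 0), err
    finally:
        kernel32.CloseHandle(token)


if __name__ == "__main__":
    privs = parse_whoami_priv(SAMPLE_WHOAMI_PRIV)
    print("sample token:", SE_SECURITY_NAME, privilege_status(privs, SE_SECURITY_NAME))
    print("enable_privilege:", enable_privilege(SE_SECURITY_NAME))
```

Two caveats when applying this to the MSI case above: run `whoami /priv` (or the equivalent token query) in the same context the custom action executes in, since an 'absent' result means no enabling call can help and 1314 is the expected outcome; and if the thread doing the SetNamedSecurityInfo call is impersonating, AdjustTokenPrivileges must be applied to that impersonation token (OpenThreadToken), not the process token, or the enabled privilege will not be the one the call is checked against.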