Re: SetNamedSecurityInfo running under SYSTEM account

From: Dave Christiansen [MS] (davidchr_at_online.microsoft.com)
Date: 01/17/04

  • Next message: Dave Christiansen [MS]: "Re: SetNamedSecurityInfo running under SYSTEM account"
    Date: Fri, 16 Jan 2004 16:42:21 -0800
    
    

    Possibly a dumb question, but does EnableTokenPrivilege succeed or fail? By
    default, only Administrators are granted SE_SECURITY_PRIVILEGE.

    -- 
    Dave Christiansen, Windows Core Security Testing
    This message is provided "AS IS" with no warranties, and confers no rights.
    This message originates in the State of Washington (USA), where unsolicited
    commercial email is legally actionable (see
    http://www.wa.gov/ago/junkemail).
    Harvesting of this address for purposes of bulk email (including "spam") is
    prohibited unless by my expressed prior request.  I retaliate viciously
    against spammers and spam sites.
    "System" <S_1_5_18@hotmail.com> wrote in message
    news:ux7AAFQ2DHA.716@TK2MSFTNGP12.phx.gbl...
    > FYI .. the code does run on Windows 2000 (no SP) but not on Windows XP (no
    > SP)
    >
    > cheers
    >
    > "System" <S_1_5_18@hotmail.com> wrote in message
    > news:OlA5a2P2DHA.3224@tk2msftngp13.phx.gbl...
    > > Hi!
    > >
    > > I am using SetNamedSecurityInfo to set both the dacl and sacl of a
    > > directory. I have tested my code under the admin account and it works
    but
    > > when I run it from our (msi) setup under the local system account there
    is
    > > something odd. When setting the SACL, SetNamedSecurityInfo returns error
    > > 1314 (ERROR_PRIVILEGE_NOT_HELD) ..
    > >
    > > I thought that the privs was enabled by default for Local System but it
    > > dioes not seem the case ( I have tested it).
    > >
    > > Anyway, In my code I explicitely enable the SE_SECURITY_NAME privilege.
    > >
    > > for the record, I have also enabled SE_TAKE_OWNERSHIP_NAME for the dacl.
    > >
    > > has anybody ever managed to use SetNamedSecurityInfo from the
    LocalSystem
    > > account?
    > >
    > >  // audit everyone
    > >  ACL* sacl =0;
    > >  DWORD lenSacl;
    > >
    > >  lenSacl = sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE)
    > >             + GetLengthSid(worldSid) - sizeof(DWORD);
    > >
    > >  sacl = (ACL *) malloc( lenSacl );
    > >  InitializeAcl(sacl, lenSacl, ACL_REVISION);
    > >
    > >  ACCESS_MASK m = GENERIC_WRITE | WRITE_OWNER | WRITE_DAC | DELETE;
    > >  AddAuditAccessAce(sacl, ACL_REVISION, m, worldSid, TRUE, TRUE);
    > >
    > >  secinfo = SACL_SECURITY_INFORMATION |
    PROTECTED_SACL_SECURITY_INFORMATION
    > ;
    > >  EnableTokenPrivilege(msi, SE_SECURITY_NAME);
    > >
    > >  rc = SetNamedSecurityInfo( mydir, SE_FILE_OBJECT, secinfo, 0, 0, 0,
    > sacl );
    > >
    > > rc is ERROR_PRIVILEGE_NOT_HELD !!
    > >
    > > Thanks.
    > >
    > >
    > >
    > >
    >
    >
    

  • Next message: Dave Christiansen [MS]: "Re: SetNamedSecurityInfo running under SYSTEM account"

    Relevant Pages

    • SetNamedSecurityInfo running under SYSTEM account
      ... when I run it from our setup under the local system account there is ... When setting the SACL, SetNamedSecurityInfo returns error ... I have also enabled SE_TAKE_OWNERSHIP_NAME for the dacl. ...
      (microsoft.public.platformsdk.security)
    • Re: SetNamedSecurityInfo running under SYSTEM account
      ... > when I run it from our setup under the local system account there is ... When setting the SACL, SetNamedSecurityInfo returns error ...
      (microsoft.public.platformsdk.security)