Re: Using Security Descriptors as containers for SIDs
- From: "Richard Ward" <richardw@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 9 Dec 2005 23:39:35 -0800
<hull.cary@xxxxxxxxx> wrote in message
news:1133985637.248635.283320@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> I'm working with the following Win32 API functions:
> GetNamedSecurityInfo, AllocateAndInitializeSid, and
> SetSecurityDescriptorOwner.
>
> 1. I'm using GetNamedSecurityInfo to get the
> OWNER_SECURITY_INFORMATION.
>
> 2. I'm creating a SID for the BUILTIN\Administrators group with
> AllocateAndInitializeSid.
>
> 3. I'm trying to set the new owner SID (created in step two) into the
> security descriptor (gathered in step one) using
> SetSecurityDescriptorOwner.
>
> The problem is that step three fails with GetLastError == 1338
> (ERROR_INVALID_SECURITY_DESCR). This error is pretty funny to me
> because *just* before I call SetSecurityDescriptorOwner, I call
> IsValidSecurityDescriptor on the security descriptor I'm passing to
> SetSecurityDescriptorOwner, and it returns TRUE! So, one function says,
> "yes, this is valid" and the very next one says, "no, it's not!"
IsValidSecurityDescriptor is checking if the security descriptor is ready
for a call to AccessCheck, not if it is ready for a call to any of the edit
functions. So, yes, it is valid to pass a security descriptor with only the
owner to SetXxxSecurity(); it isn't for AccessCheck.
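
The distinction drawn in the reply above, a descriptor passing one check while failing the precondition of another call, can be seen on the raw bytes. The following is an added example, not code from this thread or from Microsoft. It assumes the self-relative descriptor layout and the SE_SELF_RELATIVE control bit from the Windows SDK, and it assumes (the thread does not state this) that queried descriptors are self-relative while the in-place setters accept only absolute format; the function names and sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SE_SELF_RELATIVE 0x8000u /* Control bit, Windows SDK value */
#define SD_HEADER_LEN    20u     /* Revision, Sbz1, Control, four 32-bit offsets */

/* Constructed sample: self-relative descriptor holding only an owner,
   BUILTIN\Administrators (S-1-5-32-544). Assumed shape of an owner-only query result. */
static const uint8_t SAMPLE_SD[36] = {
    0x01, 0x00, 0x00, 0x80,               /* Revision 1, Sbz1, Control = 0x8000 */
    0x14, 0x00, 0x00, 0x00,               /* OffsetOwner = 20 */
    0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0, /* no group, SACL or DACL */
    0x01, 0x02, 0, 0, 0, 0, 0, 0x05,      /* SID: revision 1, 2 subauthorities, authority 5 */
    0x20, 0, 0, 0,  0x20, 0x02, 0, 0      /* subauthorities 32 and 544, little-endian */
};

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t sd_control(const uint8_t *sd) { return (uint16_t)(sd[2] | sd[3] << 8); }

/* Structural check: bounds-checked header and a well-formed owner SID.
   Writes the owner as "S-1-..." into out; returns 1 on success, 0 otherwise. */
int sd_owner_string(const uint8_t *sd, size_t len, char *out, size_t outlen) {
    if (len < SD_HEADER_LEN || sd[0] != 1 || !(sd_control(sd) & SE_SELF_RELATIVE)) return 0;
    uint32_t off = rd32(sd + 4);
    if (off < SD_HEADER_LEN || off > len || len - off < 8) return 0;
    const uint8_t *sid = sd + off;
    if (sid[0] != 1 || sid[1] > 15 || len - off < 8u + 4u * sid[1]) return 0;
    uint64_t auth = 0;
    for (int i = 2; i < 8; i++) auth = auth << 8 | sid[i]; /* big-endian authority */
    int n = snprintf(out, outlen, "S-1-%llu", (unsigned long long)auth);
    for (unsigned i = 0; i < sid[1] && n > 0 && (size_t)n < outlen; i++)
        n += snprintf(out + n, outlen - n, "-%u", (unsigned)rd32(sid + 8 + 4 * i));
    return n > 0 && (size_t)n < outlen;
}

/* Edit precondition (assumption, not from the thread): the in-place
   SetSecurityDescriptor* setters accept only absolute-format descriptors. */
int sd_is_absolute(const uint8_t *sd, size_t len) {
    return len >= SD_HEADER_LEN && !(sd_control(sd) & SE_SELF_RELATIVE);
}

int main(void) {
    char owner[64];
    if (sd_owner_string(SAMPLE_SD, sizeof SAMPLE_SD, owner, sizeof owner))
        printf("owner %s, absolute format: %d\n", owner, sd_is_absolute(SAMPLE_SD, sizeof SAMPLE_SD));
}
```

The sample parses cleanly and yields its owner, yet fails the absolute-format test, so a structural validity result says nothing about whether a particular edit call will accept the descriptor.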