I've got some code that basically does:
- GetNamedSecurityInfoW (<some file>,dacl only)
- build a new ACL with the info from #1 and an additional ACE to allow local Administrators full control
- SetNamedSecurityInfoW (<the same file>,the new dacl)
The dacl from #1 contains 4 ACEs:
grant: mask(0x001F01FF), flags(0x00000010): S-1-5-18 (NT AUTHORITY\SYSTEM) grant: mask(0x10000000), flags(0x0000001B): S-1-5-18 (NT AUTHORITY\SYSTEM) grant: mask(0x001F01FF), flags(0x00000010): (local admin user #1) grant: mask(0x10000000), flags(0x0000001B): (local admin user #1)Note that this code is running as another local admin, but not the one in the ACEs. Let's say we're running as local admin #2. On Windows XP SP2.
All of these ACEs are inherited. Not sure if that's important or not.
From Peter Brown's _Programming Windows Security_ I understand that non-inherited ACEs granting access should appear before the inherited ACEs. So, to grant access (GENERIC_ALL | STANDARD_RIGHTS_ALL) to the Administrators group, I end up with 5 ACEs in this order:
grant: mask(0x101F0000), flags(0x00000000): S-1-5-32-544 (BUILTIN\Administrators) grant: mask(0x001F01FF), flags(0x00000010): S-1-5-18 (NT AUTHORITY\SYSTEM) grant: mask(0x10000000), flags(0x0000001B): S-1-5-18 (NT AUTHORITY\SYSTEM) grant: mask(0x001F01FF), flags(0x00000010): (local admin user #1) grant: mask(0x10000000), flags(0x0000001B): (local admin user #1)
Now that I've got the ACL set up the way (I think) I want, I call SetNamedSecurityInfoW.
It appears to succeed. At least it returns ERROR_SUCCESS.
The trouble is, when I call GetNamedSecurityInfoW on the same file right afterwards, I don't get the info I expect. Instead I get:
grant: mask(0x001F01FF), flags(0x00000000): S-1-5-32-544 (BUILTIN\Administrators)
Where did the other ACEs go?
I tried adjusting my additional ACE to use the OBJECT_INHERIT_ACE inheritance flag. This changed things slightly but the original ACEs still disappeared.
My big picture goal is to add rights to the local admin group for a directory, look in the directory, and then leave things as close to they were when I started. I'm not trying to be sneaky or evil, but I'd like to leave the ACEs that were there if possible. The code is running as part of an uninstaller that's looking for files to delete.
I already had to take ownership of the file to get access. I'm not sure if I can undo that, but I'd at least like to leave the ACEs as they were.
Thanks for your help understanding what's going on here.
-DB