I've got some code that basically does:

  1. GetNamedSecurityInfoW (<some file>,dacl only)
  2. build a new ACL with the info from #1 and an additional ACE to allow local Administrators full control
  3. SetNamedSecurityInfoW (<the same file>,the new dacl)

The dacl from #1 contains 4 ACEs:

grant: mask(0x001F01FF), flags(0x00000010): S-1-5-18 (NT AUTHORITY\SYSTEM)
grant: mask(0x10000000), flags(0x0000001B): S-1-5-18 (NT AUTHORITY\SYSTEM)
grant: mask(0x001F01FF), flags(0x00000010): (local admin user #1)
grant: mask(0x10000000), flags(0x0000001B): (local admin user #1)

Note that this code is running as another local admin, but not the one in the ACEs. Let's say we're running as local admin #2. On Windows XP SP2.

All of these ACEs are inherited. Not sure if that's important or not.

From Peter Brown's _Programming Windows Security_ I understand that non-inherited ACEs granting access should appear before the inherited ACEs. So, to grant access (GENERIC_ALL | STANDARD_RIGHTS_ALL) to the Administrators group, I end up with 5 ACEs in this order:

grant: mask(0x101F0000), flags(0x00000000): S-1-5-32-544 (BUILTIN\Administrators)
grant: mask(0x001F01FF), flags(0x00000010): S-1-5-18 (NT AUTHORITY\SYSTEM)
grant: mask(0x10000000), flags(0x0000001B): S-1-5-18 (NT AUTHORITY\SYSTEM)
grant: mask(0x001F01FF), flags(0x00000010): (local admin user #1)
grant: mask(0x10000000), flags(0x0000001B): (local admin user #1)

Now that I've got the ACL set up the way (I think) I want, I call SetNamedSecurityInfoW.

It appears to succeed. At least it returns ERROR_SUCCESS.

The trouble is, when I call GetNamedSecurityInfoW on the same file right afterwards, I don't get the info I expect. Instead I get:

grant: mask(0x001F01FF), flags(0x00000000): S-1-5-32-544 (BUILTIN\Administrators)

Where did the other ACEs go?

I tried adjusting my additional ACE to use the OBJECT_INHERIT_ACE inheritance flag. This changed things slightly but the original ACEs still disappeared.

My big-picture goal is to add rights to the local admin group for a directory, look in the directory, and then leave things as close to how they were when I started. I'm not trying to be sneaky or evil, but I'd like to leave the ACEs that were there if possible. The code is running as part of an uninstaller that's looking for files to delete.

I already had to take ownership of the file to get access. I'm not sure if I can undo that, but I'd at least like to leave the ACEs as they were.

Thanks for your help understanding what's going on here.

-DB
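Added example, not the poster's code: a small Python decoder for ACE dump lines in the format printed in the question, using the ACE flag and access-mask constants from winnt.h (the subset needed here). The three dumps from the question are embedded as constructed input. The script names each flag and mask bit, checks the ordering rule quoted from Brown (explicit ACEs before inherited ones; the deny-before-allow rule within each group is the canonical-order rule and goes beyond what the question states), and diffs the DACL read back against the one that was written, which is the check worth running after any SetNamedSecurityInfoW call before assuming it did what was asked.

```python
import re

# ACE flag bits and access-mask constants from winnt.h (assumed subset, enough for these dumps).
ACE_FLAGS = {
    0x01: "OBJECT_INHERIT_ACE",
    0x02: "CONTAINER_INHERIT_ACE",
    0x04: "NO_PROPAGATE_INHERIT_ACE",
    0x08: "INHERIT_ONLY_ACE",
    0x10: "INHERITED_ACE",
}
INHERITED_ACE = 0x10
GENERIC_RIGHTS = {0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
                  0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ"}
STANDARD_RIGHTS = {0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
                   0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE"}
STANDARD_RIGHTS_ALL = 0x001F0000
FILE_ALL_ACCESS = 0x001F01FF  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | all FILE_* specific bits

# Constructed input: the three dumps exactly as they appear in the question.
ORIGINAL_DACL = r"""
grant: mask(0x001F01FF), flags(0x00000010): S-1-5-18 (NT AUTHORITY\SYSTEM)
grant: mask(0x10000000), flags(0x0000001B): S-1-5-18 (NT AUTHORITY\SYSTEM)
grant: mask(0x001F01FF), flags(0x00000010): (local admin user #1)
grant: mask(0x10000000), flags(0x0000001B): (local admin user #1)
"""
WRITTEN_DACL = ("grant: mask(0x101F0000), flags(0x00000000): S-1-5-32-544 (BUILTIN\\Administrators)\n"
                + ORIGINAL_DACL)
READ_BACK_DACL = r"grant: mask(0x001F01FF), flags(0x00000000): S-1-5-32-544 (BUILTIN\Administrators)"

LINE_RE = re.compile(r"^(grant|deny): mask\(0x([0-9A-Fa-f]+)\), flags\(0x([0-9A-Fa-f]+)\): (.+)$")


def parse_dump(text):
    """Parse 'grant|deny: mask(0x..), flags(0x..): trustee' lines into dicts; blank lines are skipped."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACE line: {line!r}")
        kind, mask, flags, trustee = m.groups()
        aces.append({"type": kind, "mask": int(mask, 16), "flags": int(flags, 16), "trustee": trustee})
    return aces


def describe_flags(flags):
    """Name every set AceFlags bit; unknown bits are reported in hex rather than dropped."""
    names = [name for bit, name in ACE_FLAGS.items() if flags & bit]
    unknown = flags & ~sum(ACE_FLAGS)
    if unknown:
        names.append(f"unknown:0x{unknown:02X}")
    return names or ["(none)"]


def describe_mask(mask):
    """Name the access mask: composite file/standard rights first, then generic and standard bits."""
    names, rest = [], mask
    if (mask & FILE_ALL_ACCESS) == FILE_ALL_ACCESS:
        names.append("FILE_ALL_ACCESS")
        rest &= ~FILE_ALL_ACCESS
    elif (mask & STANDARD_RIGHTS_ALL) == STANDARD_RIGHTS_ALL:
        names.append("STANDARD_RIGHTS_ALL")
        rest &= ~STANDARD_RIGHTS_ALL
    for bit, name in {**GENERIC_RIGHTS, **STANDARD_RIGHTS}.items():
        if rest & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"specific:0x{rest:04X}")
    return names


def check_order(aces):
    """Problems against the ordering rule: explicit (non-inherited) ACEs before inherited ones,
    and within each group deny ACEs before allow ACEs (canonical order)."""
    problems, seen_inherited = [], False
    seen_allow = {False: False, True: False}  # keyed by 'inherited' group
    for i, ace in enumerate(aces):
        inherited = bool(ace["flags"] & INHERITED_ACE)
        if inherited:
            seen_inherited = True
        elif seen_inherited:
            problems.append(f"ACE #{i}: explicit ACE appears after an inherited ACE")
        if ace["type"] == "grant":
            seen_allow[inherited] = True
        elif seen_allow[inherited]:
            problems.append(f"ACE #{i}: deny ACE appears after an allow ACE in the same group")
    return problems


def missing_after(before, after):
    """ACEs in `before` that are absent from `after` (compared by type, mask, flags and trustee)."""
    key = lambda a: (a["type"], a["mask"], a["flags"], a["trustee"])
    kept = {key(a) for a in after}
    return [a for a in before if key(a) not in kept]


def summarize(aces):
    return [f"{a['type']:5} {a['trustee']}: {'|'.join(describe_mask(a['mask']))}"
            f" [{'|'.join(describe_flags(a['flags']))}]" for a in aces]


if __name__ == "__main__":
    for label, dump in (("original", ORIGINAL_DACL), ("written", WRITTEN_DACL), ("read back", READ_BACK_DACL)):
        aces = parse_dump(dump)
        print(f"== {label} DACL ==")
        print("\n".join(summarize(aces)))
        print("ordering problems:", check_order(aces) or "none")
    dropped = missing_after(parse_dump(WRITTEN_DACL), parse_dump(READ_BACK_DACL))
    print("ACEs written but not read back:", len(dropped))
```

Run on the question's data, the decoder shows that all four original ACEs carry INHERITED_ACE, that flags 0x1B is OBJECT_INHERIT|CONTAINER_INHERIT|INHERIT_ONLY|INHERITED (inherit-only entries that exist to be passed on to children), and that the written Administrators mask 0x101F0000 is GENERIC_ALL|STANDARD_RIGHTS_ALL while the read-back 0x001F01FF is FILE_ALL_ACCESS, the file-specific form of the same rights. The write-then-read diff is the step that turns "it returned ERROR_SUCCESS" into evidence of what the DACL actually contains.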