I am trying to copy a file and all its attributes in a system work thread created by a driver. I can successfully copy over (read and write) all the file streams and file attribute information, except the SACL.
It is my understanding that I need ACCESS_SYSTEM_SECURITY access to the file to modify the SACL. When I include ACCESS_SYSTEM_SECURITY on the ZwCreateFile call for the destination file I get STATUS_PRIVILEGE_NOT_HELD.
I have tried putting an impersonation token on the thread and enabling various privileges (including SeSecurityPrivilege) in the token but I still can’t create the file with ACCESS_SYSTEM_SECURITY access.
Any help on what I am missing, or suggestions on a better way to do this, would be appreciated.
The only thing that matters here is SeSecurityPrivilege. While I know you
indicate you have enabled it, this error would suggest otherwise. A more
specific way to check this would (literally) be to call
SeSinglePrivilegeCheck with this particular privilege to ensure it is in
fact properly enabled for the current thread.
I’d also *strongly* advise you not to get involved in impersonation here.
That’s only going to make it more difficult to get working properly (since
only some impersonation tokens can hold this privilege.)
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: xxxxx@executive.com [mailto:xxxxx@executive.com]
Sent: Wednesday, October 16, 2002 8:07 PM
To: File Systems Developers
Subject: [ntfsd] Copying the SACL of a file.
I am trying to copy a file and all its attributes in a system work thread
created by a driver. I can successfully copy over (read and write) all the
file streams and file attribute information, except the SACL.
It is my understanding that I need ACCESS_SYSTEM_SECURITY access to the file
to modify the SACL. When I include ACCESS_SYSTEM_SECURITY on the
ZwCreateFile call for the destination file I get STATUS_PRIVILEGE_NOT_HELD.
I have tried putting an impersonation token on the thread and enabling
various privileges (including SeSecurityPrivilege) in the token but I still
can’t create the file with ACCESS_SYSTEM_SECURITY access.
Any help on what I am missing, or suggestions on a better way to do this,
would be appreciated.
Hi,
>It is my understanding that I need ACCESS_SYSTEM_SECURITY access to the
>file to modify the SACL. When I include ACCESS_SYSTEM_SECURITY on the
>ZwCreateFile call for the destination file I get
>STATUS_PRIVILEGE_NOT_HELD.
As far as I know you don’t have to open the file including
ACCESS_SYSTEM_SECURITY if you are trying to set the ACL using an IRP you created.
Normally IoManager checks if the operation is allowed for the handle. Sending
an IRP directly to the file system bypasses those checks.
Alexei.
Security checks are NOT bypassed for network files.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Alexei Jelvis
Sent: Thursday, October 17, 2002 8:48 AM
To: File Systems Developers
Subject: [ntfsd] Re: Copying the SACL of a file.
Hi,
>It is my understanding that I need ACCESS_SYSTEM_SECURITY access to the
>file to modify the SACL. When I include ACCESS_SYSTEM_SECURITY on the
>ZwCreateFile call for the destination file I get
>STATUS_PRIVILEGE_NOT_HELD.
As far as I know you don’t have to open the file including
ACCESS_SYSTEM_SECURITY if you are trying to set the ACL using an IRP you
created. Normally IoManager checks if the operation is allowed
for the handle. Sending an IRP directly to the file system bypasses
those checks.
Alexei.