[python-win32] Issue with taking ownership
Tim Golden
mail at timgolden.me.uk
Tue Jan 21 17:45:58 CET 2014
On 21/01/2014 15:36, Joseph L. Casale wrote:
> I have a scenario where I have a directory owned by localhost\Administrators with
> that group and SYSTEM set to full control without inheritance propagated.
>
> Under this, I have a folder owned by another account with only that account granted
> full control.
>
> If I elevate my token and run:
>
> win32security.SetNamedSecurityInfo(
>     path,
>     win32security.SE_FILE_OBJECT,
>     win32security.OWNER_SECURITY_INFORMATION,
>     owner.sid,
>     None,
>     None,
>     None
> )
>
> from the account that has full control (and originally owned it), I can view the new owner.
>
> This, however, doesn't allow the context that changed the owner to then access the DACL
> and add an ACE? That context still cannot view the directory permissions, which doesn't jibe
> with the behavior of takeown.exe, for example: after assuming ownership with that binary,
> the alternate context can view the permissions and see the original owner is the only entry
> in the ACL with full control (as it was)?
I think I understand your setup, which I've simulated below: an
"ownership" directory owned by Admins and with SYSTEM & Admins only
having full control. No inheritance; no propagation. Then an
"other-account" directory below it; again, no inheritance and owned by a
different account which has full control.
C:\temp>cacls ownership
C:\temp\ownership NT AUTHORITY\SYSTEM:(OI)(CI)F
                  BUILTIN\Administrators:(OI)(CI)(NP)F

C:\temp>cacls ownership\*
C:\temp\ownership\other-account VOUK\goldent:(OI)(CI)F
Although you don't show the code you're using to affect the
newly-reowned DACL, I suspect the problem is that you're not specifying
DACL-only access? In other words, your ownership status gives you *just
enough* permission to write to the DACL to give yourself more (i.e.
WRITE_DAC). Any attempt to access any other aspect of the security
structure will almost certainly fail with access denied.
Does that help?
TJG
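The sequence Tim describes, written out as an added example (this is not the original poster's code and not anything from the thread): take the owner first, then read and rewrite the DACL requesting DACL_SECURITY_INFORMATION only. It relies on two pieces of Windows behaviour that the thread does not spell out: the owner of an object is implicitly granted READ_CONTROL and WRITE_DAC, while reading the SACL additionally needs SeSecurityPrivilege, so a GetNamedSecurityInfo call that bundles SACL_SECURITY_INFORMATION into the request fails with access denied even for the new owner. The helper names (`merge_full_control`, `take_ownership`, `read_dacl`, `grant_full_control`), the SIDs in the constructed test DACL, and the choice to pass PROTECTED_DACL_SECURITY_INFORMATION on the write (so the call keeps the DACL protected instead of re-evaluating inheritance, matching the "no inheritance" layout above) are all assumptions made for this example.

```python
"""Take ownership with pywin32, then edit the DACL asking only for the DACL.

Added example for the python-win32 thread above; not the poster's or Tim's code.
The pure helper merge_full_control() has no Windows dependency, so it can be
exercised anywhere; the three functions below it need pywin32 on Windows.
"""
try:
    import win32api
    import win32security
    import ntsecuritycon as con
except ImportError:  # pywin32 is Windows-only; keep the pure helper importable elsewhere
    win32api = win32security = con = None

# Numeric values of the ntsecuritycon constants the pure helper needs, spelled
# out so it works without pywin32: FILE_ALL_ACCESS, OBJECT_INHERIT_ACE |
# CONTAINER_INHERIT_ACE, and ACCESS_ALLOWED_ACE_TYPE.
FILE_ALL_ACCESS = 0x001F01FF
OI_CI = 0x01 | 0x02
ACCESS_ALLOWED_ACE_TYPE = 0


def merge_full_control(aces, sid):
    """Pure DACL edit on plain tuples (ace_type, ace_flags, mask, sid).

    Returns (new_aces, changed). Every existing entry is kept in order (deny
    ACEs stay ahead of allow ACEs). A full-control allow ACE with OI/CI for
    `sid` is appended only if an equivalent one is absent, so running the
    grant twice does not pile up duplicate ACEs.
    """
    for ace_type, ace_flags, mask, ace_sid in aces:
        if (ace_sid == sid and ace_type == ACCESS_ALLOWED_ACE_TYPE
                and mask & FILE_ALL_ACCESS == FILE_ALL_ACCESS
                and ace_flags & OI_CI == OI_CI):
            return list(aces), False
    return list(aces) + [(ACCESS_ALLOWED_ACE_TYPE, OI_CI, FILE_ALL_ACCESS, sid)], True


def enable_privilege(name):
    """Enable a named privilege on the current process token (assumed helper)."""
    token = win32security.OpenProcessToken(
        win32api.GetCurrentProcess(), con.TOKEN_ADJUST_PRIVILEGES | con.TOKEN_QUERY)
    luid = win32security.LookupPrivilegeValue(None, name)
    win32security.AdjustTokenPrivileges(token, False, [(luid, con.SE_PRIVILEGE_ENABLED)])


def take_ownership(path, owner_sid):
    """Step 1: write the owner and nothing else. With SeTakeOwnershipPrivilege
    enabled this succeeds even when the caller has no ACE on the object, which
    is what takeown.exe relies on."""
    enable_privilege(win32security.SE_TAKE_OWNERSHIP_NAME)
    win32security.SetNamedSecurityInfo(
        path, win32security.SE_FILE_OBJECT,
        win32security.OWNER_SECURITY_INFORMATION, owner_sid, None, None, None)


def read_dacl(path):
    """Step 2: request DACL_SECURITY_INFORMATION only. Ownership implicitly
    grants READ_CONTROL and WRITE_DAC, which covers this; adding
    SACL_SECURITY_INFORMATION to the same request needs SeSecurityPrivilege
    and is the usual reason the whole call comes back access denied."""
    sd = win32security.GetNamedSecurityInfo(
        path, win32security.SE_FILE_OBJECT, win32security.DACL_SECURITY_INFORMATION)
    dacl = sd.GetSecurityDescriptorDacl()
    if dacl is None:  # NULL DACL: no entries at all (everyone has access)
        return []
    aces = []
    for i in range(dacl.GetAceCount()):
        (ace_type, ace_flags), mask, sid = dacl.GetAce(i)
        aces.append((ace_type, ace_flags, mask, sid))
    return aces


def grant_full_control(path, sid):
    """Step 3: rebuild the DACL with one more allow ACE and write it back,
    again touching only the DACL. Returns True if anything was written."""
    aces, changed = merge_full_control(read_dacl(path), sid)
    if not changed:
        return False
    dacl = win32security.ACL()
    for ace_type, ace_flags, mask, ace_sid in aces:
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            dacl.AddAccessAllowedAceEx(win32security.ACL_REVISION, ace_flags, mask, ace_sid)
        else:
            dacl.AddAccessDeniedAceEx(win32security.ACL_REVISION, ace_flags, mask, ace_sid)
    # PROTECTED_DACL_SECURITY_INFORMATION keeps the DACL protected (no inherited
    # ACEs) as in the thread's layout; assumption made for this example.
    win32security.SetNamedSecurityInfo(
        path, win32security.SE_FILE_OBJECT,
        win32security.DACL_SECURITY_INFORMATION
        | win32security.PROTECTED_DACL_SECURITY_INFORMATION,
        None, None, dacl, None)
    return True


if __name__ == "__main__":
    import sys
    # usage (elevated prompt): python reown.py C:\temp\ownership\other-account DOMAIN\user
    target, account = sys.argv[1], sys.argv[2]
    me = win32security.LookupAccountName(None, account)[0]
    take_ownership(target, me)
    print("DACL before grant:", read_dacl(target))
    print("ACE added:", grant_full_control(target, me))
```

The reading step is the one that bites: it is tempting to ask GetNamedSecurityInfo for OWNER | GROUP | DACL | SACL in a single call and print everything, but the SACL part of that request is what turns a perfectly legal DACL read into access denied.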