[python-win32] Issue with taking ownership
Joseph L. Casale
jcasale at activenetwerx.com
Wed Jan 22 03:37:35 CET 2014
> In my scenario (while the token is elevated) how does one replace a DACL with
> a new one that I add an ACE granting my context full control without reading the
> security descriptor, or, with elevated state active, how can I also add read_control
> when I get write_dac so I can read the sd, and append an ACE versus blowing
> out the dacl?
Turns out that the code to logon and impersonate was using
LOGON32_LOGON_NEW_CREDENTIALS instead of LOGON32_LOGON_INTERACTIVE.
According to GetNamedSecurityInfo docs at msdn [1], "To read the owner, group, or
DACL from the object's security descriptor, the object's DACL must grant READ_CONTROL
access to the caller, or the caller must be the owner of the object."
So although I passed ownership to the account logged in and impersonated, the context
in which the system saw the attempt to read the security descriptor was that of the
account running the code.
Thanks Tim,
jlc
[1] http://msdn.microsoft.com/en-us/library/windows/desktop/aa446645(v=vs.85).aspx
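As an added illustration of the fix described above (this is not code from the thread or from pywin32's own examples): the logon is done with LOGON32_LOGON_INTERACTIVE so the impersonated thread is the target account for local access checks, the thread token is queried to confirm that, ownership is taken with SeTakeOwnershipPrivilege enabled, and only then is the DACL read and an ACE appended rather than replaced. The file path, account name and password are placeholders to be supplied by the caller; the numeric logon-type constants are the Win32 SDK values.

```python
"""Take ownership of a file as an impersonated account, then append an
allow ACE to its DACL instead of replacing the DACL (pywin32).  Added
example, not code from the original python-win32 thread."""

try:
    import win32api
    import win32con
    import win32security
    import ntsecuritycon as ntc
except ImportError:  # pywin32 exists only on Windows; keep the module importable
    win32api = win32con = win32security = ntc = None

# LOGON32_LOGON_NEW_CREDENTIALS only swaps the credentials used for outbound
# network connections; local access checks still use the caller's own token,
# so GetNamedSecurityInfo runs as the original account.  LOGON32_LOGON_INTERACTIVE
# yields a token that *is* the target account locally.
LOGON_TYPE_NEW_CREDENTIALS = 9   # win32con.LOGON32_LOGON_NEW_CREDENTIALS
LOGON_TYPE_INTERACTIVE = 2       # win32con.LOGON32_LOGON_INTERACTIVE


def sid_already_granted(ace_sids, target_sid):
    """Pure helper: True if target_sid already has an ACE, so the caller can
    keep the DACL edit idempotent instead of stacking duplicate ACEs."""
    return any(sid == target_sid for sid in ace_sids)


def dacl_sids(dacl):
    """Trustee SID of every ACE in a (Py)ACL.  pywin32 returns each file ACE
    as ((ace_type, ace_flags), access_mask, sid)."""
    return [dacl.GetAce(i)[2] for i in range(dacl.GetAceCount())]


def current_thread_account():
    """DOMAIN\\name the kernel currently sees for this thread.  Call it while
    impersonating to verify the local context really changed."""
    handle = win32security.OpenThreadToken(win32api.GetCurrentThread(),
                                           win32con.TOKEN_QUERY, True)
    sid = win32security.GetTokenInformation(handle, win32security.TokenUser)[0]
    name, domain, _ = win32security.LookupAccountSid(None, sid)
    return f"{domain}\\{name}"


def enable_privilege(token, name):
    """Enable a privilege the account already holds (e.g. SeTakeOwnershipPrivilege)."""
    luid = win32security.LookupPrivilegeValue(None, name)
    win32security.AdjustTokenPrivileges(token, False,
                                        [(luid, win32con.SE_PRIVILEGE_ENABLED)])


def take_ownership_and_grant(path, user, domain, password):
    """Impersonate user, take ownership of path, append FILE_ALL_ACCESS for user."""
    token = win32security.LogonUser(user, domain, password,
                                    LOGON_TYPE_INTERACTIVE,
                                    win32con.LOGON32_PROVIDER_DEFAULT)
    target_sid = win32security.GetTokenInformation(token, win32security.TokenUser)[0]
    # Taking ownership needs WRITE_OWNER on the object or SeTakeOwnershipPrivilege;
    # enable it on the primary token before it is duplicated for impersonation.
    enable_privilege(token, win32security.SE_TAKE_OWNERSHIP_NAME)
    win32security.ImpersonateLoggedOnUser(token)
    try:
        print("thread now runs as", current_thread_account())
        # 1. Become the owner.  Only the owner field is written here.
        win32security.SetNamedSecurityInfo(
            path, win32security.SE_FILE_OBJECT,
            win32security.OWNER_SECURITY_INFORMATION,
            target_sid, None, None, None)
        # 2. As owner, the DACL is readable even if it never granted READ_CONTROL.
        sd = win32security.GetNamedSecurityInfo(
            path, win32security.SE_FILE_OBJECT,
            win32security.DACL_SECURITY_INFORMATION)
        dacl = sd.GetSecurityDescriptorDacl()
        if dacl is None:
            # A NULL DACL means "everyone, full access"; writing an explicit
            # DACL below will *tighten* access, so start from an empty ACL knowingly.
            dacl = win32security.ACL()
        # 3. Append an ACE rather than replacing the DACL; keep it idempotent.
        if not sid_already_granted(dacl_sids(dacl), target_sid):
            dacl.AddAccessAllowedAceEx(win32security.ACL_REVISION, 0,
                                       ntc.FILE_ALL_ACCESS, target_sid)
        win32security.SetNamedSecurityInfo(
            path, win32security.SE_FILE_OBJECT,
            win32security.DACL_SECURITY_INFORMATION,
            None, None, dacl, None)
    finally:
        win32security.RevertToSelf()
        token.Close()


if __name__ == "__main__":
    # Placeholders: replace with a real path and account before running on Windows.
    take_ownership_and_grant(r"C:\path\to\file.txt", "someuser", ".", "password")
```

One caveat worth checking on a UAC-enabled machine: an interactive logon of an administrator account returns the filtered (non-elevated) token, in which SeTakeOwnershipPrivilege is absent; the full token is reachable through GetTokenInformation with TokenLinkedToken. The printed account name from current_thread_account() is the quickest way to confirm that the local context has actually changed before the first security-descriptor call.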