date: Thu, 24 Jul 2008 14:03:00 -0700    group: microsoft.public.platformsdk.security


Replacing registry ACL with a new one   
I have code that modifies an existing registry key's ACL and works fine. I use 
GetNamedSecurityInfo to extract the old DACL, SetEntriesInAcl with the old 
DACL and the new EXPLICIT_ACCESS structure(s), and then SetNamedSecurityInfo 
to set the new, merged DACL. This all works well - I can even revoke 
individual ACEs with this code. Here's the problem: I need to create a new 
ACL with a limited number of trustees, and either SetEntriesInAcl or 
SetNamedSecurityInfo keeps merging in the old trustees as well. To do this:

1. I use the same code that works, essentially calling GetNamedSecurityInfo 
which extracts a pointer to the old DACL.

2. I use SetEntriesInAcl, but this time I set the old DACL pointer to NULL 
while using a pointer to the EXPLICIT_ACCESS structure populated by desired 
trustees. I get a pointer to a new DACL from the API. 

3. I give the pointer to the new DACL to SetNamedSecurityInfo and, although 
the new trustees are present, so are the old ones!

All calls return ERROR_SUCCESS, and I am baffled. 

Has anyone run into this?
date: Thu, 24 Jul 2008 14:03:00 -0700   author:   jpatrcik

RE: Replacing registry ACL with a new one   
Well, I think I've found the problem: I needed to set the SECURITY_INFORMATION 
structure of SetNamedSecurityInfo to
PROTECTED_DACL_SECURITY_INFORMATION so the DACL cannot inherit access 
control entries (ACEs). However, in Vista (as in XP), it seems only the 
CREATOR_OWNER has the WRITE_DAC permission, and even members of the local 
admin group get an ACCESS_DENIED when setting 
PROTECTED_DACL_SECURITY_INFORMATION on SetNamedSecurityInfo. In XP, 
Power Users have the WRITE_DAC ability. Do I need to take ownership to 
replace the DACL? It sure looks like it...

date: Thu, 24 Jul 2008 14:36:01 -0700   author:   jpatrcik
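The two posts above describe one procedure: read the old DACL, build a new one that names only the wanted trustees, write it back with the protected-DACL flag so the parent key's inheritable ACEs are not re-applied on top of it, and take ownership when the caller is refused WRITE_DAC. The PowerShell below is an added example, not code from either post. It goes through the .NET RegistrySecurity wrapper over GetSecurityInfo/SetSecurityInfo rather than calling the C API directly: SetAccessRuleProtection($true, $false) is what makes the persist call carry PROTECTED_DACL_SECURITY_INFORMATION, and opening the key with ChangePermissions is the WRITE_DAC request the poster was being denied. The scratch key HKLM\SOFTWARE\AclDemo, the trustee list, and the helper names Set-RegistryKeyDaclExclusive and TokenPriv are constructed for this example. Run it from an elevated prompt so the token holds SeTakeOwnershipPrivilege.

```powershell
# Added example, not code from the thread: replace a registry key's DACL outright
# (protected, explicit ACEs only) and, if WRITE_DAC is refused, take ownership first.
# Requires an elevated PowerShell 3+ session on Windows. Key path and trustees are constructed.

if (-not ('TokenPriv' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
// Minimal AdjustTokenPrivileges wrapper: enables one named privilege on the current process token.
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] struct TOKEN_PRIVILEGES { public uint Count; public LUID Luid; public uint Attr; }
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state, uint len, IntPtr prev, IntPtr retLen);
    public static bool Enable(string name) {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), 0x0028, out token)) return false; // TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
        TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
        tp.Count = 1; tp.Attr = 0x2;                                                // SE_PRIVILEGE_ENABLED
        if (!LookupPrivilegeValue(null, name, out tp.Luid)) return false;
        if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) return false;
        return Marshal.GetLastWin32Error() == 0;  // 1300 ERROR_NOT_ALL_ASSIGNED: token does not hold the privilege
    }
}
'@
}

function Set-RegistryKeyDaclExclusive {
    param(
        [Parameter(Mandatory)][string]$SubKey,       # path under HKLM, without the hive
        [Parameter(Mandatory)][hashtable]$Grants,    # 'DOMAIN\Name' -> RegistryRights; nobody else keeps access
        [switch]$TakeOwnershipIfDenied
    )
    $hive     = [Microsoft.Win32.Registry]::LocalMachine
    $default  = [Microsoft.Win32.RegistryKeyPermissionCheck]::Default
    $writeDac = [System.Security.AccessControl.RegistryRights]'ChangePermissions, ReadPermissions'  # WRITE_DAC | READ_CONTROL

    try {
        $key = $hive.OpenSubKey($SubKey, $default, $writeDac)
    } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
        if (-not $TakeOwnershipIfDenied) { throw }
        # Nobody granted us WRITE_DAC (the poster's Vista case). With SeTakeOwnershipPrivilege
        # enabled the access check grants WRITE_OWNER, we make ourselves the owner, and the
        # owner gets READ_CONTROL and WRITE_DAC implicitly on the next open.
        if (-not [TokenPriv]::Enable('SeTakeOwnershipPrivilege')) {
            throw "SeTakeOwnershipPrivilege is not held by this token; run from an elevated prompt."
        }
        $ownerKey = $hive.OpenSubKey($SubKey, $default, [System.Security.AccessControl.RegistryRights]::TakeOwnership)
        $ownerSd  = New-Object System.Security.AccessControl.RegistrySecurity
        $ownerSd.SetOwner([System.Security.Principal.WindowsIdentity]::GetCurrent().User)
        $ownerKey.SetAccessControl($ownerSd)   # persists only the OWNER section
        $ownerKey.Close()
        $key = $hive.OpenSubKey($SubKey, $default, $writeDac)
    }
    if (-not $key) { throw "HKLM\$SubKey does not exist." }

    $acl = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)

    # 1. Protect the DACL. This is the PROTECTED_DACL_SECURITY_INFORMATION bit: without it,
    #    SetSecurityInfo re-applies the parent key's inheritable ACEs on top of whatever DACL
    #    you hand it, which is why the old trustees kept coming back. $false = do not keep
    #    the inherited ACEs as explicit copies.
    $acl.SetAccessRuleProtection($true, $false)

    # 2. Drop the explicit ACEs too, so the result is a replacement, not a merge. Enumerate
    #    as SIDs so an orphaned SID with no account name does not abort the loop.
    foreach ($rule in @($acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]))) {
        [void]$acl.RemoveAccessRuleAll($rule)
    }

    # 3. Add exactly the requested trustees.
    foreach ($trustee in $Grants.Keys) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
            [System.Security.Principal.NTAccount]$trustee,
            [System.Security.AccessControl.RegistryRights]$Grants[$trustee],
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    $key.SetAccessControl($acl)   # SetSecurityInfo(DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION)
    $key.Close()
}

# Constructed scratch key for the demo: create it (it inherits the SOFTWARE key's ACL),
# replace its DACL, then inspect what is left.
$demo = 'SOFTWARE\AclDemo'
$null = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($demo)
Set-RegistryKeyDaclExclusive -SubKey $demo -TakeOwnershipIfDenied -Grants @{
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
    'BUILTIN\Administrators' = 'FullControl'
    'BUILTIN\Users'          = 'ReadKey'
}
$result = Get-Acl -Path "HKLM:\$demo"
$result.AreAccessRulesProtected
$result.Access | Format-Table IdentityReference, RegistryRights, IsInherited -AutoSize
```

In the C form the poster is using, the same two changes are SetEntriesInAcl(n, pExplicit, NULL, &pNewDacl) to build the DACL without the old one, and DACL_SECURITY_INFORMATION ORed with PROTECTED_DACL_SECURITY_INFORMATION as the SecurityInfo argument of SetNamedSecurityInfo. Two caveats when doing this for real: a protected DACL no longer receives later changes to the parent key's inheritable ACEs, so keep SYSTEM and Administrators in the trustee list or you will lock out the machine's own management tools, and the take-ownership path changes the key's owner, which is a visible change that auditing and integrity checks will flag.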
