ERROR_ACCESS_DENIED setting file owner


Problem description

I am trying to set the owner of a file to another user programmatically in C++.

I have definitely enabled the SeRestorePrivilege for my process. I can confirm this using Process Explorer. I start the process, it is disabled, I run my code to enable it, ProcExp reports it as enabled, I go just up to the point where the owner is to be set, and it is still enabled (i.e. I am not accidentally disabling it).

What other causes can there be for this "access is denied" message? What have I not considered?

#include <windows.h>
#include <aclapi.h>
#include <string>

// pSID is the SID of the new owner; status_code receives the Win32 error code.
// Log() is the poster's own logging helper and is not shown on the page.
bool SetOwner(PSID pSID, DWORD* status_code)
{
    // Note: in L"C:\test.txt" the "\t" is a tab character; the backslash has to be escaped.
    std::wstring fileSystemObject = L"C:\\test.txt";
    // SetNamedSecurityInfoW takes a non-const LPWSTR, hence the cast.
    *status_code = SetNamedSecurityInfoW((wchar_t*)fileSystemObject.c_str(), SE_FILE_OBJECT, OWNER_SECURITY_INFORMATION, pSID, NULL, NULL, NULL);
    if (*status_code == ERROR_SUCCESS)
    {
        Log(L"Successfully set owner for " + fileSystemObject);
        return true;
    }
    else
    {
        Log(L"Failed to set owner for " + fileSystemObject + L". Error code: ", *status_code);
        return false;
    }
}

Thanks.

Edit: Thank you very much for your continued assistance. It is greatly appreciated.

I used your code for all of the following tests. Basically, I am also getting Access Denied messages from your code, however, I have tracked it down a little more.

Firstly, "C:\test.txt" was not my real code, and unfortunately the missing backslash is not the cause of my problem. Thank you for your keen eyes though :)

Also, I am running an administrator account with UAC disabled, and my program has requireAdministrator set in the manifest.

However, I have noticed that both my code and yours work for simple files. After much testing, I have discovered that I only get AccessDenied messages in the following scenarios:

1: I am not the owner, and the "Take Ownership" permission is set to Deny for e.g. Everyone.

2: I am the owner, and the "Take Ownership" permission is set to Deny for e.g. Everyone. Curiously, in this second instance, despite the failure code, the ownership change does actually occur.

I don't see why this is happening. I, and you, have set SE_RESTORE_NAME in the process token. I should be allowed to arbitrarily set the owner SID. But it seems that I can't.

It seems that any Deny on TakeOwnership DACLs overrides my ability to take ownership. However, I can't change permissions until I can take ownership! sigh.

I might try setting SeTakeOwnershipPrivilege as you initially recommended, taking ownership to myself, changing permissions, setting ownership externally. What a pain. And I am not even very confident it will work.

I also found this: http://us.generation-nt.com/setnamedsecurityinfo-failing-rc-1307-help-59729462.html

He seems to be in a similar situation (I get 1307 if I don't set up the process token properly). But CreatePrivateObjectSecurityEx takes a whole lot more setting up.

Hmmmm. Thanks for your time.

Recommended answer

The problem here is that the security subsystem and model are defending the object from unreasonable ownership changes, and even with administrator permissions one needs to correctly overcome the obstacles.

There are two privileges involved in taking ownership of a file: SE_TAKE_OWNERSHIP_NAME and SE_RESTORE_NAME. The former allows taking someone's object, and the latter allows setting an owner who is not the setter himself.

It might look like SE_RESTORE_NAME is a more powerful privilege and is sufficient for the task; however, it appears that it is not. Yes, it allows setting someone's ownership, as MSDN states:

If the caller does not have the SeRestorePrivilege constant (see Privilege Constants), this SID must be contained in the caller's token, and must have the SE_GROUP_OWNER permission enabled. The SecurityInfo parameter must include the OWNER_SECURITY_INFORMATION flag. To set the owner, the caller must have WRITE_OWNER access to the object or have the SE_TAKE_OWNERSHIP_NAME privilege enabled.

However, it does not let you overcome a DACL item that explicitly prevents ownership change. In this case you need that other privilege as well (that is, you need to enable both), which enables you to take ownership from someone before you decide whom you are then going to give it to.

I am copying the link to the C++/ATL source code from the comment above: SetFileOwner.cpp. When the permissions/DACL have a Deny item, an exception takes place, and enabling the second privilege resolves the problem.
