GetNamedSecurityInfo doesn't return a DACL

  • Question

  • Hello,

    I'm trying to write a small program to determine the DACLs of particular folders. I'm using GetNamedSecurityInfo() and can retrieve the owner information well enough, converting the SID to a domain/user name. However, the DACL pointer is not updated. When I use the function GetSecurityDescriptorDacl() on the returned PSECURITY_DESCRIPTOR, it indicates that no DACL is present.

    However, I'm running this code on Windows 8 and Windows 7 on my home directory (C:\Users\winuser), as well as on "C:\", where File Explorer shows that there are DACLs and they are not inherited. So I would have expected to retrieve DACLs for these two folders.

    The relevant code is:

     #include <windows.h>
     #include <aclapi.h>
     #include <stdio.h>

     // SetPrivilege() is the helper from the MSDN "Enabling and Disabling Privileges in C++" sample.
     BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege);

     void DumpFolderSecurity(LPTSTR path)
     {
      HANDLE hProcess = GetCurrentProcess();
      HANDLE hToken;
      BOOL result;

      result = OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES, &hToken);
      if (result == 0) return;

      // Used for reading SACL's
      result = SetPrivilege(hToken, SE_SECURITY_NAME, TRUE);
      if (result == 0) return;

      PSID owner = NULL;
      PSID group = NULL;
      PACL dacl = NULL;
      PACL sacl = NULL;
      PSECURITY_DESCRIPTOR psd = NULL;

      // Ask for owner, group, DACL and SACL in one call; the out pointers
      // point into psd, which the caller must release with LocalFree().
      DWORD dresult = GetNamedSecurityInfo(path, SE_FILE_OBJECT,
       SACL_SECURITY_INFORMATION || DACL_SECURITY_INFORMATION || GROUP_SECURITY_INFORMATION || OWNER_SECURITY_INFORMATION,
       &owner, &group, &dacl, &sacl, &psd);
      if (dresult != ERROR_SUCCESS) return;

      wprintf(L"Owner:%p Group:%p DACL:%p SACL:%p PSD:%p\n", owner, group, dacl, sacl, psd);

      // Cross-check: does the returned descriptor itself report a DACL?
      BOOL daclPresent;
      PACL dacl2;
      BOOL daclDefault;
      result = GetSecurityDescriptorDacl(psd, &daclPresent, &dacl2, &daclDefault);
      if (result) {
       wprintf(L"DACL Present:%d Default:%d DACL:%p\n", daclPresent, daclDefault, dacl2);
      }

      LocalFree(psd);
      CloseHandle(hToken);
     }

    For reading the DACL, the documentation states I just need to have READ_TOKEN access, which I've also tried. Note, the SACLs are empty (but I would expect that, as I've not set up auditing explicitly).

    How do I get the DACL for a particular folder? My end result is to check DACLs, similar to the security tab in Windows, so I can programmatically audit potential folders within the user's home directory and ensure their permissions are correct.

    When observing the results from GetSecurityDescriptorControl, the result is 0x8000 (no information present). When debugging the Sysinternals "accesschk.exe" utility, it does get a DACL entry. I've tried setting the privileges SE_SECURITY_NAME, SE_DEBUG_NAME and SE_BACKUP_NAME with no difference. My manifest is created so it runs in Administrator mode also (which VS then escalates to (Administrator)).

    So I'm doing similar to what I've observed and read on MSDN, but I don't know what I'm doing wrong.


    • Edited by Jason Curl Sunday, March 17, 2013 9:09 PM minor code fix
    Sunday, March 17, 2013 4:01 PM

Answers

  • This is wrong:  SACL_SECURITY_INFORMATION || DACL_SECURITY_INFORMATION || GROUP_SECURITY_INFORMATION || OWNER_SECURITY_INFORMATION

    You must use the | operator, not ||.  With ||, the expression evaluates to true, which is then converted to 1, which equals OWNER_SECURITY_INFORMATION.

    • Proposed as answer by ranta Tuesday, March 19, 2013 11:33 AM
    • Marked as answer by Jason Curl Tuesday, March 19, 2013 7:45 PM
    Tuesday, March 19, 2013 11:33 AM
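The following is an added example, not code from the thread. It builds the SECURITY_INFORMATION mask both ways so the collapse to 1 (== OWNER_SECURITY_INFORMATION) can be checked on any host, and, under `_WIN32` only, reads a folder's DACL with the corrected mask and walks its ACEs. The function names (`requested_info_buggy`, `requested_info_correct`, `info_requests_dacl`, `info_flag_count`, `print_folder_dacl`) are this example's own; the non-Windows fallback defines the four flags with their real winnt.h values so the mask logic compiles off-Windows. The audit path requests only owner, group and DACL, so READ_CONTROL on the folder suffices and no SE_SECURITY_NAME privilege is needed, and the returned descriptor is released with LocalFree.

```c
/* Added example (not from the thread): bitwise vs logical OR when building a
 * SECURITY_INFORMATION mask, plus a Windows-only DACL reader using the fix. */
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#include <aclapi.h>
#else
/* Real values from winnt.h, so the mask logic can be compiled and tested
 * on a non-Windows host. */
typedef unsigned long DWORD;
#define OWNER_SECURITY_INFORMATION 0x00000001UL
#define GROUP_SECURITY_INFORMATION 0x00000002UL
#define DACL_SECURITY_INFORMATION  0x00000004UL
#define SACL_SECURITY_INFORMATION  0x00000008UL
#endif

/* The mask as written in the question: '||' is logical OR, so any non-zero
 * operand makes the whole expression 'true', i.e. the integer 1.  1 happens
 * to equal OWNER_SECURITY_INFORMATION, which is why only the owner came back. */
DWORD requested_info_buggy(void)
{
    return SACL_SECURITY_INFORMATION || DACL_SECURITY_INFORMATION ||
           GROUP_SECURITY_INFORMATION || OWNER_SECURITY_INFORMATION;
}

/* The intended mask: bitwise OR keeps all four bits (0x0F). */
DWORD requested_info_correct(void)
{
    return SACL_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION |
           GROUP_SECURITY_INFORMATION | OWNER_SECURITY_INFORMATION;
}

/* Sanity check before the call: does the mask actually ask for the DACL? */
int info_requests_dacl(DWORD info)
{
    return (info & DACL_SECURITY_INFORMATION) != 0;
}

/* Number of flag bits set: 1 for the buggy mask, 4 for the correct one. */
int info_flag_count(DWORD info)
{
    int n = 0;
    for (; info; info >>= 1) n += (int)(info & 1);
    return n;
}

#ifdef _WIN32
/* Read and summarise one folder's DACL.  Owner/group/DACL only, so
 * READ_CONTROL on the folder is enough; no SACL, no SE_SECURITY_NAME. */
int print_folder_dacl(const wchar_t *path)
{
    PSID owner = NULL, group = NULL;
    PACL dacl = NULL;
    PSECURITY_DESCRIPTOR psd = NULL;
    DWORD info = OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
                 DACL_SECURITY_INFORMATION;

    DWORD rc = GetNamedSecurityInfoW((LPWSTR)path, SE_FILE_OBJECT, info,
                                     &owner, &group, &dacl, NULL, &psd);
    if (rc != ERROR_SUCCESS) {
        wprintf(L"GetNamedSecurityInfo(%s) failed: %lu\n", path, rc);
        return -1;
    }

    /* A NULL DACL means "everyone has full access", not "no data returned". */
    if (dacl == NULL) {
        wprintf(L"%s: NULL DACL (unrestricted)\n", path);
    } else {
        wprintf(L"%s: %u ACEs\n", path, dacl->AceCount);
        for (DWORD i = 0; i < dacl->AceCount; i++) {
            ACE_HEADER *hdr = NULL;
            if (!GetAce(dacl, i, (LPVOID *)&hdr)) break;
            if (hdr->AceType == ACCESS_ALLOWED_ACE_TYPE ||
                hdr->AceType == ACCESS_DENIED_ACE_TYPE) {
                /* Both ACE layouts begin with the same header and Mask. */
                ACCESS_ALLOWED_ACE *ace = (ACCESS_ALLOWED_ACE *)hdr;
                wprintf(L"  ACE %lu: type=%u flags=0x%02x mask=0x%08lx\n",
                        i, hdr->AceType, hdr->AceFlags, ace->Mask);
            }
        }
    }
    LocalFree(psd);   /* psd owns owner/group/dacl; free once, at the end */
    return 0;
}

int wmain(int argc, wchar_t **argv)
{
    const wchar_t *path = argc > 1 ? argv[1] : L"C:\\";   /* constructed default */
    return print_folder_dacl(path) == 0 ? 0 : 1;
}
#endif
```

On Windows, build with a Unicode toolchain and pass the folder on the command line; the printed `mask` per ACE is the raw access mask that the Explorer security tab renders as "Full control", "Modify" and so on.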

All replies

  • Well, that's embarrassing. Yes, that will certainly be the problem.
    Tuesday, March 19, 2013 7:46 PM