REVOKE_ACCESS : how to remove / 'revoke' an inherited ACE?

  • Question

  • I have the code below working for various ACE changes, adds and revokes -- it just does NOT work when I try to remove an ACE that is (clearly) there in the ACL, but this ACE is inherited. The SetEntriesInAcl() for revoke of non-inherited ACEs works, reduces the ACL ACE count and the following SetNamedSecurityInfo() does the revoke and the ACE is gone. When the ACE is inherited though -- both these APIs return SUCCESS - but the ACE is not removed/revoked, the ACL ACE count remains the same. I have also coded doing DeleteAce() but when that DACL is used in SetNamedSecurityInfo() again the RC is SUCCESS (no error codes) and the ACE remains for the folder I am dealing with --- clearly there is a trick ---- on how to remove an inherited ACE. Btw -- for the same folder in question . . . . the SUBINACL command line tool does the revoke of this inherited ACE without problem -- HELP! Thanks in advance, Kevin Waite ......

                     if( EqualSid( pSid_for_ace, pSid )  )
                        { /* ACE SID matched edit SID */
    
                        if( cmd_se_edit == SE_REM )
                           { /* remove */
    
                           rem_lst[ ace_idx ] = x;
    
                           exp_ace[ ace_idx ].grfAccessPermissions = dwAccessRights;
                           exp_ace[ ace_idx ].grfAccessMode        = REVOKE_ACCESS;
                           exp_ace[ ace_idx ].grfInheritance       = dwInheritance;
                           exp_ace[ ace_idx ].Trustee.TrusteeForm  = TRUSTEE_IS_SID;
                           exp_ace[ ace_idx ].Trustee.TrusteeType  = TRUSTEE_IS_WELL_KNOWN_GROUP;
                           exp_ace[ ace_idx ].Trustee.ptstrName    = pSid;
    
                           if( ace_idx < (REMMAX-1) ) ++ace_idx;
    
                           } /* remove */
    
                        } /* ACE SID matched edit SID */
    
                  pBA = (BYTE *)p_aceHdr;
    
                  ace_sz = p_aceHdr->AceSize;
    
                  p_aceHdr = (PACE_HEADER)&pBA[ ace_sz ];
    
                  } /* loop through ACEs */
    
    
               // Create a new ACL that merges the new ACE
               // into the existing DACL.
    
               if( ace_idx )
                  { /* ACEs to remove */
    
                  dwRes = SetEntriesInAcl( ace_idx, &exp_ace[0],
                                                            pDacl, &pNewDacl );
                  if( ERROR_SUCCESS != dwRes )
                     {
                     printf( "SetEntriesInAcl Error %u\n", dwRes );
                     goto Cleanup2;
                     }
    
                   // Attach the new ACL as the object's DACL.
                   // Only DACL_SECURITY_INFORMATION is passed, so the object
                   // keeps receiving inheritable ACEs from its parent.

                   dwRes = SetNamedSecurityInfo( ObjName,
                                                 ObjectType,
                                                 DACL_SECURITY_INFORMATION,
                                                 NULL,
                                                 NULL,
                                                 pNewDacl,
                                                 NULL );
    
                  if( ERROR_SUCCESS != dwRes )
                     {
                     printf( "SetNamedSecurityInfo Error %u\n", dwRes );
                     goto Cleanup2;
                     }
    
                  } /* ACEs to remove */
    
    The access permissions mask and inheritance settings are identical to the ACE being revoked - per MS guidance (the only guidance I have found). Setting this ACE with the above code results in a new ACE that matches what I set -- but the original inherited ACE remains -- the ACL grew by 1 for this test - then the revoke of this test ACE worked correctly -- once again the original inherited ACE remains.

    • Moved by Bob Wu-MT Monday, January 30, 2012 9:05 AM ACL issue (From: Windows Forms General)
    Sunday, January 29, 2012 5:11 AM
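The behaviour described in the post is by design: an ACE carrying the INHERITED_ACE flag belongs to the parent object, and when SetNamedSecurityInfo() writes a DACL with only DACL_SECURITY_INFORMATION, Windows re-propagates the parent's inheritable ACEs into the child afterwards, so a DACL from which the inherited entry was deleted (by REVOKE_ACCESS or DeleteAce()) is silently rebuilt with that entry back in place, and both calls report success. The two supported ways to get rid of such an ACE are to remove it on the parent where it originates, or to protect the child's DACL (the Win32 flag is PROTECTED_DACL_SECURITY_INFORMATION, combined with DACL_SECURITY_INFORMATION), which converts the inherited entries into explicit ones that can then be removed. The PowerShell script below is an added example, not code from the post or from the forum's replies; it uses the .NET FileSystemSecurity API to do the same thing that the C code would do with the protected-DACL flag. The folder path and the trustee name are placeholders chosen for this example.

```powershell
# Added example: removing an ACE that a folder inherits from its parent.
# Mode 'Parent'  -> remove the rule on the parent; propagation removes it below.
# Mode 'Protect' -> stop inheritance on the child, keep inherited ACEs as explicit
#                   copies, then remove the copy (Win32 equivalent: SetNamedSecurityInfo
#                   with DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION).
param(
    [string]$Folder   = 'C:\Data\Project',   # placeholder folder for this example
    [string]$Identity = 'BUILTIN\Users',     # placeholder trustee for this example
    [ValidateSet('Parent', 'Protect')]
    [string]$Mode     = 'Protect'
)

function Get-MatchingRules {
    # Returns every access rule in $Acl whose trustee is $Who (inherited or not).
    param(
        [System.Security.AccessControl.FileSystemSecurity]$Acl,
        [string]$Who
    )
    $Acl.Access | Where-Object { $_.IdentityReference.Value -eq $Who }
}

$acl = Get-Acl -Path $Folder
# Show what we are about to remove; note the IsInherited column.
Get-MatchingRules -Acl $acl -Who $Identity |
    Format-Table IdentityReference, FileSystemRights, IsInherited, InheritanceFlags -AutoSize

if ($Mode -eq 'Parent') {
    # Route A: edit the object that owns the ACE. Only explicit rules can be removed
    # here; if the parent also inherits it, repeat one level higher.
    $parent = Split-Path -Path $Folder -Parent
    $pacl   = Get-Acl -Path $parent
    $rules  = Get-MatchingRules -Acl $pacl -Who $Identity | Where-Object { -not $_.IsInherited }
    foreach ($rule in $rules) { [void]$pacl.RemoveAccessRule($rule) }
    Set-Acl -Path $parent -AclObject $pacl
}
else {
    # Route B: protect the child's DACL. isProtected=$true stops inheritance,
    # preserveInheritance=$true copies the inherited ACEs in as explicit ACEs so
    # nothing is lost; the write below is what makes the copies explicit.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Folder -AclObject $acl

    # Re-read: the matching rules now report IsInherited = False and can be removed.
    $acl = Get-Acl -Path $Folder
    foreach ($rule in (Get-MatchingRules -Acl $acl -Who $Identity)) {
        [void]$acl.RemoveAccessRule($rule)
    }
    Set-Acl -Path $Folder -AclObject $acl
}

# Verify the result on the child.
$after = Get-MatchingRules -Acl (Get-Acl -Path $Folder) -Who $Identity
if ($after) {
    Write-Warning "An ACE for $Identity is still present on $Folder"
} else {
    "No ACE for $Identity remains on $Folder"
}
```

Route A is the cleaner choice when the parent's ACE is simply wrong, because every sibling that inherits it is corrected in one step. Route B is what a tool that edits a single child has to do; its cost is that the folder no longer picks up future ACL changes made on the parent, so an audit of protected DACLs should expect to find it. In the C code from the post, the same effect is reached by OR-ing PROTECTED_DACL_SECURITY_INFORMATION into the SecurityInfo argument of SetNamedSecurityInfo() while passing a DACL in which the inherited entry has been copied as an explicit ACE (or left out entirely).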

All replies

  • Hi Kevin,
    As this is a security issue, I will move it to the Application Security for Windows Desktop Forum for better support.
    Sorry for any inconvenience this may cause.
    Best Regards,

    Bob Wu [MSFT]
    MSDN Community Support | Feedback to us
    Monday, January 30, 2012 9:04 AM
  • Hey Kevin, can you remove the ACE successfully? When I call SetNamedSecurityInfo, I just get "An attempt was made to reference a token that does not exist" as the Windows last error. Can you help me?
    Thursday, March 1, 2012 1:08 AM