System.Security.AccessControl.NativeObjectSecurity.SetOwner Does Not Throw Exception Nor Does It Change Owner

  • Question

  • Here is my code:

            public static bool TakeOwnership(string filename, string domainName, string userName)
            {
                if (domainName.Equals(""))
                    domainName = System.Environment.UserDomainName;
                if (userName.Equals(""))
                    userName = System.Environment.UserName;
                System.Security.AccessControl.NativeObjectSecurity accessControlObjectReference = null;
                try
                {
                    accessControlObjectReference = System.IO.Directory.GetAccessControl(filename);  // does NOT accept 8.3 filenames especially those preceded with \\? for some ungodly reason
                }
                catch (Exception noown)
                {
                    Console.WriteLine("Unable to takeownership of file (not directory) (" + filename + ") because (" + noown.Message + ").");

                    return false;
                }
                try
                {
                    if (domainName.Equals(""))
                        domainName = System.Environment.UserDomainName;
                    if (userName.Equals(""))
                        userName = System.Environment.UserName;
                    accessControlObjectReference.SetOwner(new System.Security.Principal.NTAccount(domainName, userName));
                    return true;   // it seems the system has set a new owner -- maybe
                }
                catch (Exception ee)
                {
                    Console.WriteLine("Unable to takeownership of (" + filename + ") because (" + ee.Message + ").");
                    return false;
                }
            }

    The call is thus:     HeavyLifting.TakeOwnership(@"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe","","");

    The program runs with elevated privileges.  No exception is thrown.  The original owner is TrustedInstaller.

    What do I change to make this work as I intended?


    MARK D ROCKMAN

    Friday, December 1, 2017 2:40 PM

Answers

  • The ObjectSecurity type is a container for the permissions and whatnot of an object. Unto itself it does nothing. You use GetAccessControl to get the container. To actually apply the changes you've made to it back to the system you have to call SetAccessControl. It is that call that updates the underlying security on the object in question.

    void SetDirectoryOwner ( string path, IdentityReference principal )
    { 
        var security = Directory.GetAccessControl(path);
        security.SetOwner(principal);
        Directory.SetAccessControl(path, security);
    }


    Michael Taylor http://www.michaeltaylorp3.net

    • Marked as answer by F7H2fw Saturday, December 2, 2017 2:45 AM
    Friday, December 1, 2017 4:17 PM
    Moderator

All replies

  • So it turns out a method called SetOwner doesn't set the owner.  It merely copies the name of the new owner into some structure for future writing to the file system.  Somewhat confusing.  But it is too late in the game to give the method a more descriptive name.  SetAccessControl performs the actual revision to the file system.  It appears there is some missing documentation regarding the permissions that are necessary for SetAccessControl to do its thing.  It is either or both of the following.  1)  Run as administrator and 2) Use ModifyPrivilege in C++ to set the  SeTakeOwnershipPrivilege privilege.

    MARK D ROCKMAN

    Saturday, December 2, 2017 2:53 AM
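
The round trip described in the answer, applied to a file and followed by a check that the owner actually changed on disk. This is an added example, not code from either poster. `OwnerChange` and `SetFileOwnerVerified` are hypothetical names, and it assumes the .NET Framework `File.GetAccessControl` / `File.SetAccessControl` static methods.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class OwnerChange   // hypothetical name, added for illustration
{
    // Stage the owner, persist it, then confirm the change from a fresh read.
    public static bool SetFileOwnerVerified(string path, IdentityReference principal)
    {
        // Compare SIDs rather than names: one account can be written several ways.
        var wanted = (SecurityIdentifier)principal.Translate(typeof(SecurityIdentifier));
        try
        {
            FileSecurity security = File.GetAccessControl(path, AccessControlSections.Owner);
            security.SetOwner(wanted);              // changes the in-memory object only
            File.SetAccessControl(path, security);  // writes the owner to the file
        }
        catch (UnauthorizedAccessException e)       // the OS refused the read or the write
        {
            Console.Error.WriteLine("Access denied on (" + path + "): " + e.Message);
            return false;
        }
        catch (InvalidOperationException e)         // caller may not assign this owner
        {
            Console.Error.WriteLine("Owner rejected for (" + path + "): " + e.Message);
            return false;
        }
        // Re-read from the file system; do not trust the object we just modified.
        var actual = (SecurityIdentifier)File
            .GetAccessControl(path, AccessControlSections.Owner)
            .GetOwner(typeof(SecurityIdentifier));
        return wanted.Equals(actual);
    }

    static void Main()
    {
        // Constructed sample input: a scratch file, owner set to the current user.
        string path = Path.GetTempFileName();
        try
        {
            SecurityIdentifier me = WindowsIdentity.GetCurrent().User;
            Console.WriteLine(SetFileOwnerVerified(path, me)
                ? "owner verified on disk" : "owner was not changed");
        }
        finally { File.Delete(path); }
    }
}
```

Returning `true` only after the second `GetAccessControl` read avoids the original symptom, where the method reported success although nothing had been written.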