Microsoft KB Archive/240184

{|
 * width="100%"|

INFO: Reading/Modifying DACL of a File or Folder with Backup and Restore Privileges

 * }

Q240184

-

The information in this article applies to:


 * Microsoft Win32 Application Programming Interface (API), included with:
 * Microsoft Windows NT Server version 4.0
 * Microsoft Windows NT Workstation version 4.0
 * the operating system: Microsoft Windows 2000

-

SUMMARY
Backup applications can use BackupRead and BackupWrite to backup and restore security descriptor information of a file or a folder like a standard data stream. However, if backup applications need to manipulate the security descriptor information on a file or a folder, the access control APIs can be used after opening the corresponding file or folder in backup mode. This article explains how a backup application can use backup and restore privileges for manipulating the owner, group, and discretionary access-control list (DACL) of the security descriptor associated with a file or a folder.

MORE INFORMATION
For reading or modifying the owner, group, and DACL of the security descriptor associated with a file or a folder, one needs READ_CONTROL, WRITE_OWNER, WRITE_DAC standard access rights. The system will grant these standard access rights if you have reading security permissions explicitly granted the respective access in the DACL or is the owner of the corresponding file or folder. However, the system can override these file security checks if the calling process has SE_BACKUP_NAME and SE_RESTORE_NAME privileges granted and enabled. These privileges are granted to Backup Operators by default for performing backup and restore operations.

GetFileSecurity or high level access control APIs do not provide a mechanism for the application to select how a file or a folder is to be opened. However if the SE_BACKUP_NAME privilege is granted and enabled in the calling process access token, an application can use CreateFile/GetKernelObjectSecurity pair for analyzing the security information. To open a file or a folder for reading the OWNER or GROUP or DACL information, an application can call CreateFile API with the following dwDesiredAccess and dwFlagsAndAttributes parameters.

   hFile = CreateFile(fileName,                READ_CONTROL,                0,                NULL,                OPEN_EXISTING,                FILE_FLAG_BACKUP_SEMANTICS,                NULL);

The handle obtained from CreateFile can then be used in GetKernelObjectSecurity API call for reading the OWNER, GROUP or DACL information. For reading the system access-control list (SACL) of a file or a folder, the application needs to include access system security (ACCESS_SYSTEM_SECURITY) bit in dwDesiredAccess parameter when calling CreateFile API.

Similarly, the security information of a file or a folder can be modified if the SE_RESTORE_NAME privilege is granted and enabled in the calling process access token. An application can use CreateFile/SetKernelObjectSecurity pair for modifying the security information. To open a file or a folder for modifying the security information, an application can call CreateFile API with the following dwDesiredAccess and dwFlagsAndAttributes parameters.

   hFile = CreateFile(fileName,                WRITE_OWNER|WRITE_DAC,                0,                NULL,                CREATE_ALWAYS,                FILE_FLAG_BACKUP_SEMANTICS,                NULL); The handle obtained from CreateFile can then be used to call SetKernelObjectSecurity API for modifying the security information in the corresponding file or folder.

Additional query words:

Keywords : kbAccCtrl kbAPI kbFileIO kbKernBase kbOSWinNT400 kbOSWin2000 kbSecurity kbDSupport kbGrpDSKernBase

Issue type : kbinfo

Technology : kbAudDeveloper kbWin32sSearch kbWin32API