Setting Privileges

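The following example replaces the discretionary ACL of a file with a NULL DACL, which removes all access restrictions from the file (every user is allowed unrestricted access). If necessary, ownership of the file is given to the Administrator account. If required, the SE_TAKE_OWNERSHIP_NAME privilege is enabled in the access token of the current process.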

/* Path of the sample file whose owner and DACL TakeOwnership modifies. */
LPSTR lpszOwnFile = "d:\\ntfs_sample_file";

/*
 * SID used as the new owner of the file. It is filled in by
 * AllocateAndInitializeSid inside TakeOwnership and stays NULL until then.
 */
PSID pSIDAliasAdmins = NULL;

/* Identifier authority passed to AllocateAndInitializeSid when building the SID. */
static SID_IDENTIFIER_AUTHORITY siaNTAuthority = SECURITY_NT_AUTHORITY;

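/*
 * TakeOwnership - assign a NULL DACL to the file named by lpszOwnFile,
 * taking ownership of the file first if the direct attempt is refused.
 *
 * Steps:
 *   1. Try to set a NULL DACL directly.
 *   2. If that fails, make the built-in Administrators alias
 *      (SECURITY_BUILTIN_DOMAIN_RID / DOMAIN_ALIAS_RID_ADMINS) the owner,
 *      enabling SE_TAKE_OWNERSHIP_NAME through AssertTakeOwnership(TRUE)
 *      only if the owner change is refused without it.
 *   3. Try the NULL DACL again.
 *
 * Returns TRUE if the NULL DACL was applied, FALSE otherwise.
 *
 * Security note: a NULL DACL is not an empty DACL. It places no access
 * restriction on the object, so every principal gets full access,
 * including the right to rewrite the DACL and the owner. Use it only
 * where unrestricted access is really intended; otherwise build an
 * explicit ACL that grants the minimum rights needed.
 *
 * Cleanup: the SID in the global pSIDAliasAdmins is needed only for the
 * duration of this call (the security descriptor that points at it is a
 * local). It is freed and reset to NULL on every path after allocation,
 * and the privilege is switched back off on every path on which this
 * function enabled it.
 */
BOOL FAR PASCAL TakeOwnership()
{
    SECURITY_DESCRIPTOR sd;
    BOOL fPrivilegeEnabled = FALSE; /* TRUE once AssertTakeOwnership(TRUE) succeeded */
    BOOL fResult = FALSE;

    /*
     * Initialize a security descriptor and assign it a NULL
     * discretionary ACL to allow unrestricted access.
     * Assign the security descriptor to a file.
     */
    if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION)) {
        ErrorHandler("InitializeSecurityDescriptor");
        return FALSE;
    }

    if (!SetSecurityDescriptorDacl(&sd,
                                   TRUE,        /* a DACL is present ...      */
                                   (PACL) NULL, /* ... and it is the NULL DACL */
                                   FALSE)) {
        ErrorHandler("SetSecurityDescriptorDacl");
        return FALSE;
    }

    if (SetFileSecurity(lpszOwnFile, DACL_SECURITY_INFORMATION, &sd)) {
        return TRUE;
    }

    ErrorHandler("SetFileSecurity1");

    /*
     * The preceding call to SetFileSecurity failed: create an
     * Administrators SID and use it to set the owner of the
     * security descriptor.
     */
    if (!AllocateAndInitializeSid(&siaNTAuthority,
                                  2, /* subauthority count */
                                  SECURITY_BUILTIN_DOMAIN_RID, /* first subauthority */
                                  DOMAIN_ALIAS_RID_ADMINS,     /* second subauthority */
                                  0, 0, 0, 0, 0, 0,
                                  &pSIDAliasAdmins)) {
        ErrorHandler("AllocateAndInitializeSid");
        return FALSE;
    }

    if (!SetSecurityDescriptorOwner(&sd, pSIDAliasAdmins, FALSE)) {
        ErrorHandler("SetSecurityDescriptorOwner");
        goto cleanup;
    }

    /*
     * If the following call to SetFileSecurity fails,
     * enable SE_TAKE_OWNERSHIP_NAME in the access token for
     * the current process and try again.
     */
    if (!SetFileSecurity(lpszOwnFile, OWNER_SECURITY_INFORMATION, &sd)) {
        ErrorHandler("SetFileSecurity2");

        if (!AssertTakeOwnership(TRUE)) { /* local */
            MessageBox(NULL, "Must be logged on as Administrator",
                       "AssertTakeOwnership", MB_OK);
            goto cleanup;
        }
        fPrivilegeEnabled = TRUE;

        if (!SetFileSecurity(lpszOwnFile, OWNER_SECURITY_INFORMATION, &sd)) {
            MessageBox(NULL, "Must be logged on as Administrator",
                       "SetFileSecurity", MB_OK);
            /* cleanup switches the privilege off again; it must not
             * stay enabled just because the owner change failed. */
            goto cleanup;
        }
    }

    /*
     * The Administrator is now the owner of the file.
     * Try again to assign a NULL ACL.
     */
    if (SetFileSecurity(lpszOwnFile, DACL_SECURITY_INFORMATION, &sd)) {
        fResult = TRUE;
    } else {
        /*
         * Report before touching the token again. ErrorHandler is defined
         * elsewhere; presumably it reads GetLastError(), which the token
         * adjustment in cleanup would overwrite.
         */
        ErrorHandler("SetFileSecurity3");
    }

cleanup:
    /* Switch the privilege off only if this call switched it on. */
    if (fPrivilegeEnabled) {
        AssertTakeOwnership(FALSE);
    }

    /* Release the SID and clear the global so no stale pointer remains. */
    FreeSid(pSIDAliasAdmins);
    pSIDAliasAdmins = NULL;

    /* Shown last so the process does not wait on the dialog while the
     * privilege is still enabled. */
    if (fResult) {
        MessageBox(NULL, "Added NULL DACL; protection removed",
                   "SetFileSecurity", MB_OK);
    }

    return fResult;
}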

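/*
 * AssertTakeOwnership - enable or disable SE_TAKE_OWNERSHIP_NAME in the
 * access token of the current process.
 *
 * fEnable  TRUE  to enable the privilege,
 *          FALSE to disable it again.
 *
 * Returns TRUE if the token is in the requested state, FALSE otherwise.
 *
 * Differences from the earlier form of this routine:
 *   - The token handle is closed on every path (it was never closed).
 *   - Disabling affects only SE_TAKE_OWNERSHIP_NAME. The earlier form
 *     asked AdjustTokenPrivileges to disable every privilege in the
 *     token, which also turns off privileges that are unrelated to this
 *     operation and that the rest of the process may depend on.
 *   - Both the return value of AdjustTokenPrivileges and GetLastError()
 *     are checked. The function can return TRUE while GetLastError()
 *     reports ERROR_NOT_ALL_ASSIGNED, meaning the token does not hold
 *     the privilege at all, so neither check is sufficient on its own.
 */
BOOL FAR PASCAL AssertTakeOwnership(BOOL fEnable)
{
    HANDLE hToken;
    TOKEN_PRIVILEGES tkp;
    DWORD dwError;
    BOOL fAdjusted;
    BOOL fResult = FALSE;

    /* Retrieve a handle of the access token. */
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                          &hToken)) {
        ErrorHandler("OpenProcessToken");
        return FALSE;
    }

    /* Look up the LUID for the privilege on the local system. */
    tkp.PrivilegeCount = 1;
    if (!LookupPrivilegeValue((LPSTR) NULL,
                              SE_TAKE_OWNERSHIP_NAME,
                              &tkp.Privileges[0].Luid)) {
        ErrorHandler("LookupPrivilegeValue");
        goto cleanup;
    }

    /* Attributes of 0 disables this one privilege and leaves the rest
     * of the token untouched. */
    tkp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED : 0;

    fAdjusted = AdjustTokenPrivileges(hToken,
                                      FALSE, /* adjust only the listed privilege */
                                      &tkp,
                                      sizeof(TOKEN_PRIVILEGES),
                                      (PTOKEN_PRIVILEGES) NULL,
                                      (PDWORD) NULL);
    dwError = GetLastError();

    /*
     * When disabling, ERROR_NOT_ALL_ASSIGNED means the token never held
     * the privilege, so it is already not enabled: treat that as success.
     * When enabling, it means the privilege could not be turned on.
     */
    if (!fAdjusted ||
        (dwError != ERROR_SUCCESS &&
         !(!fEnable && dwError == ERROR_NOT_ALL_ASSIGNED))) {
        ErrorHandler("AdjustTokenPrivileges");
        goto cleanup;
    }

    fResult = TRUE;

cleanup:
    CloseHandle(hToken);
    return fResult;
}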