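The following example removes the discretionary ACL from a file by assigning it a NULL DACL, which allows unrestricted access to the file. If necessary, ownership of the file is first given to the Administrator account (the code builds the SID of the built-in Administrators alias for this). If that also fails, the SE_TAKE_OWNERSHIP_NAME privilege is enabled in the access token of the current process and the ownership change is retried.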
/* Path of the file whose discretionary ACL the sample replaces. */
LPSTR lpszOwnFile = "d:\\ntfs_sample_file";

/*
 * SID used as the new owner of the file. TakeOwnership allocates it with
 * AllocateAndInitializeSid and releases it with FreeSid.
 */
PSID pSIDAliasAdmins = NULL;

/* Identifier authority passed to AllocateAndInitializeSid. */
static SID_IDENTIFIER_AUTHORITY siaNTAuthority = SECURITY_NT_AUTHORITY;
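/*
 * TakeOwnership
 *
 * Assigns a NULL discretionary ACL to the file named by lpszOwnFile.
 * If the caller is not allowed to write the DACL, the function first makes
 * the SID built from SECURITY_BUILTIN_DOMAIN_RID / DOMAIN_ALIAS_RID_ADMINS
 * the owner of the file, enabling SE_TAKE_OWNERSHIP_NAME in the process
 * token when the plain owner change is refused, and then retries.
 *
 * Returns TRUE when the NULL DACL was written, FALSE otherwise. Failures
 * are reported through ErrorHandler or MessageBox.
 *
 * Security note: a NULL DACL is not an empty DACL. It places no access
 * restrictions on the file at all, so every principal gets full access.
 * Code that uses this routine to recover a locked-out file should write an
 * explicit DACL afterwards instead of leaving the file in this state.
 */
BOOL FAR PASCAL TakeOwnership()
{
    SECURITY_DESCRIPTOR sd;
    BOOL fResult = FALSE;
    BOOL fDropPrivileges = FALSE;

    /*
     * Initialize a security descriptor and assign it a NULL
     * discretionary ACL to allow unrestricted access.
     */
    if (!InitializeSecurityDescriptor(&sd,
            SECURITY_DESCRIPTOR_REVISION)) {
        ErrorHandler("InitializeSecurityDescriptor");
        return FALSE;
    }
    if (!SetSecurityDescriptorDacl(&sd,
            TRUE,           /* a DACL is present ...        */
            (PACL) NULL,    /* ... and it is the NULL DACL  */
            FALSE)) {
        ErrorHandler("SetSecurityDescriptorDacl");
        return FALSE;
    }

    /* First attempt: the caller may already be allowed to write the DACL. */
    if (SetFileSecurity(lpszOwnFile,
            DACL_SECURITY_INFORMATION,
            &sd))
        return TRUE;
    ErrorHandler("SetFileSecurity1");

    /*
     * The preceding call to SetFileSecurity failed: create an
     * Administrator SID and use it to set the owner of the
     * security descriptor.
     */
    if (!AllocateAndInitializeSid(&siaNTAuthority,
            2,                              /* subauthority count  */
            SECURITY_BUILTIN_DOMAIN_RID,    /* first subauthority  */
            DOMAIN_ALIAS_RID_ADMINS,        /* second subauthority */
            0, 0, 0, 0, 0, 0,
            &pSIDAliasAdmins)) {
        ErrorHandler("AllocateAndInitializeSid");
        pSIDAliasAdmins = NULL;     /* nothing was allocated, nothing to free */
        return FALSE;
    }

    /*
     * From here on every exit goes through cleanup so that the SID is
     * always released. sd refers to the SID by pointer, so the SID has to
     * stay allocated until the last SetFileSecurity call has returned.
     */
    if (!SetSecurityDescriptorOwner(&sd,
            pSIDAliasAdmins,
            FALSE)) {
        ErrorHandler("SetSecurityDescriptorOwner");
        goto cleanup;
    }

    /*
     * If the following call to SetFileSecurity fails,
     * enable SE_TAKE_OWNERSHIP_NAME in the access token for
     * the current process and try again.
     */
    if (!SetFileSecurity(lpszOwnFile,
            OWNER_SECURITY_INFORMATION,
            &sd)) {
        ErrorHandler("SetFileSecurity2");
        if (!AssertTakeOwnership(TRUE)) {   /* local */
            MessageBox(NULL, "Must be logged on as Administrator",
                "AssertTakeOwnership", MB_OK);
            goto cleanup;
        }
        /*
         * The privilege is now enabled; make sure it is dropped again on
         * every path, including the failure directly below.
         */
        fDropPrivileges = TRUE;
        if (!SetFileSecurity(lpszOwnFile,
                OWNER_SECURITY_INFORMATION,
                &sd)) {
            MessageBox(NULL, "Must be logged on as Administrator",
                "SetFileSecurity", MB_OK);
            goto cleanup;
        }
    }

    /*
     * The Administrator is now the owner of the file.
     * Try again to assign a NULL ACL.
     *
     * AssertTakeOwnership(FALSE) is called after this step whether or not
     * the privilege had to be enabled above, as the sample has always done.
     * NOTE(review): that call disables every privilege in the process
     * token, not only SE_TAKE_OWNERSHIP_NAME.
     */
    fDropPrivileges = TRUE;
    if (SetFileSecurity(lpszOwnFile,
            DACL_SECURITY_INFORMATION,
            &sd)) {
        MessageBox(NULL, "Added NULL DACL; protection removed",
            "SetFileSecurity", MB_OK);
        fResult = TRUE;
    }
    else {
        /*
         * Report before cleanup: the API calls made during cleanup can
         * overwrite the thread's last-error value (presumably what
         * ErrorHandler reports; confirm against its definition).
         */
        ErrorHandler("SetFileSecurity3");
    }

cleanup:
    if (fDropPrivileges)
        AssertTakeOwnership(FALSE);
    FreeSid(pSIDAliasAdmins);
    pSIDAliasAdmins = NULL;     /* do not leave a dangling global */
    return fResult;
}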
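/*
 * AssertTakeOwnership
 *
 * fEnable != FALSE: enables SE_TAKE_OWNERSHIP_NAME in the access token of
 *                   the current process.
 * fEnable == FALSE: disables ALL privileges in that token (not only
 *                   SE_TAKE_OWNERSHIP_NAME), because AdjustTokenPrivileges
 *                   is called with DisableAllPrivileges set to TRUE.
 *
 * Returns TRUE when the token was adjusted as requested, FALSE otherwise.
 * Failures are reported through ErrorHandler. The token handle is closed
 * on every path once it has been opened.
 */
BOOL FAR PASCAL AssertTakeOwnership(BOOL fEnable)
{
    HANDLE hToken;
    LUID TakeOwnershipValue;
    TOKEN_PRIVILEGES tkp;
    BOOL fAdjusted;
    DWORD dwError;
    BOOL fResult = FALSE;

    /* Retrieve a handle of the access token. */
    if (!OpenProcessToken(GetCurrentProcess(),
            TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
            &hToken)) {
        ErrorHandler("OpenProcessToken");
        return FALSE;
    }

    /*
     * Enable the SE_TAKE_OWNERSHIP_NAME privilege or
     * disable all privileges, depending on the fEnable
     * flag.
     */
    if (fEnable) {
        if (!LookupPrivilegeValue((LPSTR) NULL,
                SE_TAKE_OWNERSHIP_NAME,
                &TakeOwnershipValue)) {
            ErrorHandler("LookupPrivilegeValue");
            goto cleanup;
        }
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Luid = TakeOwnershipValue;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        fAdjusted = AdjustTokenPrivileges(hToken,
            FALSE,
            &tkp,
            sizeof(TOKEN_PRIVILEGES),
            (PTOKEN_PRIVILEGES) NULL,
            (PDWORD) NULL);
    }
    else {
        fAdjusted = AdjustTokenPrivileges(hToken,
            TRUE,   /* disable all privileges */
            (PTOKEN_PRIVILEGES) NULL,
            (DWORD) 0,
            (PTOKEN_PRIVILEGES) NULL,
            (PDWORD) NULL);
    }

    /*
     * A nonzero return from AdjustTokenPrivileges is not sufficient: the
     * call also succeeds when the token does not hold the requested
     * privilege, in which case the last error is ERROR_NOT_ALL_ASSIGNED.
     * Read the last error immediately, before any other API call, and
     * require both a successful return and ERROR_SUCCESS.
     */
    dwError = GetLastError();
    if (!fAdjusted || dwError != ERROR_SUCCESS) {
        ErrorHandler("AdjustTokenPrivileges");
        goto cleanup;
    }
    fResult = TRUE;

cleanup:
    /* The original sample never released the token handle. */
    CloseHandle(hToken);
    return fResult;
}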