Monday 28 February 2005

How to set the owner of an object in Windows XP

Normally, in Windows NT-family security, you cannot set the owner of a secured object (such as a file or folder, or a registry key) to someone else – you can only take ownership for yourself or a group you’re a member of. If you’re unprivileged you can only take ownership if the Discretionary Access Control List (DACL) gives you permission to take ownership. There is also a privilege – SE_TAKE_OWNERSHIP_NAME – which allows you to take ownership even if you’re not permitted in the DACL. By default this privilege is assigned only to the Administrators group.

This ability to take ownership is in marked contrast to Unix where administrators can set ownership, but users cannot take it.

But what if you want to set ownership to a different user? If you try to execute this without any additional privileges, under I think any security principal, you’ll get an error. If you (like me) were using ADsSecurityUtility, it’ll be encapsulated in an HRESULT, code -2147023589 (0x8007051b). Anyone familiar with HRESULTs will recognise the 0x8007 high word as representing SEVERITY_ERROR | FACILITY_WIN32, i.e. a Win32 error code encoded as an HRESULT, so we can look up 0x51b = 1307 in WinError.h which is ERROR_INVALID_OWNER, “This security ID may not be assigned as the owner of this object.”
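The decoding described above, as an added example that is not code from the original post: it parses an HRESULT in the signed-decimal or hex form a tool reports, splits out severity, facility and code, and names the Win32 error when the facility is FACILITY_WIN32. The function and type names are made up for this example, and the two codes besides 1307 are related WinError.h values that the post does not mention.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* HRESULT fields: bit 31 = severity, facility above the 16-bit code. */
typedef struct {
    uint32_t raw;
    int failed;         /* 1 when the severity bit is set */
    unsigned facility;  /* 7 = FACILITY_WIN32 */
    unsigned code;      /* low word; a Win32 error code when facility is 7 */
} hresult_fields;

/* Parse an HRESULT as tools print it: signed decimal ("-2147023589")
   or hex ("0x8007051b"). Returns 0 on success, -1 on malformed input. */
int parse_hresult(const char *text, hresult_fields *out) {
    char *end;
    errno = 0;
    long long v = strtoll(text, &end, 0);
    if (errno || end == text || *end != '\0' || v < INT32_MIN || v > UINT32_MAX)
        return -1;
    out->raw = (uint32_t)v;  /* a negative value wraps to its 32-bit pattern */
    out->failed = (int)(out->raw >> 31);
    out->facility = (out->raw >> 16) & 0x1FFFu;  /* same mask as HRESULT_FACILITY */
    out->code = out->raw & 0xFFFFu;
    return 0;
}

/* Names for a few Win32 codes seen with ownership and privilege failures. */
const char *win32_name(unsigned code) {
    switch (code) {
    case 1300: return "ERROR_NOT_ALL_ASSIGNED";
    case 1307: return "ERROR_INVALID_OWNER";
    case 1314: return "ERROR_PRIVILEGE_NOT_HELD";
    default:   return NULL;
    }
}

/* Win32 name if h is a failed FACILITY_WIN32 HRESULT, otherwise NULL. */
const char *hresult_win32_name(const hresult_fields *h) {
    return (h->failed && h->facility == 7u) ? win32_name(h->code) : NULL;
}

int main(void) {
    hresult_fields h;
    if (parse_hresult("-2147023589", &h) != 0) return 1;
    printf("0x%08x -> %s\n", (unsigned)h.raw, hresult_win32_name(&h));
    return 0;
}
```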

Looking this error code up in a search engine shows that other people have had this problem before, and reveals the fix: if you have the SE_RESTORE_NAME privilege enabled, you’re permitted to set the owner of a secured object. This makes sense, as you want restored data to have the same owner as it did when it was backed up.

Privileges come in two types – those which are enabled by default if they are permitted to a user (or a group of which the user is a member), and those which are disabled by default. For some privileges of the latter type, the Win32 APIs that require them enable them automatically. SE_RESTORE_NAME is not one of these; you must call AdjustTokenPrivileges to enable the privilege if it is not already enabled.

By default, only the Administrators and Backup Operators groups have the SE_BACKUP_NAME and SE_RESTORE_NAME privileges. You can modify this and other privileges through Group Policy – for your own machine use the Local Security Policy shortcut in Administrative Tools. It’s really not recommended to modify these settings unless you’re absolutely certain you know what you’re doing. If you must, see under Security Settings > Local Policies > User Rights Assignment.
