Monday 28 February 2005

MS Press, what are you thinking?

It looks like a couple of Jeffrey Richter’s classic and essential Windows programming books have gone out of print:

The .NET Framework and the C# programming language have huge productivity benefits, but there are times when you still need to get close to the metal. When you do, you need the best training possible. If you need to do it, those two books and Windows Internals, 4th Ed. are your best guide – IMO – to understanding what’s happening and how to make best use of the facilities at your disposal.

How to set the owner of an object in Windows XP

Normally, in Windows NT-family security, you cannot set the owner of a secured object (such as a file or folder, or a registry key) to someone else – you can only take ownership for yourself or a group you’re a member of. If you’re unprivileged you can only take ownership if the Discretionary Access Control List (ACL) gives you permission to take ownership. There is also a privilege – SE_TAKE_OWNERSHIP_NAME – which allows you to take ownership even if you’re not permitted in the ACL. This privilege is normally and by default only assigned to the Administrators group.

This ability to take ownership is in marked contrast to Unix where administrators can set ownership, but users cannot take it.

But what if you want to set ownership to a different user? If you try to execute this without any additional privileges, under I think any security principal, you’ll get an error. If you (like me) were using ADsSecurityUtility, it’ll be encapsulated in an HRESULT, code -2147023589 (0x8007051b). Anyone familiar with HRESULTs will recognise the 0x8007 high word as representing SEVERITY_ERROR | FACILITY_WIN32, i.e. a Win32 error code encoded as an HRESULT, so we can look up 0x51b = 1307 in WinError.h which is ERROR_INVALID_OWNER, “This security ID may not be assigned as the owner of this object.”

Looking this error code up in a search engine reveals the problem, that other people have had this problem before, and the fix. If you have the SE_RESTORE_NAME privilege enabled you’re permitted to set the owner of a secured object. Which makes sense, really, as you want restored data to have the same owner as it did when it was backed up.

Privileges come in two types – those which are enabled by default if they are permitted to a user (or a group of which the user is a member), and those which are disabled by default. Of the latter type, some Win32 APIs enable the privileges they require automatically. SE_RESTORE_NAME is not one; you must call AdjustTokenPrivileges to enable the privilege if not already enabled.

By default the Administrators and Backup Operators groups only have the SE_BACKUP_NAME and SE_RESTORE_NAME privileges. You can modify this and other privileges through Group Policy – for your own machine use the Local Security Policy shortcut in Administrative Tools. It’s really not recommended to modify these settings unless you’re absolutely certain you know what you’re doing. If you must, see under Security Settings > Local Policies > User Rights Assignment.

Sunday 6 February 2005

What a lovely birthday present

To whoever broke my driver’s door mirror, and didn’t leave a note:

Thanks for the wonderful birthday present. No, really. NOT!

I’m more annoyed because this time it’s not my fault.

My theory is that someone was going too fast down my road and got a bit close. It’s not as if they wouldn’t notice: the actual mirror is fine – still reflects the road behind me. It’s the fact that the only thing now holding it onto the car is a single clip on the facing plate – oh, and about two feet of gaffer tape. When I found it this morning it was basically hanging on by the three springs used to adjust the position. It might be possible to superglue it but I’ll try that at work tomorrow – I’m not standing out in the road doing it now. In future I’ll have to remember to tuck the mirrors in when I leave it. No-one else in the road seems to.

Part of the problem is that the end of what seems a fairly major road, just before it turns into the very major road, is in fact a bus lane – for all of about 50m – and is closed off to regular traffic, and the only warning of this is the sign a couple of metres before telling people to turn into my road. As a result this road is much busier than it should be.

(I’m 27.)