INFO: Reading/Modifying DACL of a File or Folder with Backup and Restore Privileges

ID: Q240184

The information in this article applies to:
  • Microsoft Win32 Application Programming Interface (API), included with:
    • Microsoft Windows NT 4.0
    • Microsoft Windows 2000

SUMMARY

Backup applications can use BackupRead() and BackupWrite() to backup and restore security descriptor information of a file or a folder like a standard data stream. However, if backup applications need to manipulate the security descriptor information on a file or a folder, the access control APIs can be used after opening the corresponding file or folder in backup mode. This article explains how a backup application can use backup and restore privileges for manipulating the owner, group, and discretionary access-control list (DACL) of the security descriptor associated with a file or a folder.


MORE INFORMATION

For reading or modifying the owner, group, and DACL of the security descriptor associated with a file or a folder, one needs READ_CONTROL, WRITE_OWNER, WRITE_DAC standard access rights. The system will grant these standard access rights if you have reading security permissions explicitly granted the respective access in the DACL or is the owner of the corresponding file or folder. However, the system can override these file security checks if the calling process has SE_BACKUP_NAME and SE_RESTORE_NAME privileges granted and enabled. These privileges are granted to Backup Operators by default for performing backup and restore operations.

GetFileSecurity() or high level access control APIs do not provide a mechanism for the application to select how a file or a folder is to be opened. However if the SE_BACKUP_NAME privilege is granted and enabled in the calling process access token, an application can use CreateFile()/GetKernelObjectSecurity() pair for analyzing the security information. To open a file or a folder for reading the OWNER or GROUP or DACL information, an application can call CreateFile() API with the following dwDesiredAccess and dwFlagsAndAttributes parameters.


    hFile = CreateFile(fileName,
                READ_CONTROL,
                0,
                NULL,
                OPEN_EXISTING,
                FILE_FLAG_BACKUP_SEMANTICS,
                NULL);

The handle obtained from CreateFile() can then be used in GetKernelObjectSecurity() API call for reading the OWNER, GROUP or DACL information. For reading the system access-control list (SACL) of a file or a folder, the application needs to include access system security (ACCESS_SYSTEM_SECURITY) bit in dwDesiredAccess parameter when calling CreateFile() API.

Similarly, the security information of a file or a folder can be modified if the SE_RESTORE_NAME privilege is granted and enabled in the calling process access token. An application can use CreateFile()/SetKernelObjectSecurity() pair for modifying the security information. To open a file or a folder for modifying the security information, an application can call CreateFile() API with the following dwDesiredAccess and dwFlagsAndAttributes parameters.

    hFile = CreateFile(fileName,
                WRITE_OWNER|WRITE_DAC,
                0,
                NULL,
                CREATE_ALWAYS,
                FILE_FLAG_BACKUP_SEMANTICS,
                NULL);
The handle obtained from CreateFile() can then be used to call SetKernelObjectSecurity() API for modifying the security information in the corresponding file or folder.

Additional query words:

Keywords : kbAccCtrl kbAPI kbFileIO kbKernBase kbNTOS400 kbWinOS2000 kbSecurity kbDSupport kbGrpKernBase
Version : winnt:4.0
Platform : winnt
Issue type : kbinfo


Last Reviewed: October 25, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.