ImpersonateLoggedOnUser and SetFileAttributes
- From: "Sebastian Bargmann" <sorry@xxxxxxx>
- Date: Tue, 26 Sep 2006 20:05:59 +0200
Hi,
I'm having some trouble with impersonating and SetFileAttributes. I'm
getting access, but I shouldn't!
I have created a file with only one ACE defined, granting r/w access to a
normal user (i.e. non-admin).
The local administrator is correctly denied access if he tries to change
file attributes from explorer. If he calls SetFileAttributes he's also
denied access.
If I try SetFileAttributes with LocalSystem, I get access denied.
But if LocalSystem impersonates local administrator and calls
SetFileAttributes, access is granted (which it shouldn't be!) and
SetFileAttributes is successful.
The code looks like this (error checking and cleanup omitted for brevity):
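<code>
HANDLE token = NULL;
// LogonUserW takes wide-character strings.
LogonUserW(L"administrator", NULL, L"password",
    LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, &token);
// The calling thread (running as LocalSystem) now impersonates the administrator.
ImpersonateLoggedOnUser(token);
// Expected to fail with access denied; the call succeeds instead.
SetFileAttributes(fileName, FILE_ATTRIBUTE_READONLY);
</code>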
This happens on both XP and Win2K.
What am I missing??
Thanks,
Sebastian Bargmann
(sorry about the crosspost to platformsdk.security)