Adding XP in another partition users into Vi$ta

  • Thread starter: Man-wai Chang ToDie (33.6k)
Can you confirm this? It was my understanding that you can
only grant the permission for another to take ownership and
not simply assign ownership to another (for auditing purposes
to avoid someone taking ownership, making nefarious changes
and then assigning ownership to a scapegoat).

....again, this was from the W2K link - but I don't see why
that would change in Vista (unless they've improved on the
audit trail).
 
It's not just from IE ... it is any non-elevated program. The problem is
kind of interesting.

The actual ACL entry on the root drive is:

Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)

Which means the label should only be applied to files that are created
beneath the root drive one level deep, with a no-write-up policy.

So the root drive itself has no label... theoretically, you should be able
to give yourself permission and create files.

But if you do that and try to create a file, you will get the error "A
required privilege is not held by the client."

Hmm... interesting. Ah... there is a security policy that says a process
cannot create a securable object that has a higher integrity than the
process, unless it has the SE_RELABEL_NAME privilege.

So it looks like it's failing because of that.

- JB
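As an added illustration (not part of JB's post), the script below reads the mandatory label that icacls reports for a path, decodes the (OI)(NP)(IO)(NW) flags quoted above, and compares it with the integrity level of the current process, so you can see why an inherit-only label on the root does not protect the root itself. It assumes icacls.exe and whoami.exe are present, as on any standard Windows install.

```powershell
# Added example (not from the thread): inspect the mandatory (integrity) label
# icacls prints for a path, e.g.
#   Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)
# and decode the flags JB quotes. Assumes icacls.exe and whoami.exe exist.

$FlagMeaning = @{
    'OI' = 'object inherit: applies to files created beneath this object'
    'CI' = 'container inherit: applies to subdirectories created beneath it'
    'NP' = 'no propagate: inherited one level deep only'
    'IO' = 'inherit only: does NOT apply to this object itself'
    'NW' = 'no write up: lower-integrity processes cannot write here'
    'NR' = 'no read up'
    'NX' = 'no execute up'
}

function Get-MandatoryLabel {
    param([Parameter(Mandatory)][string]$Path)
    # icacls prints one ACE per line; the label ACE (if any) names level and flags.
    $text = (& icacls.exe $Path 2>&1) -join "`n"
    $m = [regex]::Match($text,
        'Mandatory Label\\(?<level>\w+) Mandatory Level:(?<flags>(?:\([A-Z]+\))+)')
    if (-not $m.Success) {
        # No explicit label ACE: Windows treats the object as Medium integrity.
        return [pscustomobject]@{ Path = $Path; Level = 'Medium (implicit)'
                                  Flags = @(); AppliesToSelf = $true }
    }
    $flags = [regex]::Matches($m.Groups['flags'].Value, '\(([A-Z]+)\)') |
             ForEach-Object { $_.Groups[1].Value }
    [pscustomobject]@{
        Path          = $Path
        Level         = $m.Groups['level'].Value
        Flags         = $flags
        # An inherit-only (IO) ACE constrains children, not the object itself,
        # which is why the root drive "has no label" in JB's description.
        AppliesToSelf = ($flags -notcontains 'IO')
    }
}

function Get-ProcessIntegrity {
    # whoami /groups lists the token's integrity level as a "Mandatory Label\..." entry.
    $line = @(& whoami.exe /groups | Where-Object { $_ -match 'Mandatory Label\\' })[0]
    if ($line -and $line -match 'Mandatory Label\\(\w+) Mandatory Level') { return $Matches[1] }
    'Unknown'
}

$label = Get-MandatoryLabel -Path 'C:\'
$label | Format-List
foreach ($f in $label.Flags) { '{0,-3} {1}' -f $f, $FlagMeaning[$f] }
"This process runs at: $(Get-ProcessIntegrity) integrity"
```

Run it once from a normal shell and once from an elevated one: the label on the path is the same, but the reported process integrity changes, which is the comparison the "required privilege is not held" error is made on.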
 
It was this bit that got me thinking that...

"The Owner tab shown in Figure 12.19 has no option for giving ownership to
another individual. If that were possible, an unscrupulous user could take
ownership, do something wrong, and then cover his tracks by giving ownership
to someone else. To prevent that from happening, the operating system does
not support a give ownership operation at any level: not in the user
interface, not in application programming interfaces. It is true that a
program can write new information in the Owner field of an object's security
descriptor if the process has WRITE_OWNER access to the object, but
WRITE_OWNER access permits the caller to change ownership only to the user
SID in the caller's access token or, if the user is a member of the
Administrators group, to the Administrators SID. Thus it is never possible
to give ownership of an object to another user. If you want to transfer
ownership of an object, you must give another user permission to take
ownership and then wait until the other user takes it."
 
The statement about there being no API to do it is just plain wrong. I guess
sometimes the left hand doesn't know what the right hand is doing :).

If Windows didn't support some mechanism for allowing a group of users to
set the owner on a file, the Windows backup program could not correctly
restore backups.

One can always remove this capability by not granting Administrators the
restore privilege.

- JB
 