Taking Ownership Fails With UNC Path, Works Locally!?! Why?

Security
Published Jul 28, 2010 Updated Jul 14, 2019

Here is an interesting tidbit related to Windows security:

Create a test file share, e.g. C:\temp\test, and share it with full permissions for everyone (share, not NTFS permissions) as “test”
Create the following directory hierarchy below the share: C:\temp\test\1\2\3\4
Assign ownership of the four folders 1, 2, 3 and 4 to any user (but do not use your own account, just anyone else’s)
Set permissions on 1, 2, 3 and 4 that only the user from the previous step has full access, nobody else, not even the SYSTEM
Now try to use SetACL to change the owner of directory “4” over the network (SetACL uses backup and restore privileges so this should be no problem) by issuing the following command locally:
setacl -on \localhost\test\1\2\3\4 -ot file -actn setowner -ownr n:domain\administrator
SetACL will fail with access denied (full message: “ERROR: Writing SD to <\?\UNC\localhost\test\1\2\3\4> failed with: Access is denied.”)
Now issue the same command, but instead of using a UNC path use the local drive letter:
setacl -on c:\temp\test\1\2\3\4 -ot file -actn setowner -ownr n:domain\administrator
That works!

Why is this so? I have no clue.

This is also documented in the FAQ for SetACL.

CodeProject Permissions Security SetACL

Comments

Comments are powered by Giscus. Please enable JavaScript to view them, or view discussions directly on GitHub.

Related Posts

What is the SYNCHRONIZE File Access Right?

When dealing with Windows NTFS file system permissions, one quickly encounters the SYNCHRONIZE access right, the purpose of which may not be obvious. SYNCHRONIZE belongs to the standard access rights, just like DELETE, READ_CONTROL, WRITE_DAC and WRITE_OWNER.

Software development

Windows 7 Default HKCU Registry Permissions

This is a complete listing of all Windows 7 HKEY_CURRENT_USER registry permissions. The list was generated on a 32-bit installation with SetACL. More default permission listings can be found here.

How Forcing Password Changes Actually Weakens Security

How Forcing Password Changes Actually Weakens Security

When was the last time you got that not too friendly message stating that your password has expired and asking you to change it? Probably only a few weeks ago, and just as sure as day follows night, it is going to appear again only too soon. At least that is the typical user’s point of view. Security conscious administrators see this differently: they seem to think that passwords become weaker over time, like human beings growing old, and therefore force a rejuvenation process every couple of weeks. But is that really necessary? I do not think so.

Blocking Office Macros, Managing Windows & macOS via Intune

Blocking Office Macros, Managing Windows & macOS via Intune

How to centrally manage essential security settings of self-managed devices This is a guest post by Martin Kretzschmar, customer success engineer at vast limits, the uberAgent company. One thing I especially like about my everyday working life is the flexibility it offers. I appreciate the freedom of choice in terms of location, time and device. We want to avoid getting into micro-management but, being an IT company, we also need to provide the necessary security where needed.

Latest Posts

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In the first post, I showed how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In this second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In this first post, I’m showing how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In a second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.

Scripted WordPress to Hugo Migration

Scripted WordPress to Hugo Migration

After having published in WordPress for almost 20 years, it was time for a change. This site is now rendered by Hugo, a static website generator built for Markdown content hosted in a Git repository. The migration from WordPress (HTML) to Hugo (Markdown) was far from trivial. Since I couldn’t find any tool for the job, I developed my own set of migration scripts that fully automate the migration process. You can find them on GitHub along with extensive documentation.

Mitsubishi Heat Pump Data in Home Assistant via Modbus

Mitsubishi Heat Pump Data in Home Assistant via Modbus

This article shows how to get detailed information about your Mitsubishi heat pump’s status and operations into Home Assistant. Prerequisites You’ll need a Mitsubishi Modbus interface, either the older A1M (serial Modbus/RTU via RS-485 only) or the newer A1M+ (Modbus/TCP via Ethernet in addition to Modbux/RTU). I’m using the Ethernet variant.

Home Automation, Networking & Self-Hosting