Taking Ownership Fails With UNC Path, Works Locally!?! Why?

Security
Published Jul 28, 2010 Updated Jul 14, 2019

Here is an interesting tidbit related to Windows security:

Create a test file share, e.g. C:\temp\test, and share it with full permissions for everyone (share, not NTFS permissions) as “test”
Create the following directory hierarchy below the share: C:\temp\test\1\2\3\4
Assign ownership of the four folders 1, 2, 3 and 4 to any user (but do not use your own account, just anyone else’s)
Set permissions on 1, 2, 3 and 4 that only the user from the previous step has full access, nobody else, not even the SYSTEM
Now try to use SetACL to change the owner of directory “4” over the network (SetACL uses backup and restore privileges so this should be no problem) by issuing the following command locally:
setacl -on \localhost\test\1\2\3\4 -ot file -actn setowner -ownr n:domain\administrator
SetACL will fail with access denied (full message: “ERROR: Writing SD to <\?\UNC\localhost\test\1\2\3\4> failed with: Access is denied.”)
Now issue the same command, but instead of using a UNC path use the local drive letter:
setacl -on c:\temp\test\1\2\3\4 -ot file -actn setowner -ownr n:domain\administrator
That works!

Why is this so? I have no clue.

This is also documented in the FAQ for SetACL.

CodeProject Permissions Security SetACL

Comments

Comments are powered by Giscus. Please enable JavaScript to view them, or view discussions directly on GitHub.

Related Posts

Top 10 IT Security Tips for Individual Users

Top 10 IT Security Tips for Individual Users

This is a list of simple things that will protect you from nearly all the real-world IT security issues affecting individuals and SOHO users. 1. Install All the Updates What Should You Do? Enable automatic updates wherever possible Don’t use obsolete software versions Why Is It Important? Older software versions often have known security issues for which exploits are readily available. This means that even script kiddies can easily attack large numbers of users.

Blocking Office Macros, Managing Windows & macOS via Intune

Blocking Office Macros, Managing Windows & macOS via Intune

How to centrally manage essential security settings of self-managed devices This is a guest post by Martin Kretzschmar, customer success engineer at vast limits, the uberAgent company. One thing I especially like about my everyday working life is the flexibility it offers. I appreciate the freedom of choice in terms of location, time and device. We want to avoid getting into micro-management but, being an IT company, we also need to provide the necessary security where needed.

Finding (Executables in) User-Writeable Directories

Finding (Executables in) User-Writeable Directories

This article presents two different detection types for insecure filesystem permissions on Windows endpoints: scanning for directories that are user-writable, and detecting processes that are started from user-writeable directories. Directory Scan With ListUserWriteableDirectories & SetACL My ListUserWriteableDirectories script is an implementation of the first detection type: it scans the filesystem listing any permissions not known to be safe.

Permissions: A Primer, or: DACL, SACL, Owner, SID and ACE Explained

Updated: 2021-06-22 Every object that can have a security descriptor (SD) is a securable object that may be protected by permissions. All named and several unnamed Windows objects are securable and can have SDs, although this is not widely known. There does not even exist a GUI for manipulating the SDs of many object types! Have you ever tried to kill a system process in Task Manager and got the message “Access denied”? This is due to the fact that this process’ SD does not allow even administrators to kill the process. But it is, of course, possible, as an administrator, to obtain the necessary permissions, provided a GUI or some other tool is available.

Windows Internals

Latest Posts

Changing the Location of PowerShell Profile Scripts

A PowerShell profile is an init script that is executed when the shell starts. PowerShell searches for profile scripts in hard-coded locations. This article explains how to move profile scripts to any directory of your choice.

Changing the Location of the Windows Terminal Settings Files

Changing the Location of the Windows Terminal Settings Files

Windows Terminal stores its settings in configuration files that resides in the Windows user profile. This article explains how to move them to any directory of your choice. Where are the Settings Files Located? The location of the Windows Terminal settings file is hard-coded. The exact path depends on the app variant you installed, but it’s always in the user profile:

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In the first post, I showed how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In this second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In this first post, I’m showing how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In a second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.