Taking Ownership Fails With UNC Path, Works Locally!?! Why?
Here is an interesting tidbit related to Windows security:
- Create a test file share, e.g. C:\temp\test, and share it with full permissions for everyone (share, not NTFS permissions) as “test”
- Create the following directory hierarchy below the share: C:\temp\test\1\2\3\4
- Assign ownership of the four folders 1, 2, 3 and 4 to any user (but do not use your own account, just anyone else’s)
- Set permissions on 1, 2, 3 and 4 that only the user from the previous step has full access, nobody else, not even the SYSTEM
- Now try to use SetACL to change the owner of directory “4” over the network (SetACL uses backup and restore privileges so this should be no problem) by issuing the following command locally:
setacl -on \\localhost\test\1\2\3\4 -ot file -actn setowner -ownr n:domain\administrator - SetACL will fail with access denied (full message: “ERROR: Writing SD to <\\?\UNC\localhost\test\1\2\3\4> failed with: Access is denied.”)
- Now issue the same command, but instead of using a UNC path use the local drive letter:
setacl -on c:\temp\test\1\2\3\4 -ot file -actn setowner -ownr n:domain\administrator - That works!
Why is this so? I have no clue.
This is also documented in the FAQ for SetACL.
3 Comments
Hi Helge,With respect, this could have something to do with the way you've coded setacl, and is no different to some of the challenges with other Microsoft tools.Moving forward, since Windows 2003 SP2 + hotfix KB947870, I've been using combinations of takeown.exe and icacls.exe successfully, including UNC paths, DFS locations, etc.Cheers,Jeremy.
JHouseConsulting,I just found a workaround to the issue described in the article. It is included in the code for SetACL 2.1.However, I still think that the original issue might be a bug in the API function SetNamedSecurityInfo.
:) Maybe that's the same workaround they added to icacls.exe as per hotfix KB947870.