Taking ownership of files with 'broken' permissions
I'm trying to overcome the following situation.
Given a directory stored on an NTFS volume, where:
- The directory owner is set to someone else (a non-privileged user for example)
- The directory DACL is configured to permit access to a specific group of people that does not include the system or Administrators
- The DACL on the directory actually grants no one access to either take ownership or change the DACL
(or in short, all the administrators have been locked out of the folder)
But!
- The account I am running under has administrative rights (SeBackupPrivilege, SeSecurityPrivilege)
- The existing DACL can be ignored as I am writing a new one anyway
- Using other tools (takeown.exe), I can get access to the directory in question.
(or in short, I have access to fix the DACL/owner)
I should have no problem with the following code:
```csharp
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

WindowsIdentity privilegedUser = System.Security.Principal.WindowsIdentity.GetCurrent();

// I cannot use File.GetAccessControl() as I get access denied
// (working as intended! I have no access to read the ACL!)
// so I have to write a new ACL:
FileSecurity acl = new FileSecurity();
acl.SetOwner(privilegedUser.User);
acl.AddAccessRule(new FileSystemAccessRule(privilegedUser.User, FileSystemRights.FullControl, AccessControlType.Allow));

File.SetAccessControl("c:\\path\\to\\broken", acl);
```
But, the SetAccessControl call throws UnauthorizedAccessException. When I alter it to only adjust the owner, the same thing happens. When I only try to adjust the DACL, same thing.
I've verified that the issue is not UAC by checking the resulting process in Process Explorer, and verified that the Administrators group is set to "Owner" instead of "Disabled." I should have all of the necessary rights to do this (Backup Operators should be extraneous in the face of Administrators, but I added it for testing) -- but it just keeps throwing access denied.
Relevant technet documentation: http://technet.microsoft.com/en-us/library/cc783530%28WS.10%29.aspx
- "If you own an object, you can grant any user or security group any permission on that object, including the permission to take ownership."
- Ownership can be transferred in the following ways:
  - The current owner can grant the Take ownership permission to another user, allowing that user to take ownership at any time. The user must actually take ownership to complete the transfer. (Unfortunately, the owner cannot reassign ownership in this situation.)
  - An administrator can take ownership.
  - A user who has the Restore files and directories user right can assign ownership to any user or group.
- The ability to take ownership of files and other objects is another case where an administrator’s need to maintain the system takes priority over an owner’s right to control access. Normally, you can take ownership of an object only if its current owner gives you permission to do so. Owners of NTFS objects can allow another user to take ownership by granting the other user Take Ownership permission; owners of Active Directory objects can grant another user Modify Owner permission. A user who has this privilege can take ownership of an object without the current owner’s permission. By default, the privilege is assigned only to the built-in Administrators group. It is normally used by administrators to take and reassign ownership of resources when their current owner is no longer available.
What am I missing here?
Original: https://stackoverflow.com/questions/5241718