SetNamedSecurityInfo failing with rc 1307

July 24th, 2003 - 03:11 pm ET by Garfield Lewis
Hi All,

Could someone tell me why this fails with a 1307 (ERROR_INVALID_OWNER)
error? I've found a lot of references to these errors on Google but no
solutions. Actually, that is where I found the suggestion that the restore
privilege should be added (doesn't work!!!).

// If we are not the current owner of the object then take ownership.
if (!EqualSid(m_pOwnerSid,
              p_pAdminSID)) {
    m_bRC=OpenProcessToken(GetCurrentProcess(),
                           TOKEN_ADJUST_PRIVILEGES,
                           &m_pToken);

    if (!m_bRC) {
        printf("OpenProcessToken failed - rc=%lu.", GetLastError());

        goto done;
    }

    // Add the take ownership privilege to the current process.
    m_bRC=SetPrivilege(m_pToken,
                       SE_TAKE_OWNERSHIP_NAME,
                       TRUE);

    if (!m_bRC)
        goto done;

    m_bOwnerPrivilegeSet=TRUE;

    // Add the restore privilege to the current process.
    m_bRC=SetPrivilege(m_pToken,
                       SE_RESTORE_NAME,
                       TRUE);

    if (!m_bRC)
        goto done;

    m_bRestorePrivilegeSet=TRUE;

    // Set the new owner for the object
    m_dwRC=SetNamedSecurityInfo((LPSTR)p_ObjectName,
                                p_ObjectType,
                                OWNER_SECURITY_INFORMATION,
                                p_pAdminSID,
                                NULL,
                                NULL,
                                NULL);
    if (ERROR_SUCCESS != m_dwRC) {
        m_bRC=FALSE;

        printf("SetNamedSecurityInfo for owner SID failed - rc=%lu.",
               m_dwRC);

        goto done;
    }
}

The p_pAdminSID is the SID of a group (not user) that I would like to take
ownership of the object.

Garfield A. Lewis

Replies

#1 Alaa Abdelhalim [MSFT]
July 25th, 2003 - 02:57 pm ET
You can't just set any random SID to be the owner on an object through this
function.
There's an owner validity check that is performed. From MSDN, this is:

<MSDN>
The Owner ... must be a legally formed SID, and either must match the
TokenUser in Token, or match a group in the TokenGroups in Token where the
attributes on the group must include SE_GROUP_OWNER, and must not include
SE_GROUP_USE_FOR_DENY_ONLY.
</MSDN>

There are lower level API functions that allow you to bypass this check.
For example, you can retrieve the SD off of the object first and then call
SetPrivateObjectSecurityEx with the flag SEF_AVOID_PRIVILEGE_CHECK (a bit of
a misnomer for ownership) to set the owner SID to what you want by disabling
the ownership validation logic.
You would then have to stamp the SD back onto the object.


Alaa Abdelhalim [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
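
The owner validity rule quoted from MSDN in the reply above, as an added example that is not part of the thread: a portable C model (no Windows API calls) that reports which clause of the rule rejects a candidate owner SID. The types, the function name and the sample token (including the user SID and the S-1-5-21 group SID) are constructed for illustration; the two attribute values are the ones defined in winnt.h.

```c
#include <stdio.h>
#include <string.h>

/* Group attribute bits, values as defined in winnt.h. */
#define SE_GROUP_OWNER             0x00000008u
#define SE_GROUP_USE_FOR_DENY_ONLY 0x00000010u

/* Model types (hypothetical): SIDs are kept as strings for readability. */
typedef struct { const char *sid; unsigned attrs; } group_t;
typedef struct { const char *user_sid; const group_t *groups; size_t ngroups; } token_t;

typedef enum { OWNER_OK_USER, OWNER_OK_GROUP, OWNER_NOT_IN_TOKEN,
               OWNER_GROUP_NOT_OWNER, OWNER_GROUP_DENY_ONLY } owner_check_t;

/* Apply the quoted rule: the owner must be the token user, or a token group
 * carrying SE_GROUP_OWNER and not SE_GROUP_USE_FOR_DENY_ONLY. */
owner_check_t check_owner(const token_t *t, const char *sid)
{
    if (strcmp(t->user_sid, sid) == 0)
        return OWNER_OK_USER;
    for (size_t i = 0; i < t->ngroups; i++) {
        if (strcmp(t->groups[i].sid, sid) != 0)
            continue;
        if (t->groups[i].attrs & SE_GROUP_USE_FOR_DENY_ONLY)
            return OWNER_GROUP_DENY_ONLY;
        if (!(t->groups[i].attrs & SE_GROUP_OWNER))
            return OWNER_GROUP_NOT_OWNER;   /* member, but not assignable as owner */
        return OWNER_OK_GROUP;
    }
    return OWNER_NOT_IN_TOKEN;              /* the "random SID" case */
}

/* Constructed sample token: 0x7 = mandatory | enabled by default | enabled. */
static const group_t sample_groups[] = {
    { "S-1-5-32-544", 0x7u | SE_GROUP_OWNER },               /* BUILTIN\Administrators */
    { "S-1-5-32-545", 0x7u },                                /* BUILTIN\Users */
    { "S-1-5-21-1-2-3-2001", SE_GROUP_USE_FOR_DENY_ONLY },   /* constructed group */
};
const token_t sample_token = { "S-1-5-21-1-2-3-1001", sample_groups, 3 };

int main(void)
{
    const char *candidates[] = { "S-1-5-21-1-2-3-1001", "S-1-5-32-544",
                                 "S-1-5-32-545", "S-1-5-21-1-2-3-2001",
                                 "S-1-5-21-1-2-3-3001" };
    for (size_t i = 0; i < 5; i++)
        printf("%-22s -> %d\n", candidates[i],
               (int)check_owner(&sample_token, candidates[i]));
    return 0;
}
```

Any result other than OWNER_OK_USER or OWNER_OK_GROUP corresponds to the case the reply describes, where the owner validity check rejects the SID.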


