Can't get SACL


akhin
July 7th, 2007, 10:27 AM
I can't get the SACL of an existing file on my system with this code.

GetNamedSecurityInfo returns 0 (ERROR_SUCCESS), which means
there is no error in its execution, but pSACL still becomes 0x00000000
and IsValidAcl(pSACL) returns FALSE.



#include <windows.h>
#include <aclapi.h>
#include <stdio.h>

/* Enable one privilege (here SE_SECURITY_NAME) in the current process token.
 * Returns ERROR_SUCCESS, or ERROR_NOT_ALL_ASSIGNED when the token does not
 * hold the privilege at all (a non-admin token never holds SeSecurityPrivilege). */
unsigned long enable_privilege(LPCTSTR priv)
{
    HANDLE token = INVALID_HANDLE_VALUE;
    BOOL status = OpenProcessToken(
        GetCurrentProcess(),
        TOKEN_ADJUST_PRIVILEGES,
        &token
    );
    if( !status )
    {
        return GetLastError();
    }

    /* TOKEN_PRIVILEGES already carries room for one LUID_AND_ATTRIBUTES,
     * so no extra buffer is needed for a single privilege. */
    TOKEN_PRIVILEGES privs;
    ZeroMemory(&privs, sizeof(privs));

    status = LookupPrivilegeValue(
        NULL,
        priv,
        &privs.Privileges[0].Luid
    );
    if( !status )
    {
        unsigned long err = GetLastError();
        CloseHandle(token);
        return err;
    }

    privs.PrivilegeCount = 1;
    privs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    AdjustTokenPrivileges(
        token,
        FALSE,   // do not disable all
        &privs,
        0,       // zero buffer for prev state
        NULL,    // prev state don't care
        NULL     // no sink for returned prev state size
    );

    /* AdjustTokenPrivileges returns TRUE even when it assigned nothing, so the
     * real result is GetLastError(): ERROR_SUCCESS or ERROR_NOT_ALL_ASSIGNED. */
    unsigned long result = GetLastError();

    CloseHandle(token);

    return result;
}


int main(void)
{
    PACL pSACL = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;

    unsigned long returnValue;

    /* Reading a SACL requires SeSecurityPrivilege to be enabled; without it
     * GetNamedSecurityInfo fails with ERROR_PRIVILEGE_NOT_HELD. */
    returnValue = enable_privilege(SE_SECURITY_NAME);
    if( returnValue != ERROR_SUCCESS )
        printf("enable_privilege FAILED , ERROR CODE : %lu\n", returnValue);

    returnValue = GetNamedSecurityInfoA(
        "D:\\aa.txt",               // object name
        SE_FILE_OBJECT,             // object type
        SACL_SECURITY_INFORMATION,  // information type
        NULL,                       // owner SID
        NULL,                       // primary group SID
        NULL,                       // DACL
        &pSACL,                     // SACL (points into pSD)
        &pSD);                      // SD, to be released with LocalFree

    /* On success pSACL is NULL when the descriptor has no SACL, and
     * IsValidAcl(NULL) returns FALSE, so this prints error code 0. */
    if(!IsValidAcl(pSACL))
        printf("FAILED , ERROR CODE : %lu\n\n", returnValue);

    if( pSD != NULL )
        LocalFree(pSD);

    return 0;
}

LoveCPlusplus
July 18th, 2007, 05:10 AM
I think it simply means there is no SACL in the SD.

If the method GetSecurityDescriptorSacl() is called, you will find that the present flag is 0.

However, if the file is changed to "c:\windows\system32\kernel32.dll", for example, although pSACL is NULL again, the method GetSecurityDescriptorSacl() sets the present flag to 1. From MSDN, it means that a NULL SACL is present.

The SACL controls how the system audits attempts to access the object. If there is no auditing, then there should be no SACL present.

I guess if the file "D:\aa.txt" is enabled for auditing, you should be able to retrieve a non-null pointer to the SACL.

Please correct me if I am wrong.