![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to takeown.c CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [WindowsNT SDKs] / mstools / samples / takeown|
Return to takeown.c CVS log | Up to [WindowsNT SDKs] / mstools / samples / takeown |
1.1 root 1: /*++
2:
3: Copyright (c) 1992 Microsoft Corporation
4:
5: Module Name:
6:
7: Takeown.c
8:
9: Abstract:
10:
11: Implements a recovery scheme to give an Administrator access to a
12: file that has been denied to all.
13:
14: Author:
15:
16: Robert Reichel (robertre) 22-Jun-1992
17:
18: Environment:
19:
20: Must be run from an Administrator account in order to perform
21: reliably.
22:
23: Revision History:
24:
25:
26: --*/
27: #include <windows.h>
28: #include <stdio.h>
29: #include <malloc.h>
30:
31: BOOL
32: AssertTakeOwnership(
33: HANDLE TokenHandle
34: );
35:
36: BOOL
37: GetTokenHandle(
38: PHANDLE TokenHandle
39: );
40:
41: BOOL
42: VariableInitialization();
43:
44:
45:
46:
47: PSID AliasAdminsSid = NULL;
48: PSID SeWorldSid;
49:
50: static SID_IDENTIFIER_AUTHORITY SepNtAuthority = SECURITY_NT_AUTHORITY;
51: static SID_IDENTIFIER_AUTHORITY SepWorldSidAuthority = SECURITY_WORLD_SID_AUTHORITY;
52:
53:
54:
55:
56: void main (int argc, char *argv[])
57: {
58:
59:
60: BOOL Result;
61: LPSTR lpFileName;
62: SECURITY_DESCRIPTOR SecurityDescriptor;
63: HANDLE TokenHandle;
64:
65:
66: //
67: // We expect a file...
68: //
69: if (argc <= 1) {
70:
71: printf("Must specify a file name");
72: return;
73: }
74:
75:
76: lpFileName = argv[1];
77:
78:
79: Result = VariableInitialization();
80:
81: if ( !Result ) {
82: printf("Out of memory\n");
83: return;
84: }
85:
86:
87:
88:
89: Result = GetTokenHandle( &TokenHandle );
90:
91: if ( !Result ) {
92:
93: //
94: // This should not happen
95: //
96:
97: printf("Unable to obtain the handle to our token, exiting\n");
98: return;
99: }
100:
101:
102:
103:
104:
105:
106: //
107: // Attempt to put a NULL Dacl on the object
108: //
109:
110: InitializeSecurityDescriptor( &SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION );
111:
112:
113: Result = SetSecurityDescriptorDacl (
114: &SecurityDescriptor,
115: TRUE,
116: NULL,
117: FALSE
118: );
119:
120:
121:
122: if ( !Result ) {
123: printf("SetSecurityDescriptorDacl failed, error code = %d\n", GetLastError());
124: printf("Exiting\n");
125: return;
126: }
127:
128: Result = SetFileSecurity(
129: lpFileName,
130: DACL_SECURITY_INFORMATION,
131: &SecurityDescriptor
132: );
133:
134: if ( Result ) {
135:
136: printf("Successful, protection removed\n");
137: return;
138: }
139:
140:
141: //
142: // That didn't work.
143: //
144:
145:
146: //
147: // Attempt to make Administrator the owner of the file.
148: //
149:
150:
151: Result = SetSecurityDescriptorOwner (
152: &SecurityDescriptor,
153: AliasAdminsSid,
154: FALSE
155: );
156:
157: if ( !Result ) {
158: printf("SetSecurityDescriptorOwner failed, lasterror = %d\n", GetLastError());
159: return;
160: }
161:
162:
163: Result = SetFileSecurity(
164: lpFileName,
165: OWNER_SECURITY_INFORMATION,
166: &SecurityDescriptor
167: );
168:
169: if ( !Result ) {
170:
171:
172: //
173: // That didn't work either.
174: //
175:
176:
177:
178: //
179: // Assert TakeOwnership privilege, then try again. Note that
180: // since the privilege is only enabled for the duration of
181: // this process, we don't have to worry about turning it off
182: // again.
183: //
184:
185: Result = AssertTakeOwnership( TokenHandle );
186:
187: if ( !Result ) {
188: printf("Could not enable SeTakeOwnership privilege\n");
189: printf("Log on as Administrator and try again\n");
190: return;
191: }
192:
193:
194: Result = SetFileSecurity(
195: lpFileName,
196: OWNER_SECURITY_INFORMATION,
197: &SecurityDescriptor
198: );
199:
200: if ( !Result ) {
201:
202: printf("Unable to assign Administrator as owner\n");
203: printf("Log on as Administrator and try again\n");
204: return;
205:
206: }
207: }
208:
209: //
210: // Try to put a benign DACL onto the file again
211: //
212:
213: Result = SetFileSecurity(
214: lpFileName,
215: DACL_SECURITY_INFORMATION,
216: &SecurityDescriptor
217: );
218:
219: if ( !Result ) {
220:
221: //
222: // This should not happen.
223: //
224:
225: printf("SetFileSecurity unexpectedly failed, error code = %d\n", GetLastError());
226:
227: } else {
228:
229: printf("Successful, protection removed\n");
230: return;
231: }
232: }
233:
234:
235:
236:
237:
238: BOOL
239: GetTokenHandle(
240: PHANDLE TokenHandle
241: )
242: //
243: // This routine will open the current process and return
244: // a handle to its token.
245: //
246: // These handles will be closed for us when the process
247: // exits.
248: //
249: {
250:
251: HANDLE ProcessHandle;
252: BOOL Result;
253:
254: ProcessHandle = OpenProcess(
255: PROCESS_QUERY_INFORMATION,
256: FALSE,
257: GetCurrentProcessId()
258: );
259:
260: if ( ProcessHandle == NULL ) {
261:
262: //
263: // This should not happen
264: //
265:
266: return( FALSE );
267: }
268:
269:
270: Result = OpenProcessToken (
271: ProcessHandle,
272: TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
273: TokenHandle
274: );
275:
276: if ( !Result ) {
277:
278: //
279: // This should not happen
280: //
281:
282: return( FALSE );
283:
284: }
285:
286: return( TRUE );
287: }
288:
289:
290: BOOL
291: AssertTakeOwnership(
292: HANDLE TokenHandle
293: )
294: //
295: // This routine turns on SeTakeOwnershipPrivilege in the current
296: // token. Once that has been accomplished, we can open the file
297: // for WRITE_OWNER even if we are denied that access by the ACL
298: // on the file.
299:
300: {
301: LUID TakeOwnershipValue;
302: BOOL Result;
303: TOKEN_PRIVILEGES TokenPrivileges;
304:
305:
306: //
307: // First, find out the value of TakeOwnershipPrivilege
308: //
309:
310:
311: Result = LookupPrivilegeValue(
312: NULL,
313: "SeTakeOwnershipPrivilege",
314: &TakeOwnershipValue
315: );
316:
317: if ( !Result ) {
318:
319: //
320: // This should not happen
321: //
322:
323: printf("Unable to obtain value of TakeOwnership privilege\n");
324: printf("Error = %d\n",GetLastError());
325: printf("Exiting\n");
326: return FALSE;
327: }
328:
329: //
330: // Set up the privilege set we will need
331: //
332:
333: TokenPrivileges.PrivilegeCount = 1;
334: TokenPrivileges.Privileges[0].Luid = TakeOwnershipValue;
335: TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
336:
337:
338:
339:
340: (VOID) AdjustTokenPrivileges (
341: TokenHandle,
342: FALSE,
343: &TokenPrivileges,
344: sizeof( TOKEN_PRIVILEGES ),
345: NULL,
346: NULL
347: );
348:
349: if ( GetLastError() != NO_ERROR ) {
350:
351: return( FALSE );
352:
353: } else {
354:
355: return( TRUE );
356: }
357:
358: }
359:
360:
361:
362: BOOL
363: VariableInitialization()
364:
365: //
366: // Create some useful SIDs.
367: //
368:
369: {
370:
371: BOOL Result;
372:
373: Result = AllocateAndInitializeSid(
374: &SepNtAuthority,
375: 2,
376: SECURITY_BUILTIN_DOMAIN_RID,
377: DOMAIN_ALIAS_RID_ADMINS,
378: 0,
379: 0,
380: 0,
381: 0,
382: 0,
383: 0,
384: &AliasAdminsSid
385: );
386:
387: if ( !Result ) {
388: return( FALSE );
389: }
390:
391:
392: Result = AllocateAndInitializeSid(
393: &SepWorldSidAuthority,
394: 1,
395: SECURITY_WORLD_RID,
396: 0,
397: 0,
398: 0,
399: 0,
400: 0,
401: 0,
402: 0,
403: &SeWorldSid
404: );
405:
406: if ( !Result ) {
407: return( FALSE );
408: }
409:
410: return( TRUE );
411: }
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.