> In my scenario (while the token is elevated) how does one replace a DACL with
> a new one that I add an ACE granting my context full control without reading
> the security descriptor, or, with elevated state active, how can I also add
> read_control when I get write_dac so I can read the sd, and append an ACE
> versus blowing out the dacl?
Turns out that the code to logon and impersonate was using LOGON32_LOGON_NEW_CREDENTIALS instead of LOGON32_LOGON_INTERACTIVE.

According to the GetNamedSecurityInfo docs at MSDN [1], "To read the owner, group, or DACL from the object's security descriptor, the object's DACL must grant READ_CONTROL access to the caller, or the caller must be the owner of the object." So although I passed ownership to the account logged in and impersonated, the context in which the system saw the attempt to read the security descriptor came from the account running the code.

Thanks Tim,

jlc

[1] http://msdn.microsoft.com/en-us/library/windows/desktop/aa446645(v=vs.85).aspx

_______________________________________________
python-win32 mailing list
python-win32@python.org
https://mail.python.org/mailman/listinfo/python-win32
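An added example (not code from this thread) of the corrected sequence in pywin32: log on with LOGON32_LOGON_INTERACTIVE so the impersonated token is the one the local security check sees, read the DACL (which requires READ_CONTROL or ownership, as quoted above), and append a full-control ACE instead of replacing the DACL. The `already_granted` helper and its `((ace_type, ace_flags), mask, sid)` input shape are assumptions matching what `PyACL.GetAce()` returns; the account, path and SIDs are placeholders.

```python
# pywin32 is Windows-only, so it is imported lazily inside the function that
# needs it; the pure-Python helper below can be exercised anywhere.
READ_CONTROL = 0x00020000           # standard right needed to read owner/group/DACL
ACCESS_ALLOWED_ACE_TYPE = 0         # ACCESS_DENIED_ACE_TYPE is 1


def already_granted(aces, sid, mask):
    """True if an ACCESS_ALLOWED ACE for `sid` already covers every bit in `mask`.

    `aces` is a list of ((ace_type, ace_flags), access_mask, sid) tuples, the
    shape pywin32's ACL.GetAce() returns.  Deny ACEs never count as a grant.
    """
    for (ace_type, _flags), ace_mask, ace_sid in aces:
        if ace_type == ACCESS_ALLOWED_ACE_TYPE and ace_sid == sid \
                and ace_mask & mask == mask:
            return True
    return False


def grant_full_control_as(user, domain, password, path):
    """Log on interactively (not NEW_CREDENTIALS), impersonate that user, and
    append a full-control ACE for it to `path`'s DACL without replacing it."""
    import win32security, win32con, ntsecuritycon as ntc  # assumed: pywin32

    token = win32security.LogonUser(user, domain, password,
                                    win32con.LOGON32_LOGON_INTERACTIVE,
                                    win32con.LOGON32_PROVIDER_DEFAULT)
    win32security.ImpersonateLoggedOnUser(token)
    try:
        sid = win32security.LookupAccountName(domain, user)[0]
        # This read is checked against the impersonated token: it needs
        # READ_CONTROL on the object, or that token must be the owner.
        sd = win32security.GetNamedSecurityInfo(
            path, win32security.SE_FILE_OBJECT,
            win32security.DACL_SECURITY_INFORMATION)
        dacl = sd.GetSecurityDescriptorDacl()
        if dacl is None:
            dacl = win32security.ACL()   # NULL DACL (unrestricted): start explicit
        aces = [dacl.GetAce(i) for i in range(dacl.GetAceCount())]
        if not already_granted(aces, sid, ntc.FILE_ALL_ACCESS):
            dacl.AddAccessAllowedAce(win32security.ACL_REVISION,
                                     ntc.FILE_ALL_ACCESS, sid)
            # Only the DACL is written back (needs WRITE_DAC); owner, group
            # and SACL are left untouched rather than "blown out".
            win32security.SetNamedSecurityInfo(
                path, win32security.SE_FILE_OBJECT,
                win32security.DACL_SECURITY_INFORMATION,
                None, None, dacl, None)
    finally:
        win32security.RevertToSelf()
        token.Close()
```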