
The backstory: My Visual-Studio 2010 installer package for my Windows MFC C++ application creates a data folder C:\MyDataFolder. Because this is created during the install, the owner of the folder is NT AUTHORITY\SYSTEM. I would like all (non-admin) users of my application to have Full access to this folder, so I have added some code to give all Authenticated Users Full permissions (SetEntriesInAcl, SetNamedSecurityInfo, etc.). This works fine when run as an Administrator.

To make this super easy for users, I would like to allow them to install as Admin, then later run the program as a limited user which would attempt to set these permissions, and then prompt them to elevate to Admin if necessary. (This would also cover existing installs that don't yet have these permissions.) I have successfully done this as well (CredUIPromptForWindowsCredentials, CredUnPackAuthenticationBuffer, CredUIParseUserName, LogonUser, ImpersonateLoggedOnUser). This gives me an elevated token. I have tried it with and without the final call to ImpersonateLoggedOnUser.

The problem: Retrying the call to SetNamedSecurityInfo still fails with Access Denied. I have also tried using AdjustTokenPrivileges to give my elevated token the SE_TAKE_OWNERSHIP_NAME privilege, but this fails with "Not all privileges or groups referenced are assigned to the caller".

I believe I need to take ownership of this folder since it is owned by SYSTEM, but am not sure how to give my elevated token the SE_TAKE_OWNERSHIP_NAME privilege if it doesn't already have it.

I'm very new to all of this so it's very possible I am missing something very basic. I've also had the thought that I should just make a small app that runs during the install and does this, but now that I've come this far I'm being stubborn and want to get the elevation part working. Thanks for any help!

jacobsee
  • Why are you creating a data folder off the root of the C drive? These will typically be in the User's (or All Users) folder tree, where the permissions will be correct and the files will be included in any backups the user might be using. – 1201ProgramAlarm Oct 13 '17 at 22:15
  • Is legacy reasons a cop out? – jacobsee Oct 13 '17 at 22:35
  • No. If you're maintaining existing code, this is the sort of problem you run into. The best fix would be to relocate the data folder to the expected location. If that's not feasible, then Good Luck. – 1201ProgramAlarm Oct 13 '17 at 22:38
  • Also, the software controls some hardware and we don't want different data or configuration over different Windows accounts. – jacobsee Oct 13 '17 at 22:38
  • Our configuration file sits under ProgramData so that it can be common for all users. – jacobsee Oct 13 '17 at 22:38
  • If you put it in the All Users folder then it would be shared for everyone. – 1201ProgramAlarm Oct 13 '17 at 22:39
  • You don't have an elevated token - LogonUser won't give you one. Rather than collecting credentials yourself, you need to ask UAC to ask the user for permission to elevate. I'm just looking to see if I can find an existing answer for more details. – Harry Johnston Oct 13 '17 at 22:47
  • ... but it would probably be more sensible to explicitly set the permissions when you create the folder. You've already got admin privilege at that point, and you don't need them anyway. – Harry Johnston Oct 13 '17 at 22:51
  • I've been working off option 3. of Remy's answer here: https://stackoverflow.com/a/31844696/6320 – jacobsee Oct 13 '17 at 22:53
  • So frustrating that you've cut my well thought-out question at the knees Harry. I don't believe the other question answers my question. – jacobsee Oct 13 '17 at 22:59
  • Reopened. But I'm not sure what answer you expect; there is no way to make your current approach work. – Harry Johnston Oct 13 '17 at 23:07
  • Thank you. When you say I need to ask UAC to ask the user for permission to elevate, that is what I'm trying to do, that is the essence of my question and what I was attempting by using LogonUser with Admin credentials. I don't understand why that doesn't give me an elevated token. I'm confused because I've seen several answers which seem to indicate that is possible, but just as many answers saying that is not possible. – jacobsee Oct 13 '17 at 23:26
  • OK. First problem is that LogonUser, by default, gives you a filtered token. [That can be worked around.](https://stackoverflow.com/a/21718198/886887) Second problem is that you don't have impersonation privilege, so when you call ImpersonateLoggedOnUser the impersonation is limited to the Identification impersonation level, i.e., no privileges for you. To the best of my knowledge, there is no way to work around that one. (Well, you can launch a child process rather than using impersonation, but that pretty much defeats the purpose of having taken this approach in the first place.) – Harry Johnston Oct 14 '17 at 00:00
  • Thanks for this. It makes more sense now and I appreciate your clarification. Please close as a dupe. – jacobsee Oct 16 '17 at 18:56
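
The route the comments above point to, as an added example that is not part of the thread: attempt the ACL change with the current token and, only if that is denied, re-launch through a UAC consent prompt instead of collecting credentials for LogonUser. PowerShell and icacls are used here for brevity; the `-Elevated` switch is a hypothetical flag for the re-launch.

```powershell
param(
    [string]$DataFolder = 'C:\MyDataFolder',  # folder named in the question
    [switch]$Elevated                          # hypothetical flag: set on the UAC re-launch
)

function Test-FullAdminToken {
    # True only when Administrators is an enabled group in the process token,
    # i.e. the unfiltered token a UAC consent prompt produces.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Grant-AuthenticatedUsersFull {
    param([string]$Path)
    # *S-1-5-11 is the Authenticated Users SID (works on localized Windows).
    # (OI)(CI) makes files and subfolders inherit the entry; F is Full access,
    # as the question asks. M (Modify) is usually enough for data files and
    # does not let non-admin users rewrite the folder's ACL.
    $null = & icacls.exe $Path /grant '*S-1-5-11:(OI)(CI)F' 2>&1
    return ($LASTEXITCODE -eq 0)
}

if (Grant-AuthenticatedUsersFull $DataFolder) {
    Write-Output "Authenticated Users granted access on $DataFolder"
}
elseif ($Elevated -or (Test-FullAdminToken)) {
    # Already running with a full admin token and still denied: elevation is
    # not the problem, so inspect the folder's owner and DACL instead.
    throw "Access denied even with a full admin token on $DataFolder"
}
else {
    # Filtered or standard-user token: ask UAC to start an elevated copy of
    # this script. The new process gets its own full token; no impersonation.
    $psArgs = @('-NoProfile', '-File', "`"$PSCommandPath`"",
                '-DataFolder', "`"$DataFolder`"", '-Elevated')
    try {
        $p = Start-Process powershell.exe -Verb RunAs -ArgumentList $psArgs `
                 -Wait -PassThru -ErrorAction Stop
        if ($p.ExitCode -ne 0) {
            Write-Warning "Elevated helper exited with code $($p.ExitCode)"
        }
    }
    catch {
        # Raised when the user dismisses the consent prompt.
        Write-Warning "Elevation was declined or failed: $($_.Exception.Message)"
    }
}
```

In the MFC application itself, the counterpart of `-Verb RunAs` is ShellExecuteEx with the `runas` verb launching a small helper executable. Running the grant once from the installer, which already has administrative rights, avoids the prompt entirely.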

0 Answers