OSR Online Lists > ntfsd
  Message 1 of 4  
11 May 11 23:14
Ted Chang
xxxxxx@gmail.com
Join Date: 02 Dec 2010
Posts To This List: 6
How to disable the SeTakeOwnershipPrivilege privilege?

Hi, all

Our users have a requirement to log in to the system with Administrator authentication, but they don't want the users who log in to the system with Administrator authentication to delete the files in our distributed file system. So we enabled the ACL on our distributed file system.

But there was a problem. Our distributed file system is implemented as a local file system by redirecting the requests to the server. So if a user logs in as Administrator, he has SeTakeOwnershipPrivilege; then he can change the ownership of a file to the local Administrators and do any operation he wants to the file.

My goal is to disable the SeTakeOwnershipPrivilege when the user accesses a file on our distributed file system. I have tried to disable the SeTakeOwnershipPrivilege in the following way, but it seems useless.

1. Get the access token by SeQuerySubjectContextToken
2. Query the privilege information by SeQueryInformationToken
3. For every privilege in the privilege set, check whether it is SeTakeOwnershipPrivilege; if yes, then set its attribute to SE_PRIVILEGE_REMOVED

Just hope someone can give me a clue. Thanks in advance.

Ted Chang
  Message 2 of 4  
12 May 11 02:12
Ladislav Zezula
xxxxxx@volny.cz
Join Date: 15 Jul 2003
Posts To This List: 1356
How to disable the SeTakeOwnershipPrivilege privilege?

You could eventually remove the TakeOwnership privilege from the privileges granted to the Administrator account. You can do that in the global policy editor. Depends on what your requirements are.

L.
  Message 3 of 4  
12 May 11 03:35
Ted Chang
xxxxxx@gmail.com
Join Date: 02 Dec 2010
Posts To This List: 6
How to disable the SeTakeOwnershipPrivilege privilege?

Thanks, Ladislav. But if the local admin gives himself the SeTakeOwnershipPrivilege by the group policy edit tool, then he can take ownership of the file again. So I'm trying to disable this behavior from the file system layer. So far I haven't found a way to modify the privileges in the access token. Or am I going in the wrong direction?

Ted Chang
  Message 4 of 4  
12 May 11 10:33
Scott Noone
xxxxxx@osr.com
Join Date: 10 Jul 2002
Posts To This List: 678
List Moderator
How to disable the SeTakeOwnershipPrivilege privilege?

"Ted Chang" wrote in message news:90757@ntfsd...

> Thanks, Ladislav. But if the local admin gives himself the
> SeTakeOwnershipPrivilege by the group policy edit tool, then he can take
> ownership of the file again. So I'm trying to disable this behavior from
> the file system layer.

And what prevents the admin from disabling your filter and taking the privilege back?

When it comes to privileges, the file system is really only ever in charge of checking them. The Security Reference Monitor is the one responsible for enforcing the policy of who gets what privileges and I don't know of any support for a "filter" in that activity. That's not to say that it can't be done, but the architected solution for this is using the standard security policy tools. If those don't fit into your design then you're probably on your own.

Have you looked at filtering the IRP_MJ_SET_SECURITY request? I don't generally agree with this sort of thing (if the admin has the privilege they should be allowed to do what they want), but that would let you prevent the changing of the DACL on the object.

-scott

--
Scott Noone
Consulting Associate and Chief System Problem Analyst
OSR Open Systems Resources, Inc.
http://www.osronline.com
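
The IRP_MJ_SET_SECURITY filtering suggested in the last reply, written as a minifilter pre-operation callback. This is an added example, not code from the thread or from OSR; the policy mask, the function names and the choice to trust kernel-mode requestors are assumptions.

```c
#ifdef _KERNEL_MODE
#include <fltKernel.h>
#else
/* User-mode stand-ins so the policy check builds outside the WDK;
   the bit values are the ones winnt.h defines. */
typedef unsigned long SECURITY_INFORMATION;
#define OWNER_SECURITY_INFORMATION 0x00000001UL
#define GROUP_SECURITY_INFORMATION 0x00000002UL
#define DACL_SECURITY_INFORMATION  0x00000004UL
#define SACL_SECURITY_INFORMATION  0x00000008UL
#endif

/* Assumed policy: user-mode callers may not change the owner or the DACL. */
#define PROTECTED_SECURITY_INFO \
    (OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION)

/* Returns the requested bits that the policy forbids (0 means allow). */
static SECURITY_INFORMATION
BlockedSecurityBits(SECURITY_INFORMATION requested, int fromUserMode)
{
    if (!fromUserMode)
        return 0;   /* assumption: kernel-mode requests are trusted */
    return requested & PROTECTED_SECURITY_INFO;
}

#ifdef _KERNEL_MODE
/* Register this for IRP_MJ_SET_SECURITY in the FLT_OPERATION_REGISTRATION
   array, and attach instances only to the protected volumes. */
FLT_PREOP_CALLBACK_STATUS
PreSetSecurity(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects,
               PVOID *CompletionContext)
{
    SECURITY_INFORMATION requested =
        Data->Iopb->Parameters.SetSecurity.SecurityInformation;

    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);

    if (BlockedSecurityBits(requested, Data->RequestorMode == UserMode)) {
        Data->IoStatus.Status = STATUS_ACCESS_DENIED;
        Data->IoStatus.Information = 0;
        return FLT_PREOP_COMPLETE;   /* fail here; the file system never sees it */
    }
    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}
#endif
```

The same check can sit in the file system's own IRP_MJ_SET_SECURITY dispatch routine; as the reply points out, an administrator who can unload the filter can undo it.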

All times are GMT -5.


Copyright ©2014, OSR Open Systems Resources, Inc.